vercel / nft

Node.js dependency tracing utility
https://npmjs.com/@vercel/nft
MIT License

Deprecated subdependencies found in @mapbox/node-pre-gyp #421

Open cdwmhcc opened 6 months ago

cdwmhcc commented 6 months ago

Description

When installing dependencies for our project that uses @vercel/nft, we encountered warnings about deprecated subdependencies. These warnings are caused by the @mapbox/node-pre-gyp package, which is a dependency of @vercel/nft.

Details

The following deprecated subdependencies are reported during pnpm install:

  • are-we-there-yet@2.0.0
  • gauge@3.0.2
  • inflight@1.0.6
  • npmlog@5.0.1

Expected Behavior

Dependencies within @vercel/nft should not rely on deprecated packages to ensure better security and compatibility with modern development environments.

Additional Information

  • Node.js version: [20.13.1]
  • pnpm version: [9.1.2]
  • Operating System: [windows 11]

styfle commented 6 months ago

There is some related discussion here: https://github.com/vercel/nft/pull/407#issuecomment-2108830341

Would you like to submit a PR to fix it?

benmccann commented 5 months ago

I wonder if we even need to include the dependency at all. I looked at argon2 to see how it's used and it's just a single function export:

Compare https://npmgraph.js.org/?q=argon2 vs https://npmgraph.js.org/?q=argon2@0.31.1. The new version drops 55 dependencies, including @mapbox/node-pre-gyp.

benmccann commented 5 months ago

I sent https://github.com/vercel/nft/pull/431 to upgrade argon2. I'm not sure what else is required to address this issue, but I believe this new version of argon2 should hopefully address the blockers and make this issue much easier to solve.

styfle commented 5 months ago

It's not related to argon2 at all. I updated my comment from the other issue and I'll repost here.

I looked at how consumers are using it (for example, argon2) and it's just a single function export:

const path = require("path");
const binary = require("@mapbox/node-pre-gyp");
// find() resolves the compiled .node binding for the package described by this package.json
const bindingPath = binary.find(path.resolve(__dirname, "./package.json"));

So perhaps we could implement this find() function easily, assuming it's just reading the package.json.

Do you want to submit a PR to implement this?

benmccann commented 5 months ago

I see. That makes much more sense to me. Thanks!

It's not exactly clear to me that find is easily replaceable though it would be awesome if someone can figure out how to do that. In the meantime I'll work on cleaning up @mapbox/node-pre-gyp:

benmccann commented 5 months ago

argon2 switched from @mapbox/node-pre-gyp to node-gyp-build here: https://github.com/ranisalt/node-argon2/commit/b47602840a259946039db8526ddd182d1430f634#diff-bc704b883867dea430073059d0e3061c8ac87c037826b06007646f667777916d

The latter library is dramatically lighter. I wonder if we could make the same switch here.

benmccann commented 5 months ago

@styfle based on the link from my past comment, do you think something like this might work?

[Screenshot from 2024-06-30 20-37-33]

It looks like argon2 was able to do something similar, but when I create a dummy find method that returns null I don't get any extra failing tests (I have 6 that fail for me both on main and with a clearly broken implementation), so I'm not overly confident in the fix. I'm wholly unfamiliar with nft so don't know if I can put together and test a fix, but I hope that discovering the argon2 implementation uses node-gyp-build to do the same as @mapbox/node-pre-gyp's find will be enough to let you address this.

styfle commented 5 months ago

nft supports both node-gyp-build and @mapbox/node-pre-gyp because it needs to work on any version of any npm package.

vhovorun commented 4 months ago

@styfle @benmccann Hey guys, sorry for pinging you, but any updates on this one?

benmccann commented 4 months ago

I don't understand the changes that would need to be made here to remove the use of @mapbox/node-pre-gyp, but if https://github.com/mapbox/node-pre-gyp/pull/829 is merged then it should fix the issue in @mapbox/node-pre-gyp.

KillyMXI commented 3 weeks ago

Current latest version of @mapbox/node-pre-gyp is 1.0.11 (from 2023-07-14) (edit: wrongly took the date of 1.1.0-dev.1). @vercel/nft still depends on 1.0.5 (from 2021-05-11).

Is there a reason to stick with the old version? Otherwise, just bumping the version would resolve some warnings.

styfle commented 3 weeks ago

Bumping in PR https://github.com/vercel/nft/pull/451, but it won't make a difference for consumers since the ^ will still match the latest 1.x.y version.

Also note that none of these upstream PRs have landed yet.

KillyMXI commented 3 weeks ago

I mistakenly attributed the recent activity there to 1.0.11, while in fact it is 1.1.0-dev.1. Indeed, it doesn't seem it will make much or any difference yet.
