Closed i8-pi closed 4 weeks ago
@i8-pi
This isn't a topic that Yarn can help you with.
As you already wrote, the problem was solved in later versions of normalize-url.
normalize-url
is a direct dependency of yarn, not the project I'm installing
https://github.com/yarnpkg/yarn/blob/740c38c3a962c30ddb344a919bbfb7065620714b/package.json#L38
This warning shows when my project doesn't include normalize-url
at all
# In an empty directory
$ yarn add cookie
yarn add v1.22.22
info No lockfile found.
[1/4] Resolving packages...
⠁ (node:26263) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
at node:punycode:3:9
at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:398:7)
at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:337:10)
at loadBuiltinModule (node:internal/modules/helpers:96:7)
at Module._load (node:internal/modules/cjs/loader:1037:17)
at Module.require (node:internal/modules/cjs/loader:1271:19)
at require (node:internal/modules/helpers:123:16)
at Object.<anonymous> (/usr/lib/node_modules/yarn/node_modules/normalize-url/index.js:3:18)
at Module._compile (node:internal/modules/cjs/loader:1434:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1518:10)
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
info Direct dependencies
└─ cookie@0.6.0
info All dependencies
└─ cookie@0.6.0
Done in 0.56s.
@i8-pi
I apologize for my misunderstanding and thanks for pointing out where normalize-url
is used by Yarn v1. I can't actually reproduce the issue in my environment though, so I should let the experts take a look!
I tried again but with a fresh build of yarn from the repo, instead of the one packaged by my distro (arch), and I can't reproduce the warnings. I will see if I can come up with a reproduction that works with a fresh build, and close this issue for now
From what I can tell, yarn does depend on the deprecated node builtin punycode
through normalize-url
and other packages, but when building with yarn build-dist
, it tweaks the module resolution logic within webpack so the webpack bundle always resolves to the node_modules version of punycode
instead of the node builtin one.
The arch package doesn't run yarn build-dist
, but instead does yarn build
and copies the resulting lib/
and node_modules/
into place. So webpack isn't run at all, and in the arch package any require('punycode')
statements resolve to the node builtin one
I don't expect the arch workflow to be considered supported. Just writing this down for anyone curious about the issue
i have created a issue downstream, posting it here for reference: https://gitlab.archlinux.org/archlinux/packaging/packages/yarn/-/issues/2, will likely not be fixing this myself as i dont know enough about yarns build system.
The (deprecated) node builtin punycode is being requested through
yarn
->normalize-url
v2 ->punycode
The warning is triggered by running
yarn install
without a yarn.lock or with an outdated yarn.lock with major version changes on some packagesI tried upgrading to
normalize-url
v3 and it doesn't trigger the warning, but it swaps out punycode for node's builtinURL
implementation, which bumps up the node version requirement to v6, and may have introduced user visible changes because the behaviour is different. Not sure if there is a good way to handle this