About NPM deprecation warnings

It baffles me how many deprecation warnings appear when installing some NPM package. Like if I was the only one in the world seeing them, and worrying about them.

npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated har-validator@5.1.5: this library is no longer supportednpm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated ipld-raw@6.0.0: This module has been superseded by the multiformats module
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated graphql-tools@6.2.6: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated cids@1.1.9: This module has been superseded by the multiformats module
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated remotedev-serialize@0.1.9: Package moved to @redux-devtools/serialize.
npm WARN deprecated redux-devtools-instrument@1.10.0: Package moved to @redux-devtools/instrument.
npm WARN deprecated redux-devtools-core@0.2.1: Package moved to @redux-devtools/app.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @nodefactory/filsnap-adapter@0.2.2: Package is deprecated in favour of @chainsafe/filsnap-adapter
npm WARN deprecated ipld-dag-cbor@0.17.1: This module has been superseded by @ipld/dag-cbor and multiformats
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@3.1.2: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated ipld-dag-pb@0.20.0: This module has been superseded by @ipld/dag-pb and multiformats
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated multicodec@3.2.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated axios@0.20.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated @ensdomains/ens@0.4.3: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated ethereumjs-testrpc@6.0.3: ethereumjs-testrpc has been renamed to ganache-cli, please use this package from now on.

added 2165 packages, and audited 2266 packages in 4m

133 packages are looking for funding
  run `npm fund` for details

90 vulnerabilities (6 low, 50 moderate, 27 high, 7 critical)

Some people say: “if it’s important (e.g. a security problem), notify the package maintainers; if not, ignore the deprecation warning.

NPM deprecation warnings are displayed without any classification with respect to the dependency where they originate.

  • If the code of the deprecated package was not used at all (fake dependency), then we could safely ignore the deprecation warning.
  • If the code of the deprecated package was only used in development (dev dependency), then we could almost safely ignore the deprecation warning.
  • If the code of the deprecated package was also used in production, then we couldn’t ignore the deprecation warning without a detailed analysis.

Sample analysis

Let’s look at the first warning above:

testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.

The deprecation message is not alarming. What should I do? Let’s research a bit more.

Here is the path from testrpc back to truffle:

% npm –global –all ls testrpc@0.0.1

/Users/andrea/.nvm/versions/node/v16.13.0/lib
└─┬ truffle@5.4.18
  └─┬ @truffle/db@0.5.36
    └─┬ @truffle/resolver@7.0.34
      └─┬ @truffle/contract@4.3.39
        └─┬ @ensdomains/ensjs@2.0.1
          └─┬ @ensdomains/ens@0.4.3
            └── testrpc@0.0.1

And here is the package.json in truffle:

{
  "name": "truffle",
  "description": "Truffle - Simple development framework for Ethereum",
  "license": "MIT",
  "author": "consensys.net",
  "homepage": "https://github.com/trufflesuite/truffle#readme",
  "repository": {
    "type": "git",
    "url": "https://github.com/trufflesuite/truffle.git",
    "directory": "packages/truffle"
  },
  "bugs": {
    "url": "https://github.com/trufflesuite/truffle/issues"
  },
  "version": "5.4.18",
  "main": "./build/library.bundled.js",
  "bin": {
    "truffle": "./build/cli.bundled.js"
  },
  "scripts": {
    "analyze": "./scripts/analyze.sh",
    "build": "yarn build:cli",
    "build:cli": "node --max-old-space-size=8192 ./node_modules/webpack/bin/webpack --config ./webpack.config.js",
    "postinstall": "node ./scripts/postinstall.js",
    "prepare": "yarn build",
    "publish:byoc": "node ./scripts/prereleaseVersion.js byoc-safe byoc",
    "publish:external-compiler": "node ./scripts/prereleaseVersion.js external-compiler external-compiler",
    "publish:next": "node ./scripts/prereleaseVersion.js next next",
    "publish:user-level-mnemonic": "node ./scripts/prereleaseVersion.js user-level-mnemonic user-level-mnemonic",
    "test": "./scripts/test.sh",
    "test:raw": "NO_BUILD=true mocha"
  },
  "optionalDependencies": {
    "@truffle/db": "^0.5.36",
    "@truffle/preserve-fs": "^0.2.4",
    "@truffle/preserve-to-buckets": "^0.2.4",
    "@truffle/preserve-to-filecoin": "^0.2.4",
    "@truffle/preserve-to-ipfs": "^0.2.4"
  },
  "dependencies": {
    "@truffle/db-loader": "^0.0.15",
    "@truffle/debugger": "^9.2.0",
    "app-module-path": "^2.2.0",
    "mocha": "8.1.2",
    "original-require": "^1.0.1"
  },
  "devDependencies": {
    "@truffle/box": "^2.1.32",
    "@truffle/config": "^1.3.12",
    "@truffle/contract": "^4.3.39",
    "@truffle/core": "^5.4.18",
    "@truffle/interface-adapter": "^0.5.8",
    "clean-webpack-plugin": "^3.0.0",
    "copy-webpack-plugin": "^7.0.0",
    "eslint": "^5.7.0",
    "fs-extra": "^9.1.0",
    "ganache-core": "2.13.0",
    "glob": "^7.1.6",
    "husky": "^1.1.2",
    "js-scrypt": "^0.2.0",
    "meta-npm": "^0.0.22",
    "meta-pkgs": "^0.2.0",
    "nyc": "^13.0.1",
    "semver": "^7.3.4",
    "shebang-loader": "0.0.1",
    "stream-buffers": "^3.0.1",
    "tmp": "^0.2.1",
    "web3": "1.5.3",
    "webpack": "^5.21.2",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^4.5.0",
    "yargs": "^8.0.2"
  },
  "publishConfig": {
    "access": "public"
  },
  "authors": [
    {
      "name": "Tim Coulter",
      "email": "tim@timothyjcoulter.com",
      "url": "https://github.com/tcoulter"
    }
  ],
  "gitHead": "b788e582fbe5466334a35498d63fca67dca929de",
  "namespace": "consensys"
}

Looking into package.json, we see that @truffle/db is an optional dependency, i.e. a production dependency which could also be not automatically installed when installing truffle.

Looking into @truffle/db, we see that it allows to configure truffle for using it:

db: {
  enabled: true
}

Given that I went for the default installation (and I don’t have a replacement ready), this is a production dependency for me. What should I do? Let’s research a bit more.

Googling @ensdomains/ens we get to the project page on GitHub:

https://github.com/ensdomains/ens

So this project is pretty popular, used by 7.7k other projects. And yet it uses a deprecated package. It’s still unclear what should I do.

This project was included (in its parent, @ensdomains/ensjs) at version 0.4.3. Such a version is nowhere to be found in the repo: not a release, not a tag, not a branch.

Let’s assume it’s a close ancestor of the current code in the master branch, which is marked as 0.5.0 in package.json.

This is what we get after searching for testrpc in the repo:

We see that this is a code dependency whose code is never used but the package name is cited in a README file. That’s it. it’s a fake dependency.

Now, I needed (wasted) a solid hour to find that out. That’s unreasonable.

Could a tool automate all of the above? Not really, because I had to assume that the code of the lost version 0.4.3, in all places where testrpc would be used, is equivalent to the code of the master version (maybe 0.5.0).

Posterity

There is something else that troubles me. If I wanted to persist the result of my research there is little support in the Open Source world as a whole. (I could be wrong. Please, correct me if you know better.)

A possible, but cumbersome, and incomplete solution could be one based on the following tools:

  1. selective dependency resolutions, implemented in NPM by npm-force-resolutions
  2. a fork of @ensdomains/ens (the troublesome package), where I could fix its deprecated dependencies, like aercolino/ensdomains-ens#fix-deprecations
  3. force a resolution, like
{
  "@ensdomains/ens@0.4.3": "aercolino/ensdomains-ens#fix-deprecations"
}

However, that is totally hypothetical, because:

  • the package whose installation complained about testrpc@0.0.1 is global, which means that I do not have any package.json file where I can add my resolutions
  • npm-force-resolutions is poorly documented
  • the Selective dependency resolutions feature of Yarn, upon which npm-force-resolutions is based, doesn’t seem to support versions on the left, nor full repos on the right.

In the end, my research is going to get lost (in my biological memory) and my confidence in NPM lowers.

Looking for the perfect match

Lately, I passed through many selection processes, and I still will go through some more. Did I meet a company where I really wanted to work at? Surely, for many I could have made a positive impact working there. But none was a perfect match. 1I’m not talking about cultural fit here

Why do we look for the perfect match? We should already know that such a thing doesn’t even exist. Lasting couples aren’t a perfect match. How can colleagues be a perfect match to each other? For n colleagues, that would require n * (n - 1) / 2 perfect matches. Insane.

I don’t look for the perfect match with my colleagues, but I must confess that I’m often relieved to get rejected by colleagues which present to me in the testudo formation.

Almost impossible to be admitted here, by design.

How do you expect to find a new team mate if, as soon as a discussion arises, you close ranks and state you know better. Nonetheless, they keep looking for the perfect match, which boils down to a developer with the biggest experience to write quality code without spoon-feeding her, and the smallest experience to follow orders with humbleness.

That, or likemindedness. Isn’t it a known problem to hire like minded people?

Such practices can 2I stroke this through also lead to groupthink where all go along with decisions for the sake of team harmony. Creativity, innovation and growth can 3I stroke this through suffer in the absence of diversity, vigorous debate and conflict.

I never liked to sheepishly follow others. Decades ago, when I was 10 years old, our school teacher gave us a mathematical problem to solve cooperatively. I immediately found a short solution, and shared it with the others. They dismissed it and decided to elaborate one of their own. How proud I was when our teacher validated my answer and not theirs.

During my job interviews, I genuinely make an effort to understand and value the programming decisions, mostly the architectural ones, that my yet-to-be colleagues made in the projects I’m asked to collaborate in. How could I not show my surprise when they tell me:

  • We can’t use Docker / Kubernetes because our setup is too complex
    • What? They are used at Google, I don’t think they have a simpler setup.
  • We prefer vanilla JavaScript to React, because it wouldn’t scale for us.
    • What? It’s used at Facebook, I don’t think they have a smaller scale.

About TypeScript

I didn’t touch TypeScript once in the last 3 years. I stopped using it when I changed my job, from Angular 4 back to jQuery, AngularJS, and forth to VueJS.

  • Did I miss it? Not once.
  • Did I like it when I had to use it? I did.

But now my opinion on TypeScript is that it works like a self fulfilling prophecy. You think you need some control on the types of values you pass around in your application, and, in fact, as soon as you write a line of TypeScript, the linter first, and the compiler later, will immediately spot so many type errors. If you think about how many lines you wrote in JavaScript in the past, without any sort of type checking, they must have been all wrong!

Well, not really. The simplicity and strength of JavaScript is it lacks type checking. I wrote millions of lines of JavaScript, and not many of them with errors. I already know how to protect me from most of them. While developing, the JavaScript linter and the JavaScript test runner will immediately spot whatever I mistook. But also TypeScript needs a linter and a test runner, so that they do not represent a price for the lack of type checking.

While running… well, while running TypeScript is JavaScript and loses any notion of type. Surprising, but true. TypeScript only checks types at compilation time. You should validate whatever data enter into and exit from your code. For example, using Ajv to validate the JSON schemas of the responses you get for requests issued to API endpoints. Again, you need data validation in any case, so it’s not a price for the lack of type checking.

In the end, it seems to me that the benefits of TypeScript are less relevant than the drawbacks. Which is essentially one: development slowness, for having to get types right, when wrong types are hardly so subtle errors that you wouldn’t detect otherwise.