About NPM deprecation warnings

It baffles me how many deprecation warnings appear when installing some NPM package. Like if I was the only one in the world seeing them, and worrying about them.

% npm i -g truffle

Some people say: “if it’s important (e.g. a security problem), notify the package maintainers; if not, ignore the deprecation warning.

NPM deprecation warnings are displayed without any classification with respect to the dependency where they originate.

  • If the code of the deprecated package was not used at all (fake dependency), then we could safely ignore the deprecation warning.
  • If the code of the deprecated package was only used in development (dev dependency), then we could almost safely ignore the deprecation warning.
  • If the code of the deprecated package was also used in production, then we couldn’t ignore the deprecation warning without a detailed analysis.

Sample analysis

Let’s look at the first warning above:

testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.

The deprecation message is not alarming. What should I do? Let’s research a bit more.

Here is the path from testrpc back to truffle:

% npm –global –all ls testrpc@0.0.1

/Users/andrea/.nvm/versions/node/v16.13.0/lib
└─┬ truffle@5.4.18
  └─┬ @truffle/db@0.5.36
    └─┬ @truffle/resolver@7.0.34
      └─┬ @truffle/contract@4.3.39
        └─┬ @ensdomains/ensjs@2.0.1
          └─┬ @ensdomains/ens@0.4.3
            └── testrpc@0.0.1

And here is the package.json in truffle:

package.json

Looking into package.json, we see that @truffle/db is an optional dependency, i.e. a production dependency which could also be not automatically installed when installing truffle.

Looking into @truffle/db, we see that it allows to configure truffle for using it:

db: {
  enabled: true
}

Given that I went for the default installation (and I don’t have a replacement ready), this is a production dependency for me. What should I do? Let’s research a bit more.

Googling @ensdomains/ens we get to the project page on GitHub:

https://github.com/ensdomains/ens

So this project is pretty popular, used by 7.7k other projects. And yet it uses a deprecated package. It’s still unclear what should I do.

This project was included (in its parent, @ensdomains/ensjs) at version 0.4.3. Such a version is nowhere to be found in the repo: not a release, not a tag, not a branch.

Let’s assume it’s a close ancestor of the current code in the master branch, which is marked as 0.5.0 in package.json.

This is what we get after searching for testrpc in the repo:

We see that this is a code dependency whose code is never used but the package name is cited in a README file. That’s it. it’s a fake dependency.

Now, I needed (wasted) a solid hour to find that out. That’s unreasonable.

Could a tool automate all of the above? Not really, because I had to assume that the code of the lost version 0.4.3, in all places where testrpc would be used, is equivalent to the code of the master version (maybe 0.5.0).

Posterity

There is something else that troubles me. If I wanted to persist the result of my research there is little support in the Open Source world as a whole. (I could be wrong. Please, correct me if you know better.)

A possible, but cumbersome, and incomplete solution could be one based on the following tools:

  1. selective dependency resolutions, implemented in NPM by npm-force-resolutions
  2. a fork of @ensdomains/ens (the troublesome package), where I could fix its deprecated dependencies, like aercolino/ensdomains-ens#fix-deprecations
  3. force a resolution, like
{
  "@ensdomains/ens@0.4.3": "aercolino/ensdomains-ens#fix-deprecations"
}

However, that is totally hypothetical, because:

  • the package whose installation complained about testrpc@0.0.1 is global, which means that I do not have any package.json file where I can add my resolutions
  • npm-force-resolutions is poorly documented
  • the Selective dependency resolutions feature of Yarn, upon which npm-force-resolutions is based, doesn’t seem to support versions on the left, nor full repos on the right.

In the end, my research is going to get lost (in my biological memory) and my confidence in NPM lowers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.