About NPM deprecation warnings

It baffles me how many deprecation warnings appear when installing some NPM package. As if I were the only one in the world seeing them, and worrying about them.

npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated ipld-raw@6.0.0: This module has been superseded by the multiformats module
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated graphql-tools@6.2.6: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated cids@1.1.9: This module has been superseded by the multiformats module
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated remotedev-serialize@0.1.9: Package moved to @redux-devtools/serialize.
npm WARN deprecated redux-devtools-instrument@1.10.0: Package moved to @redux-devtools/instrument.
npm WARN deprecated redux-devtools-core@0.2.1: Package moved to @redux-devtools/app.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @nodefactory/filsnap-adapter@0.2.2: Package is deprecated in favour of @chainsafe/filsnap-adapter
npm WARN deprecated ipld-dag-cbor@0.17.1: This module has been superseded by @ipld/dag-cbor and multiformats
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@3.1.2: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated ipld-dag-pb@0.20.0: This module has been superseded by @ipld/dag-pb and multiformats
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated multicodec@3.2.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated axios@0.20.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated @ensdomains/ens@0.4.3: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated ethereumjs-testrpc@6.0.3: ethereumjs-testrpc has been renamed to ganache-cli, please use this package from now on.

added 2165 packages, and audited 2266 packages in 4m

133 packages are looking for funding
  run `npm fund` for details

90 vulnerabilities (6 low, 50 moderate, 27 high, 7 critical)

Some people say: “if it’s important (e.g. a security problem), notify the package maintainers; if not, ignore the deprecation warning.”

NPM deprecation warnings are displayed without any classification with respect to the dependency where they originate.

  • If the code of the deprecated package was not used at all (fake dependency), then we could safely ignore the deprecation warning.
  • If the code of the deprecated package was only used in development (dev dependency), then we could almost safely ignore the deprecation warning.
  • If the code of the deprecated package was also used in production, then we couldn’t ignore the deprecation warning without a detailed analysis.

Sample analysis

Let’s look at the first warning above:

testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.

The deprecation message is not alarming. What should I do? Let’s research a bit more.

Here is the path from testrpc back to truffle:

% npm --global --all ls testrpc@0.0.1

/Users/andrea/.nvm/versions/node/v16.13.0/lib
└─┬ truffle@5.4.18
  └─┬ @truffle/db@0.5.36
    └─┬ @truffle/resolver@7.0.34
      └─┬ @truffle/contract@4.3.39
        └─┬ @ensdomains/ensjs@2.0.1
          └─┬ @ensdomains/ens@0.4.3
            └── testrpc@0.0.1

And here is the package.json in truffle:

{
  "name": "truffle",
  "description": "Truffle - Simple development framework for Ethereum",
  "license": "MIT",
  "author": "consensys.net",
  "homepage": "https://github.com/trufflesuite/truffle#readme",
  "repository": {
    "type": "git",
    "url": "https://github.com/trufflesuite/truffle.git",
    "directory": "packages/truffle"
  },
  "bugs": {
    "url": "https://github.com/trufflesuite/truffle/issues"
  },
  "version": "5.4.18",
  "main": "./build/library.bundled.js",
  "bin": {
    "truffle": "./build/cli.bundled.js"
  },
  "scripts": {
    "analyze": "./scripts/analyze.sh",
    "build": "yarn build:cli",
    "build:cli": "node --max-old-space-size=8192 ./node_modules/webpack/bin/webpack --config ./webpack.config.js",
    "postinstall": "node ./scripts/postinstall.js",
    "prepare": "yarn build",
    "publish:byoc": "node ./scripts/prereleaseVersion.js byoc-safe byoc",
    "publish:external-compiler": "node ./scripts/prereleaseVersion.js external-compiler external-compiler",
    "publish:next": "node ./scripts/prereleaseVersion.js next next",
    "publish:user-level-mnemonic": "node ./scripts/prereleaseVersion.js user-level-mnemonic user-level-mnemonic",
    "test": "./scripts/test.sh",
    "test:raw": "NO_BUILD=true mocha"
  },
  "optionalDependencies": {
    "@truffle/db": "^0.5.36",
    "@truffle/preserve-fs": "^0.2.4",
    "@truffle/preserve-to-buckets": "^0.2.4",
    "@truffle/preserve-to-filecoin": "^0.2.4",
    "@truffle/preserve-to-ipfs": "^0.2.4"
  },
  "dependencies": {
    "@truffle/db-loader": "^0.0.15",
    "@truffle/debugger": "^9.2.0",
    "app-module-path": "^2.2.0",
    "mocha": "8.1.2",
    "original-require": "^1.0.1"
  },
  "devDependencies": {
    "@truffle/box": "^2.1.32",
    "@truffle/config": "^1.3.12",
    "@truffle/contract": "^4.3.39",
    "@truffle/core": "^5.4.18",
    "@truffle/interface-adapter": "^0.5.8",
    "clean-webpack-plugin": "^3.0.0",
    "copy-webpack-plugin": "^7.0.0",
    "eslint": "^5.7.0",
    "fs-extra": "^9.1.0",
    "ganache-core": "2.13.0",
    "glob": "^7.1.6",
    "husky": "^1.1.2",
    "js-scrypt": "^0.2.0",
    "meta-npm": "^0.0.22",
    "meta-pkgs": "^0.2.0",
    "nyc": "^13.0.1",
    "semver": "^7.3.4",
    "shebang-loader": "0.0.1",
    "stream-buffers": "^3.0.1",
    "tmp": "^0.2.1",
    "web3": "1.5.3",
    "webpack": "^5.21.2",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^4.5.0",
    "yargs": "^8.0.2"
  },
  "publishConfig": {
    "access": "public"
  },
  "authors": [
    {
      "name": "Tim Coulter",
      "email": "tim@timothyjcoulter.com",
      "url": "https://github.com/tcoulter"
    }
  ],
  "gitHead": "b788e582fbe5466334a35498d63fca67dca929de",
  "namespace": "consensys"
}

Looking into package.json, we see that @truffle/db is an optional dependency, i.e. a production dependency that may also be skipped automatically when installing truffle.

Looking into @truffle/db, we see that truffle can be configured to use it:

db: {
  enabled: true
}

Given that I went for the default installation (and I don’t have a replacement ready), this is a production dependency for me. What should I do? Let’s research a bit more.

Googling @ensdomains/ens we get to the project page on GitHub:

https://github.com/ensdomains/ens

So this project is pretty popular, used by 7.7k other projects. And yet it uses a deprecated package. It’s still unclear what I should do.

This project was included (in its parent, @ensdomains/ensjs) at version 0.4.3. Such a version is nowhere to be found in the repo: not a release, not a tag, not a branch.

Let’s assume it’s a close ancestor of the current code in the master branch, which is marked as 0.5.0 in package.json.

This is what we get after searching for testrpc in the repo:

We see that this is a code dependency whose code is never used, but whose package name is cited in a README file. That’s it. It’s a fake dependency.

Now, I needed (wasted) a solid hour to find that out. That’s unreasonable.

Could a tool automate all of the above? Not really, because I had to assume that the code of the lost version 0.4.3, in all places where testrpc would be used, is equivalent to the code of the master version (maybe 0.5.0).
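The part of the analysis above that a tool can do is finding the path from the deprecated package back to the project and reading which section of the root package.json the top-level edge belongs to; deciding whether the code is actually used still needs a human. Here is an added example (my own script, not from the post or from truffle) that does exactly that first part: the warning lines, the tree (shaped like `npm ls --all --json`, mirroring the post's testrpc path) and the package.json sections are all constructed inline.

```javascript
// Added example: triage "npm WARN deprecated" lines by how the deprecated
// package reaches the project. All inputs are constructed; TREE mirrors the
// post's `npm ls` path and PKG mirrors the relevant sections of truffle's package.json.
const WARN_RE = /^npm WARN deprecated (\S+?)@(\S+): (.*)$/;

// Parse warning lines into { name, version, message }; other lines are skipped.
function parseWarnings(text) {
  return text.split('\n').map(l => WARN_RE.exec(l.trim())).filter(Boolean)
    .map(([, name, version, message]) => ({ name, version, message }));
}

// Depth-first search over an `npm ls --all --json`-shaped tree (name/version/
// dependencies); returns every path, top-level edge first, ending at name@version.
function findPaths(node, name, version, trail = []) {
  const found = [];
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    const here = [...trail, { name: dep, version: child.version }];
    if (dep === name && child.version === version) found.push(here);
    found.push(...findPaths(child, name, version, here));
  }
  return found;
}

// The top-level edge decides the class: devDependencies can "almost safely" be
// ignored, optionalDependencies are production unless you opted out, and
// dependencies are production. Whether the code is actually used is not decided here.
function edgeKind(pkg, topName) {
  for (const [section, kind] of [['devDependencies', 'development'],
      ['optionalDependencies', 'optional'], ['dependencies', 'production']]) {
    if (pkg[section] && topName in pkg[section]) return kind;
  }
  return 'unknown';
}

function classify(warningsText, pkg, tree) {
  return parseWarnings(warningsText).map(w => {
    const paths = findPaths(tree, w.name, w.version);
    const kinds = [...new Set(paths.map(p => edgeKind(pkg, p[0].name)))];
    return { ...w, kind: paths.length ? kinds.join('|') : 'not installed',
      paths: paths.map(p => p.map(n => `${n.name}@${n.version}`).join(' > ')) };
  });
}

const WARNINGS = `npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated eslint@5.7.0: constructed sample warning for a dev dependency
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142`;
const TREE = { name: 'truffle', version: '5.4.18', dependencies: {
  '@truffle/db': { version: '0.5.36', dependencies: {
    '@truffle/resolver': { version: '7.0.34', dependencies: {
      '@truffle/contract': { version: '4.3.39', dependencies: {
        '@ensdomains/ensjs': { version: '2.0.1', dependencies: {
          '@ensdomains/ens': { version: '0.4.3', dependencies: { testrpc: { version: '0.0.1' } } }
        } } } } } } } },
  eslint: { version: '5.7.0' } } };
const PKG = { dependencies: { mocha: '8.1.2' }, devDependencies: { eslint: '^5.7.0' },
  optionalDependencies: { '@truffle/db': '^0.5.36' } };

console.log(JSON.stringify(classify(WARNINGS, PKG, TREE), null, 2));
```

Against a real install, feed it the output of `npm ls --all --json` for the package and that package's package.json; a warning whose package is reached only through devDependencies is the one you can park, and one reached through dependencies or optionalDependencies is the one that needs the manual source check the post describes.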

Posterity

There is something else that troubles me. If I wanted to persist the result of my research there is little support in the Open Source world as a whole. (I could be wrong. Please, correct me if you know better.)

A possible, though cumbersome and incomplete, solution could be based on the following tools:

  1. selective dependency resolutions, implemented in NPM by npm-force-resolutions
  2. a fork of @ensdomains/ens (the troublesome package), where I could fix its deprecated dependencies, like aercolino/ensdomains-ens#fix-deprecations
  3. force a resolution, like
{
  "@ensdomains/ens@0.4.3": "aercolino/ensdomains-ens#fix-deprecations"
}

However, that is totally hypothetical, because:

  • the package whose installation complained about testrpc@0.0.1 is global, which means that I do not have any package.json file where I can add my resolutions
  • npm-force-resolutions is poorly documented
  • the Selective dependency resolutions feature of Yarn, upon which npm-force-resolutions is based, doesn’t seem to support versions on the left, nor full repos on the right.

In the end, my research is going to get lost (in my biological memory) and my confidence in NPM lowers.
