About NPM deprecation warnings

It baffles me how many deprecation warnings appear when installing some NPM package. Like if I was the only one in the world seeing them, and worrying about them.

npm WARN deprecated testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.
npm WARN deprecated mkdirp-promise@5.0.1: This package is broken and no longer maintained. 'mkdirp' itself supports promises now, please switch to that.
npm WARN deprecated har-validator@5.1.5: this library is no longer supportednpm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated fsevents@2.1.3: "Please update to latest v2.3 or v2.2"
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated ipld-raw@6.0.0: This module has been superseded by the multiformats module
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated graphql-tools@6.2.6: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated cids@1.1.9: This module has been superseded by the multiformats module
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated remotedev-serialize@0.1.9: Package moved to @redux-devtools/serialize.
npm WARN deprecated redux-devtools-instrument@1.10.0: Package moved to @redux-devtools/instrument.
npm WARN deprecated redux-devtools-core@0.2.1: Package moved to @redux-devtools/app.
npm WARN deprecated uuid@2.0.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @nodefactory/filsnap-adapter@0.2.2: Package is deprecated in favour of @chainsafe/filsnap-adapter
npm WARN deprecated ipld-dag-cbor@0.17.1: This module has been superseded by @ipld/dag-cbor and multiformats
npm WARN deprecated multicodec@1.0.4: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.2.1: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@4.0.6: This module has been superseded by the multiformats module
npm WARN deprecated multibase@3.1.2: This module has been superseded by the multiformats module
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated ipld-dag-pb@0.20.0: This module has been superseded by @ipld/dag-pb and multiformats
npm WARN deprecated multibase@0.7.0: This module has been superseded by the multiformats module
npm WARN deprecated multibase@0.6.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@0.5.7: This module has been superseded by the multiformats module
npm WARN deprecated node-pre-gyp@0.11.0: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated multicodec@3.2.1: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated multicodec@2.1.3: This module has been superseded by the multiformats module
npm WARN deprecated axios@0.20.0: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated cids@0.7.5: This module has been superseded by the multiformats module
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated @ensdomains/ens@0.4.3: Please use @ensdomains/ens-contracts
npm WARN deprecated @ensdomains/resolver@0.2.4: Please use @ensdomains/ens-contracts
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated ethereumjs-testrpc@6.0.3: ethereumjs-testrpc has been renamed to ganache-cli, please use this package from now on.

added 2165 packages, and audited 2266 packages in 4m

133 packages are looking for funding
  run `npm fund` for details

90 vulnerabilities (6 low, 50 moderate, 27 high, 7 critical)

Some people say: “if it’s important (e.g. a security problem), notify the package maintainers; if not, ignore the deprecation warning.

NPM deprecation warnings are displayed without any classification with respect to the dependency where they originate.

  • If the code of the deprecated package was not used at all (fake dependency), then we could safely ignore the deprecation warning.
  • If the code of the deprecated package was only used in development (dev dependency), then we could almost safely ignore the deprecation warning.
  • If the code of the deprecated package was also used in production, then we couldn’t ignore the deprecation warning without a detailed analysis.

Sample analysis

Let’s look at the first warning above:

testrpc@0.0.1: testrpc has been renamed to ganache-cli, please use this package from now on.

The deprecation message is not alarming. What should I do? Let’s research a bit more.

Here is the path from testrpc back to truffle:

% npm –global –all ls testrpc@0.0.1

/Users/andrea/.nvm/versions/node/v16.13.0/lib
└─┬ truffle@5.4.18
  └─┬ @truffle/db@0.5.36
    └─┬ @truffle/resolver@7.0.34
      └─┬ @truffle/contract@4.3.39
        └─┬ @ensdomains/ensjs@2.0.1
          └─┬ @ensdomains/ens@0.4.3
            └── testrpc@0.0.1

And here is the package.json in truffle:

{
  "name": "truffle",
  "description": "Truffle - Simple development framework for Ethereum",
  "license": "MIT",
  "author": "consensys.net",
  "homepage": "https://github.com/trufflesuite/truffle#readme",
  "repository": {
    "type": "git",
    "url": "https://github.com/trufflesuite/truffle.git",
    "directory": "packages/truffle"
  },
  "bugs": {
    "url": "https://github.com/trufflesuite/truffle/issues"
  },
  "version": "5.4.18",
  "main": "./build/library.bundled.js",
  "bin": {
    "truffle": "./build/cli.bundled.js"
  },
  "scripts": {
    "analyze": "./scripts/analyze.sh",
    "build": "yarn build:cli",
    "build:cli": "node --max-old-space-size=8192 ./node_modules/webpack/bin/webpack --config ./webpack.config.js",
    "postinstall": "node ./scripts/postinstall.js",
    "prepare": "yarn build",
    "publish:byoc": "node ./scripts/prereleaseVersion.js byoc-safe byoc",
    "publish:external-compiler": "node ./scripts/prereleaseVersion.js external-compiler external-compiler",
    "publish:next": "node ./scripts/prereleaseVersion.js next next",
    "publish:user-level-mnemonic": "node ./scripts/prereleaseVersion.js user-level-mnemonic user-level-mnemonic",
    "test": "./scripts/test.sh",
    "test:raw": "NO_BUILD=true mocha"
  },
  "optionalDependencies": {
    "@truffle/db": "^0.5.36",
    "@truffle/preserve-fs": "^0.2.4",
    "@truffle/preserve-to-buckets": "^0.2.4",
    "@truffle/preserve-to-filecoin": "^0.2.4",
    "@truffle/preserve-to-ipfs": "^0.2.4"
  },
  "dependencies": {
    "@truffle/db-loader": "^0.0.15",
    "@truffle/debugger": "^9.2.0",
    "app-module-path": "^2.2.0",
    "mocha": "8.1.2",
    "original-require": "^1.0.1"
  },
  "devDependencies": {
    "@truffle/box": "^2.1.32",
    "@truffle/config": "^1.3.12",
    "@truffle/contract": "^4.3.39",
    "@truffle/core": "^5.4.18",
    "@truffle/interface-adapter": "^0.5.8",
    "clean-webpack-plugin": "^3.0.0",
    "copy-webpack-plugin": "^7.0.0",
    "eslint": "^5.7.0",
    "fs-extra": "^9.1.0",
    "ganache-core": "2.13.0",
    "glob": "^7.1.6",
    "husky": "^1.1.2",
    "js-scrypt": "^0.2.0",
    "meta-npm": "^0.0.22",
    "meta-pkgs": "^0.2.0",
    "nyc": "^13.0.1",
    "semver": "^7.3.4",
    "shebang-loader": "0.0.1",
    "stream-buffers": "^3.0.1",
    "tmp": "^0.2.1",
    "web3": "1.5.3",
    "webpack": "^5.21.2",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^4.5.0",
    "yargs": "^8.0.2"
  },
  "publishConfig": {
    "access": "public"
  },
  "authors": [
    {
      "name": "Tim Coulter",
      "email": "tim@timothyjcoulter.com",
      "url": "https://github.com/tcoulter"
    }
  ],
  "gitHead": "b788e582fbe5466334a35498d63fca67dca929de",
  "namespace": "consensys"
}

Looking into package.json, we see that @truffle/db is an optional dependency, i.e. a production dependency which could also be not automatically installed when installing truffle.

Looking into @truffle/db, we see that it allows to configure truffle for using it:

db: {
  enabled: true
}

Given that I went for the default installation (and I don’t have a replacement ready), this is a production dependency for me. What should I do? Let’s research a bit more.

Googling @ensdomains/ens we get to the project page on GitHub:

https://github.com/ensdomains/ens

So this project is pretty popular, used by 7.7k other projects. And yet it uses a deprecated package. It’s still unclear what should I do.

This project was included (in its parent, @ensdomains/ensjs) at version 0.4.3. Such a version is nowhere to be found in the repo: not a release, not a tag, not a branch.

Let’s assume it’s a close ancestor of the current code in the master branch, which is marked as 0.5.0 in package.json.

This is what we get after searching for testrpc in the repo:

We see that this is a code dependency whose code is never used but the package name is cited in a README file. That’s it. it’s a fake dependency.

Now, I needed (wasted) a solid hour to find that out. That’s unreasonable.

Could a tool automate all of the above? Not really, because I had to assume that the code of the lost version 0.4.3, in all places where testrpc would be used, is equivalent to the code of the master version (maybe 0.5.0).

Posterity

There is something else that troubles me. If I wanted to persist the result of my research there is little support in the Open Source world as a whole. (I could be wrong. Please, correct me if you know better.)

A possible, but cumbersome, and incomplete solution could be one based on the following tools:

  1. selective dependency resolutions, implemented in NPM by npm-force-resolutions
  2. a fork of @ensdomains/ens (the troublesome package), where I could fix its deprecated dependencies, like aercolino/ensdomains-ens#fix-deprecations
  3. force a resolution, like
{
  "@ensdomains/ens@0.4.3": "aercolino/ensdomains-ens#fix-deprecations"
}

However, that is totally hypothetical, because:

  • the package whose installation complained about testrpc@0.0.1 is global, which means that I do not have any package.json file where I can add my resolutions
  • npm-force-resolutions is poorly documented
  • the Selective dependency resolutions feature of Yarn, upon which npm-force-resolutions is based, doesn’t seem to support versions on the left, nor full repos on the right.

In the end, my research is going to get lost (in my biological memory) and my confidence in NPM lowers.

Looking for the perfect match

Lately, I passed through many selection processes, and I still will go through some more. Did I meet a company where I really wanted to work at? Surely, for many I could have made a positive impact working there. But none was a perfect match. 1I’m not talking about cultural fit here

Why do we look for the perfect match? We should already know that such a thing doesn’t even exist. Lasting couples aren’t a perfect match. How can colleagues be a perfect match to each other? For n colleagues, that would require n * (n - 1) / 2 perfect matches. Insane.

I don’t look for the perfect match with my colleagues, but I must confess that I’m often relieved to get rejected by colleagues which present to me in the testudo formation.

Almost impossible to be admitted here, by design.

How do you expect to find a new team mate if, as soon as a discussion arises, you close ranks and state you know better. Nonetheless, they keep looking for the perfect match, which boils down to a developer with the biggest experience to write quality code without spoon-feeding her, and the smallest experience to follow orders with humbleness.

That, or likemindedness. Isn’t it a known problem to hire like minded people?

Such practices can 2I stroke this through also lead to groupthink where all go along with decisions for the sake of team harmony. Creativity, innovation and growth can 3I stroke this through suffer in the absence of diversity, vigorous debate and conflict.

I never liked to sheepishly follow others. Decades ago, when I was 10 years old, our school teacher gave us a mathematical problem to solve cooperatively. I immediately found a short solution, and shared it with the others. They dismissed it and decided to elaborate one of their own. How proud I was when our teacher validated my answer and not theirs.

During my job interviews, I genuinely make an effort to understand and value the programming decisions, mostly the architectural ones, that my yet-to-be colleagues made in the projects I’m asked to collaborate in. How could I not show my surprise when they tell me:

  • We can’t use Docker / Kubernetes because our setup is too complex
    • What? They are used at Google, I don’t think they have a simpler setup.
  • We prefer vanilla JavaScript to React, because it wouldn’t scale for us.
    • What? It’s used at Facebook, I don’t think they have a smaller scale.

About legacies

I just stumbled upon the job offer that REDACTED-3 1the company where I had been working for the last 3 years, up to two months ago published to fill the vacancy I left.

Here it goes.

Role & Responsibilities

  • Reporting to the CTO, to be the reference in the Front development of the own platform. 2this is the same promise they made to me during my face to face job interview (after delivering a stellar solution to their job challenge) to entice me, but they were never able to hand over anything to me of their huge AngularJS platform in the next 3 years
  • Lead a migration project from AngularJS to a more current efficient solution, possibly VueJS. 3this is what I suggested just two months after I started working there; I had compiled and shared with them a GitLab repo with work-in-progress documents, describing all the steps I envisioned to migrate their big ball of mud, AngularJS, ES5 app to a well architected, VueJS, ES6+ app; they never ever gave me any feedback, until this posthumous job offer
  • Ensure the highest quality of the software developed. 4the newcomer will find the bar quite high indeed; the only feedback I got from the general manager was his praise of my excellent programming skills
  • Possibility of managing a team. 5this was also part of the initial enticing offer they made to me, but the initial team of 2.5 frontend developers shrank to one of 1.5 after a few months; I was the 1 and the .5 was another guy which (in his other .5) also developed the Java middleware; he had been doing both since the start of the company (7 years ago)

Skills & Qualifications

  • Empathy with our Product, high communication skills and a desire to understand how our REDACTED-3 platform works. 6did I say anything about a big ball of mud? be ready for it
  • Experience of at least 4 years in FrontEnd development and specifically with AngularJS. 7this will be of little help to you, as it was to me; not only because of the big ball of mud, but also because the original developers who chose AngularJS, and knew how to create an AngularJS app, had left the company years before my arrival; now you will find misuses at many levels, together with indiscriminate use of $scope and timeouts, be ready for it
  • Ability to build leadership based on both technological mastery and the ability to combine team, tasks and effort, leading by example.
  • Committed, positive, decisive, empathetic person, with the ability to work in a team and quality-oriented.
  • Aligned with continuing to build the best Product on the Market to provide the best services to our Clients

Benefits

  • Face-to-face 4 days a week
  • 1 day remote
  • Office in Barcelona Center 8nice and spacious office, in the most central street, close to public transportation of any kind, but a bit expensive to eat out, be ready for it
  • Indefinite contract
  • Flexible schedule
  • Solid, growing and sustainable project
  • REAL growth possibility 9I doubt it, the company was very small (15 employees) when I joined it, and it was much smaller when I left (5 employees)