
[scope] npm install deprecated and security warnings #3008

Open
freedmandil opened this issue Feb 28, 2024 · 5 comments
Labels
dependencies Pull requests that update a dependency file tag/next-release/nightly Any issue which has a corresponding PR which has been merged and is available in the nightly build type/duplicate Anything which is a duplicate type/upstream Any issues in dependencies
Comments

@freedmandil

Bug Report

I just wanted a clean install of fomantic-ui
and it has many dependencies that are deprecated and in need of repair/replacement:

npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

Steps to reproduce

  1. followed install instructions on website to install via npm
  2. npm install fomantic-ui

Expected result

Clean install with no deprecation errors or security vulnerabilities

Actual result

npm warnings

Screenshot (if possible)

2.9

@freedmandil freedmandil added state/awaiting-investigation Anything which needs more investigation state/awaiting-triage Any issues or pull requests which haven't yet been triaged type/bug Any issue which is a bug or PR which fixes a bug labels Feb 28, 2024
@lubber-de
Member

lubber-de commented Feb 28, 2024

These are (sub-)dependencies of gulp, which is ignored by the gulp developers as they declare this a false positive, explained via
https://overreacted.io/npm-audit-broken-by-design/
gulpjs/gulp#2640

So as long as nobody fixes the original libs or forks them, and/or fixes gulp, or rewrites the whole build system, this won't get fixed. But in fact those affect the local instance only, as described in the external link above.

I, however, was already trying to fork and fix all affected external and abandoned dependencies some time ago, but this ain't an easy/motivating task and isn't finished. If interested, those packages are here: https://www.npmjs.com/search?q=%40fomantic

Duplicate of #2936 (comment)
Duplicate of #1646
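
As an added example (not code from the fomantic-ui project, and not part of the comment above), the script below parses the `npm WARN deprecated <name>@<version>: <message>` lines quoted in the bug report, flags the ones whose message signals a security problem rather than plain end-of-life (the fsevents and chokidar warnings), and records whether each package is reached only through devDependencies, which is the "local instance only" distinction made in the reply. The dependency tree, the `jquery` runtime entry and the trailing "added 1234 packages" line are constructed for the example; a real run would derive the tree from package-lock.json.

```javascript
// Added example, not code from the fomantic-ui project: triage the
// `npm WARN deprecated` lines printed by `npm install` and separate
// security-relevant warnings from ordinary deprecations, tagging each
// package as runtime, dev-only (build tooling such as gulp) or unknown.

// Constructed sample: the seven warnings from the bug report, verbatim
// format, plus one unrelated line to show that non-matching lines are ignored.
const SAMPLE_INSTALL_OUTPUT = `
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
added 1234 packages in 30s
`;

// Constructed dependency tree (hypothetical; a real one comes from the lockfile).
// Runtime dependencies ship to users; devDependencies only run on build machines.
const SAMPLE_TREE = {
  dependencies: { jquery: {} }, // hypothetical runtime dependency
  devDependencies: {
    gulp: {
      dependencies: {
        'gulp-util': {},
        chokidar: { dependencies: { fsevents: {} } },
        'source-map-resolve': {
          dependencies: { 'source-map-url': {}, urix: {}, 'resolve-url': {} },
        },
      },
    },
  },
};

// Matches `npm WARN deprecated <name>@<version>: <message>`, including
// scoped names such as @scope/pkg@1.0.0.
const DEPRECATION_RE = /^npm WARN deprecated (@?[^@\s]+)@([^\s:]+): (.*)$/;

// Words that mark a deprecation message as a security notice rather than
// ordinary end-of-life (the fsevents and chokidar messages above match).
const SECURITY_RE = /\b(insecure|security|vulnerab\w*|dangerous|malicious)\b/i;

// Parse one output line; returns null for lines that are not deprecation warnings.
function parseDeprecationLine(line) {
  const m = DEPRECATION_RE.exec(line.trim());
  if (!m) return null;
  return { name: m[1], version: m[2], message: m[3], securityRelevant: SECURITY_RE.test(m[3]) };
}

// Collect every package name reachable from a subtree (depth-first).
function collectNames(node, out = new Set()) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    out.add(name);
    collectNames(child, out);
  }
  return out;
}

// Runtime wins over dev-only: if the same package is reachable both ways, it ships.
function scopeOf(name, runtime, devOnly) {
  if (runtime.has(name)) return 'runtime';
  if (devOnly.has(name)) return 'dev-only';
  return 'unknown';
}

// Turn raw install output into records with security flag and dependency scope.
function triageInstallOutput(output, tree) {
  const runtime = collectNames({ dependencies: tree.dependencies });
  const devOnly = collectNames({ dependencies: tree.devDependencies });
  return output
    .split('\n')
    .map(parseDeprecationLine)
    .filter(Boolean)
    .map((rec) => ({ ...rec, scope: scopeOf(rec.name, runtime, devOnly) }));
}

// Counts that answer the triage question: how many security notices, and how
// many of those concern code that actually ships versus build tooling only.
function summarize(records) {
  const s = { total: records.length, security: 0, runtimeSecurity: 0, devOnlySecurity: 0 };
  for (const r of records) {
    if (!r.securityRelevant) continue;
    s.security += 1;
    if (r.scope === 'runtime') s.runtimeSecurity += 1;
    else if (r.scope === 'dev-only') s.devOnlySecurity += 1;
  }
  return s;
}

// Stand-alone run over the constructed sample.
const TRIAGED = triageInstallOutput(SAMPLE_INSTALL_OUTPUT, SAMPLE_TREE);
for (const r of TRIAGED) {
  console.log(`${r.securityRelevant ? 'SECURITY  ' : 'deprecated'} ${r.scope.padEnd(8)} ${r.name}@${r.version}`);
}
console.log(summarize(TRIAGED));
```

For the sample, all seven packages resolve to dev-only and only the fsevents and chokidar notices are security-relevant, so the summary reports no runtime security findings; that is the same split `npm audit --omit=dev` applies when it skips devDependencies. A dev-only security notice still matters for the machines that run the build (developer laptops, CI), so the script reports it separately rather than discarding it.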

@lubber-de lubber-de added tag/help-wanted Issues which need help to fix or implement dependencies Pull requests that update a dependency file type/upstream Any issues in dependencies type/duplicate Anything which is a duplicate and removed type/bug Any issue which is a bug or PR which fixes a bug state/awaiting-investigation Anything which needs more investigation state/awaiting-triage Any issues or pull requests which haven't yet been triaged labels Feb 28, 2024
@freedmandil
Author

Thank you for your tireless work and quick response @lubber-de. I was focussing more on the deprecated dependencies that already have upgrades. I realize gulp is a tough cookie to swallow! Thanks for the feedback.

@lubber-de
Member

I was focussing more on the deprecated dependencies that already have upgrades.

Gulp 5 will solve all that, they say
gulpjs/gulp#2749

@redalpha01

redalpha01 commented May 8, 2024

Wow uhhh the gulp devs are unpleasant.

I think I'll look into trying to build fomantic with vite if I have the time. Maybe release a PR.

Edit: Gulp 5 is also out

@lubber-de
Member

gulp5 was upgraded by #3032
all other plugins have been upgraded by #3047

The remaining/new 2 moderate warnings will be fixed in FUI 2.10.0 when node 12 is dropped

@lubber-de lubber-de added state/has-pr An issue which has a related PR open and removed tag/help-wanted Issues which need help to fix or implement labels May 9, 2024
@lubber-de lubber-de added this to the 2.9.4 milestone May 9, 2024
@lubber-de lubber-de added tag/next-release/nightly Any issue which has a corresponding PR which has been merged and is available in the nightly build and removed state/has-pr An issue which has a related PR open labels May 10, 2024