
NPM Dependencies - Numerous Packages Deprecated #4591

Open
1000heads-luke opened this issue May 20, 2020 · 3 comments

Comments

@1000heads-luke

During npm install from Commit #35e0d79850c65d6f533a515425ca7c22d940d680

  • [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
  • [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
  • [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
  • [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
  • [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
  • [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches.If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
  • [email protected]: This package is unmaintained. Use @sinonjs/formatio instead
  • [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
  • [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
  • [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
  • [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
  • [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
  • [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
  • [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
  • [email protected]: This module is no longer maintained, try this instead: Visit https://istanbul.js.org/integrations for other alternatives.
  • [email protected]: Please use the native JSON object instead of JSON 3
  • [email protected]: use String.prototype.padStart()
  • [email protected]: Copy its ~20 LOC directly into your code instead.
  • [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
  • [email protected]: 'native-or-bluebird' is deprecated. Please use 'any-promise' instead.
  • [email protected]: Use uuid module instead
  • [email protected]: Use portfinder
  • [email protected]: request has been deprecated, see Request’s Past, Present and Future request/request#3142
  • [email protected]: request has been deprecated, see Request’s Past, Present and Future request/request#3142
  • [email protected]: This package has been deprecated in favour of @sinonjs/samsam
  • [email protected]: This package has been deprecated in favour of @sinonjs/samsam
  • [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
  • [email protected]: deprecated in favor of the official sockjs-client
  • [email protected]: uglifyjs is deprecated - use uglify-js instead.
  • [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
  • [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
@vincentfretin
Contributor

We did big updates with #5091 #5092 #5111
Currently we have those warnings:

npm WARN skipping integrity check for git dependency ssh://[email protected]/dmarcos/three-buffer-vertex-data.git 
npm WARN skipping integrity check for git dependency ssh://[email protected]/dmarcos/three-bmfont-text.git 
npm WARN skipping integrity check for git dependency ssh://[email protected]/dmarcos/document-register-element.git 
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: Use portfinder
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1290 packages, and audited 1291 packages in 1m

112 packages are looking for funding
  run `npm fund` for details

36 vulnerabilities (1 low, 13 moderate, 18 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

This is mainly due to the browserify stack and budo, which aren't much maintained. We also have an issue with the pem package on ubuntu 22.04 #5084
In comparison, in the networked-aframe repo, which switched from browserify to webpack and has the same test stack with karma, chai and sinon, we have 0 warnings and 0 vulnerabilities (except for the forked debug package, a dependency of aframe),
but @dmarcos doesn't plan to change the build stack for now.

@vincentfretin
Contributor

I wanted to rectify what I said here, actually all those warnings and vulnerabilities remaining are not from browserify and budo at all, but other packages we use for some scripts and docs server. You can see the details with npm audit.

@vincentfretin
Contributor

As of today we have
24 vulnerabilities (9 moderate, 13 high, 2 critical)
That mostly comes from the unmaintained markserv dependency that is used for the npm run docs command to run a live server rendering the docs. Not sure if anyone uses that? I usually use a live markdown preview in vscode these days.
If we remove that dependency we get

npm install

up to date, audited 1034 packages in 1s

218 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

and

npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  nice-color-palettes  3.0.0
  Depends on vulnerable versions of got
  node_modules/nice-color-palettes
    three-bmfont-text  >=3.0.0
    Depends on vulnerable versions of nice-color-palettes
    node_modules/three-bmfont-text

3 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

three-bmfont-text may be replaced by troika in the future, see #5615
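Added example (not code from the aframe project or from any comment in this thread): a small JavaScript parser for the text form of an `npm audit` report, as quoted above, that rebuilds each finding's dependency chain and names the direct dependency to replace when npm reports no fix, which is the triage done by hand in the comment. The sample report is constructed from the one pasted in the thread.

```javascript
// Constructed sample: the npm audit report quoted in this thread (header line omitted).
const SAMPLE_REPORT = `got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  nice-color-palettes  3.0.0
  Depends on vulnerable versions of got
  node_modules/nice-color-palettes
    three-bmfont-text  >=3.0.0
    Depends on vulnerable versions of nice-color-palettes
    node_modules/three-bmfont-text

3 moderate severity vulnerabilities`;

// A finding is a tree: the vulnerable package at indent 0, then, two spaces deeper per
// level, each package that depends on it, ending at the project's own direct dependency.
function parseAuditReport(text) {
  const findings = [], stack = [];                    // stack: one node per indent level
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const depth = Math.floor((raw.length - raw.trimStart().length) / 2);
    const head = line.match(/^(\S+)\s{2,}(\S.*)$/);    // "name  version-range"
    if (head) {
      const node = { name: head[1], range: head[2], severity: null, advisory: null,
                     fixAvailable: null, dependsOn: null, dependents: [] };
      stack.length = depth;
      if (depth === 0) findings.push(node); else stack[depth - 1].dependents.push(node);
      stack[depth] = node;
      continue;
    }
    const node = stack[depth];
    if (!node) continue;                              // summary text outside a finding
    const dep = 'Depends on vulnerable versions of ';
    if (line.startsWith('Severity: ')) node.severity = line.slice('Severity: '.length);
    else if (line === 'No fix available') node.fixAvailable = false;
    else if (line.startsWith('fix available')) node.fixAvailable = true;
    else if (line.startsWith(dep)) node.dependsOn = line.slice(dep.length);
    else if (line.includes('https://github.com/advisories/')) {
      const i = line.lastIndexOf(' - ');
      node.advisory = { title: line.slice(0, i), url: line.slice(i + 3) };
    }
  }
  return findings;
}
// Leaves of a finding tree are the direct dependencies that pull the advisory in.
const leaves = (n) => (n.dependents.length ? n.dependents.flatMap(leaves) : [n.name]);
// Findings npm cannot fix on its own, each with the direct dependency to swap out.
function reviewList(findings) {
  return findings.filter((f) => f.fixAvailable === false).map((f) => ({
    vulnerable: `${f.name} ${f.range}`, severity: f.severity,
    advisory: f.advisory ? f.advisory.url : null, replaceCandidates: leaves(f) }));
}
```

For a real tree, run `npm audit` and pipe its output into `parseAuditReport`; `replaceCandidates` then lists exactly the packages the "choose a different dependency" hint refers to.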
