Most packages need some upgrade #12

Open
JJ opened this issue Nov 22, 2021 · 2 comments
JJ commented Nov 22, 2021

Summary

Many packages seem to be a few majors behind their current release; karma is an example.

Simplest Example to Reproduce

I found this while doing `npm uninstall har-validator`, which effectively does not seem to be used. This revealed a `karma*` conflict, which revealed several vulnerabilities when upgrading:

```
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'karma-cli@1.0.1',
npm WARN EBADENGINE   required: { node: '0.10 || 0.12 || 4 || 5 || 6' },
npm WARN EBADENGINE   current: { node: 'v16.2.0', npm: '7.19.1' }
npm WARN EBADENGINE }
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated sprintf@0.1.5: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated codecov@3.8.3: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 880 packages, and audited 883 packages in 60s

46 packages are looking for funding
  run `npm fund` for details

36 vulnerabilities (2 low, 16 moderate, 9 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

Expected Behavior

Even if it's not a production library in most modules, I would expect some maintenance updates.

Possible Solution

Upgrade of all dependencies, and corresponding testing

Context

This is causing deprecation warnings, as well as snyk alerts, up and down the line.

Your Environment

| software | version |
| --- | --- |
| request | HEAD in master |
| node | 16.8 |
| npm | 8.0 |
| Operating System | linux |
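The issue turns on two checks a maintainer would want to automate: reading the `npm audit` result rather than eyeballing the summary line, and finding dependencies that are declared but never required (the `har-validator` question below). The following is an added example, not code from this project or from the issue's participants. It assumes the `npm audit --json` report shape of npm 7+ (`auditReportVersion: 2`, totals under `metadata.vulnerabilities`, a per-package `fixAvailable` field); every sample value, package name and source snippet is constructed, with only the severity totals copied from the counts quoted above.

```javascript
// Added example (not from the project or the issue author): a small CI gate
// over `npm audit --json` plus a check for declared-but-unreferenced
// dependencies. The report shape (auditReportVersion 2,
// metadata.vulnerabilities, per-package fixAvailable) is assumed to follow
// npm 7+; all sample data below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed audit report: metadata totals mirror the counts quoted in the
// issue (2 low, 16 moderate, 9 high, 9 critical); the per-package map is a
// three-entry excerpt with made-up package names.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dep-a': { name: 'example-dep-a', severity: 'critical', isDirect: false, fixAvailable: true },
    'example-dep-b': { name: 'example-dep-b', severity: 'high', isDirect: true,
      fixAvailable: { name: 'example-dep-b', version: '9.0.0', isSemVerMajor: true } },
    'example-dep-c': { name: 'example-dep-c', severity: 'moderate', isDirect: false, fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 16, high: 9, critical: 9, total: 36 } },
};

// Constructed package.json fragment and source snippets for the usage check.
const SAMPLE_PACKAGE = {
  dependencies: { 'har-validator': '^5.1.5', 'example-dep-b': '^8.0.0', 'unused-dep': '^1.0.0' },
  devDependencies: { karma: '^1.7.1' },
};
const SAMPLE_SOURCES = [
  "var validate = require('har-validator')\n",
  "import something from 'example-dep-b';\nconst k = require('karma/lib/config');\n",
];

// Severity totals as npm reports them, plus the worst severity present.
function summarize(report) {
  const counts = report.metadata.vulnerabilities;
  const worst = Object.keys(SEVERITY_RANK)
    .filter((s) => counts[s] > 0)
    .sort((a, b) => SEVERITY_RANK[b] - SEVERITY_RANK[a])[0] || null;
  return { counts, worst };
}

// True when any vulnerability at or above `threshold` is present.
function failsGate(report, threshold) {
  const floor = SEVERITY_RANK[threshold];
  if (floor === undefined) throw new Error(`unknown severity: ${threshold}`);
  const counts = report.metadata.vulnerabilities;
  return Object.keys(SEVERITY_RANK).some((s) => SEVERITY_RANK[s] >= floor && counts[s] > 0);
}

// Packages whose only available fix is a semver-major bump: these are what
// `npm audit fix --force` would touch, so they are listed for manual review
// and testing rather than applied blindly.
function breakingFixes(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.fixAvailable && v.fixAvailable.isSemVerMajor === true)
    .map((v) => v.name)
    .sort();
}

// Reduce a require/import specifier to its package name ('@scope/name' or 'name').
// Relative and absolute paths are not packages and yield null.
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Declared dependencies (dependencies + devDependencies) that no source
// string requires or imports. A hit is a candidate for removal, not proof:
// dynamic requires and config-only tools are not seen by this scan.
function unusedDependencies(pkg, sources) {
  const declared = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const pattern = /(?:require\(\s*|\bfrom\s+)['"]([^'"]+)['"]/g;
  const referenced = new Set();
  for (const src of sources) {
    for (const m of src.matchAll(pattern)) {
      const name = packageName(m[1]);
      if (name) referenced.add(name);
    }
  }
  return declared.filter((d) => !referenced.has(d)).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  const { counts, worst } = summarize(SAMPLE_AUDIT);
  console.log(`total ${counts.total}, worst ${worst}, gate(high) fails: ${failsGate(SAMPLE_AUDIT, 'high')}`);
  console.log('breaking fixes:', breakingFixes(SAMPLE_AUDIT));
  console.log('unused deps:', unusedDependencies(SAMPLE_PACKAGE, SAMPLE_SOURCES));
}
```

In a real pipeline the report comes from `npm audit --json > audit.json` and the sources from a directory walk; the gate uses `metadata` totals because that is what npm itself summarises, while `breakingFixes` separates the semver-major upgrades that need the "corresponding testing" the issue asks for from the ones `npm audit fix` can apply safely.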
@jankanty

@JJ har-validator is used here:

```javascript
var validate = require('har-validator')
```


JJ commented Nov 25, 2021

That wasn't apparently tested. And it's still deprecated. As I've suggested elsewhere, it's probably better to get rid of it. If it's not tested, it's not spec.
