Open
Description
Current behavior
Installing dependencies with `npm ci` logs deprecations and vulnerabilities. These are from `devDependencies` only and do not affect the published npm package `@cypress/commit-info`.
Desired behavior
Installing dependencies in the repo should show no deprecations and no vulnerabilities.
Test code to reproduce
Ubuntu 24.04.3 LTS, Node.js 22.19.0 LTS

```shell
git clone https://github.com/cypress-io/commit-info
cd commit-info
git clean -xfd # if repeating
npm ci
```
Logs
```text
$ npm ci
npm warn deprecated acorn-dynamic-import@4.0.0: This is probably built in to whatever tool you're using. If you still need it... idk
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm warn deprecated folktale@2.3.2: This package is no longer actively maintained. Only security patches will be provided, if needed. Consider switching to fp-ts.
added 597 packages, and audited 806 packages in 15s
135 packages are looking for funding
run `npm fund` for details
4 vulnerabilities (2 low, 2 high)
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
```
Other
The deprecations and vulnerabilities result from archived / unmaintained npm packages used in `devDependencies`. To resolve these issues would involve replacing their functionality in repo testing.
In devDependencies | Last Release | Status | Suggested Replacement |
---|---|---|---|
dependency-check@4.1.0 | Jul 29, 2019 | deprecated and archived | knip |
snap-shot-it@7.9.10 | Dec 10, 2022 | unmaintained | |
stub-spawn-once@2.3.0 | Jul 11, 2017 | unmaintained |
- see also Dependency Dashboard #111
Deprecations
Deprecation | Dependency of |
---|---|
acorn-dynamic-import@4.0.0 | dependency-check@4.1.0 |
glob@7.2.3 | dependency-check@4.1.0 |
debug@4.1.1 | snap-shot-it@7.9.10 |
folktale@2.3.2 | snap-shot-it@7.9.10 |
Vulnerabilities
Vulnerability | Dependency of |
---|---|
debug@4.1.1 | snap-shot-it@7.9.10 |
debug@2.6.8 | stub-spawn-once@2.3.0 |
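
One way to check the "devDependencies only" statement and the "Dependency of" columns from a lockfile, as an added example that is not part of the original issue or the project's code. `sampleLock` is a constructed fragment in the `package-lock.json` lockfileVersion 3 shape (the real tree may be deeper, and `example-runtime-dep` is hypothetical); `resolveDep` and `traceFlagged` are names chosen here.

```javascript
// Constructed lockfileVersion 3 fragment, not the repository's real package-lock.json.
// "example-runtime-dep" is a hypothetical runtime dependency added for contrast.
const sampleLock = {
  packages: {
    "": { dependencies: { "example-runtime-dep": "^1.0.0" },
          devDependencies: { "snap-shot-it": "7.9.10", "stub-spawn-once": "2.3.0" } },
    "node_modules/example-runtime-dep": { version: "1.0.0" },
    "node_modules/snap-shot-it": { version: "7.9.10", dev: true, dependencies: { debug: "4.1.1" } },
    "node_modules/debug": { version: "4.1.1", dev: true },
    "node_modules/stub-spawn-once": { version: "2.3.0", dev: true, dependencies: { debug: "2.6.8" } },
    "node_modules/stub-spawn-once/node_modules/debug": { version: "2.6.8", dev: true },
  },
};

// Resolve `name` as seen from the package at `fromPath`, walking up nested
// node_modules directories the way Node's module resolution does.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For each flagged "name@version", report the lockfile's dev flag and the
// top-level dependencies whose trees contain it (peerDependencies are not followed).
function traceFlagged(lock, flagged) {
  const pk = lock.packages, report = {};
  const tops = { ...pk[""].dependencies, ...pk[""].devDependencies };
  for (const top of Object.keys(tops)) {
    const topPath = resolveDep(pk, "", top), seen = new Set(), queue = [topPath];
    while (queue.length) {
      const path = queue.shift();
      if (!path || seen.has(path)) continue;
      seen.add(path);
      const entry = pk[path];
      const id = path.slice(path.lastIndexOf("node_modules/") + 13) + "@" + entry.version;
      if (flagged.includes(id)) {
        report[id] = report[id] || { devOnly: entry.dev === true, via: [] };
        report[id].via.push(top + "@" + pk[topPath].version);
      }
      const deps = { ...entry.dependencies, ...entry.optionalDependencies };
      for (const dep of Object.keys(deps)) queue.push(resolveDep(pk, path, dep));
    }
  }
  return report;
}
```

On a real checkout, pass the parsed `package-lock.json` as `lock`; `npm audit --omit=dev` gives the dev-only answer from npm itself.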