#620 is a breaking change

[bcoe]

Hello @springmeyer, first off thank you for your open source contributions (we use this library on some of our client libraries at Google, and appreciate your work).

---

I notice the recent update #620, which upgrades npmlog to address a regex vulnerability. Unfortunately, this is technically a breaking change, because it drops support for Node 10.

I noticed that npmlog isn't used too heavily, would you be open to switching to an alternate logger, e.g., pino?

Edit: reading through the code-base, it seems like swapping out the progress behavior would perhaps be a pain in the neck.

[springmeyer]

@bcoe - thanks for the heads up - that has not been apparent to me. My intention has been to keep node v10 support for the time being (and only drop at a major release).

I've also considered dropping npmlog - it's heavier that likely what is needed. It is used because this project was initially modeled after node-gyp which used npmlog. I'd accept a PR changing the logger, but it would likely (as you say) be a bit painful/tedious due to how many tests depend on the output (and the tests are not particularly well written - what I can say the project is not the most modern).

In the meantime are you looking for a new 1.0.x release that restores node v10 support (somehow)?

[bcoe]

In the meantime are you looking for a new 1.0.x release that restores node v10 support (somehow)?

If we could figure out a way, this would be amazing. But it might be challenging because I think the latest ansi-regex forces v12.

I also reached to npm, one option would be perhaps floating a patch for npmlog, if npm is open to it (CC: @wraithgar).

---

Just an FYI, I moved my CI/CD to using this approach a few months ago:

- run: npm install --production --engine-strict 

It's been a great way to catch when a dependency drops a major node version, before it actually breaks behavior.

[wraithgar]

I don't know if a patch is possible. If there were semver-compatible updates for ansi-regex that were not vulnerable they would be installed already because npmlog uses ^ as its prefix.

Wide-align moved its support to node12 also when fixing this, which is one of the reasons this can't be fixed in v5 of npmlog.

Long term, moving off of npmlog is probably the best option, though I know that's a tall order and there is a limited amount of time in the universe.

[bcoe]

@wraithgar I did a bit of digging:

npm/gauge#140

I believe a patch is possible because ansi-regex fixes the issue in 5.0.1 which still supports Node 10.

[bcoe]

@wraithgar I think basically, there would need to be a new gauge release, followed by a patch to npmlog, and then node-pre-gyp could pin to the older npmlog.

Pain in the neck, but allows folks to keep using node-pre-gyp on Node 10 until we can drop it soon, this is good motivation for my team at Google to announce dropping Node 10 ASAP in the new year -- but it would stink for users to do this without warning.

[wraithgar]

you should be able to pin back to v3.0.2 and be node v10 compatible again

[springmeyer]

Thanks @wraithgar - started a PR to pull in downgraded npmlog + gauge at #624.

[springmeyer]

Thanks all! Closed by #624