v10.0.0-rc.0 + npm emitting Buffer deprecation warnings

[Trott]

• Version: v10.0.0-rc.0
• Platform: macOS
• Subsystem: buffer

$ uname -a
REDACTED-HOSTNAME 16.7.0 Darwin Kernel Version 16.7.0: Tue Jan 30 11:27:06 PST 2018; root:xnu-3789.73.11~1/RELEASE_X86_64 x86_64
$ NVM_NODEJS_ORG_MIRROR=https://nodejs.org/download/rc nvm install 10
v10.0.0-rc.0 is already installed.
Now using node v10.0.0-rc.0 (npm v5.6.0)
$ node -v
v10.0.0-rc.0
$ npm -v
5.6.0
$ npm install left-pad
(node:39380) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
npm WARN saveError ENOENT: no such file or directory, open '/Users/trott/temp/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/Users/trott/temp/package.json'
npm WARN temp No description
npm WARN temp No repository field.
npm WARN temp No README data
npm WARN temp No license field.
npm WARN You are using a pre-release version of node and things may not work as expected

+ left-pad@1.3.0
added 1 package in 0.653s
$ env | grep NODE
$ env  | grep NVM
NVM_CD_FLAGS=
NVM_DIR=/Users/trott/.nvm
NVM_BIN=/Users/trott/.nvm/versions/node/v10.0.0-rc.0/bin
$ which node
/Users/trott/.nvm/versions/node/v10.0.0-rc.0/bin/node
$ which npm
/Users/trott/.nvm/versions/node/v10.0.0-rc.0/bin/npm
$

Turning on trace warnings so we can see what's causing the warning to be emitted:

$ NODE_OPTIONS='--trace-warnings' npm install left-pad 
(node:39545) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
    at showFlaggedDeprecation (buffer.js:159:11)
    at new Buffer (buffer.js:174:3)
    at Object.<anonymous> (/Users/trott/.nvm/versions/node/v10.0.0-rc.0/lib/node_modules/npm/node_modules/tar/lib/parse.js:33:20)
    at Module._compile (internal/modules/cjs/loader.js:678:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:689:10)
    at Module.load (internal/modules/cjs/loader.js:589:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:528:12)
    at Function.Module._load (internal/modules/cjs/loader.js:520:3)
    at Module.require (internal/modules/cjs/loader.js:626:17)
    at require (internal/modules/cjs/helpers.js:20:18)
    at Object.<anonymous> (/Users/trott/.nvm/versions/node/v10.0.0-rc.0/lib/node_modules/npm/node_modules/tar/lib/list.js:8:16)
    at Module._compile (internal/modules/cjs/loader.js:678:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:689:10)
    at Module.load (internal/modules/cjs/loader.js:589:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:528:12)
    at Function.Module._load (internal/modules/cjs/loader.js:520:3)
npm WARN saveError ENOENT: no such file or directory, open '/Users/trott/temp/package.json'
npm WARN enoent ENOENT: no such file or directory, open '/Users/trott/temp/package.json'
npm WARN temp No description
npm WARN temp No repository field.
npm WARN temp No README data
npm WARN temp No license field.
npm WARN You are using a pre-release version of node and things may not work as expected

+ left-pad@1.3.0
updated 1 package in 0.64s
$

It seems to be /Users/trott/.nvm/versions/node/v10.0.0-rc.0/lib/node_modules/npm/node_modules/tar/lib/parse.js which should not trigger a warning because it is inside of a node_modules directory. The offending line is:

const gzipHeader = new Buffer([0x1f, 0x8b])

[SimenB]

FWIW, this happens with yarn (at least installed through brew) as well: yarnpkg/yarn#5704. I installed the RC via nvm, with the help of zsh-nvm

^{(Also, you can minimize comments in the v10 thread if you want, see https://blog.github.com/2018-04-18-new-tools-for-open-source-maintainers/)}

EDIT: Wait, if there is magic around "is inside node_modules" then the yarn case is not relevant as they bundle to a single JS file. Sorry!

[apapirovski]

Same issue for me on macOS without even using nvm. Just happens when I npm install anything, doesn't even have to be global as far as I can tell.

[apapirovski]

@addaleax I think we might need to make this more lenient and just match anything in node_modules, even if it's at the same level as the main file. See the following code:

node/lib/internal/util.js

Line 379 in 1b438a7

return !!match && match[0] !== mainPrefix;

The second part of that conditional creates the problems from what I can tell. Which corresponds to the following test case:

test('/a/node_modules/b.js', '/a/node_modules/x.js', true);

[addaleax]

@apapirovski What are the values for npm in that case? I’d like to understand why it’s failing (and why it’s failing only on macOS), because we did add this behaviour intentionally

[mcollina]

Confirmed as well on my machine.

[apapirovski]

@addaleax I think it's failing because code is executing with main being within node_modules. I don't think this is necessarily macOS only. E.g. fsevents runs node install within its own directory within node_modules.

But to go back to npm itself, after digging through it the culprit is here:

https://github.com/npm/npm/blob/8452a9d9b231bc6c95745bb49a4b838ce11d3b9c/lib/install/action/extract.js#L22-L34

[apapirovski]

Edited the title slightly as it's not just macOS, anything that spins up a process with the main file being within node_modules, gets its warnings printed. Lots of install / post-install scripts are in the mix too.