Re-enable deprecated dependency warnings

[tuckbick]

What would you like Renovate to be able to do?
I would like Renovate to be able to raise issues for deprecated dependencies. Once a dependency has been removed or updated to use a non-deprecated version, Renovate should close the raised issue.

Describe the solution you'd like
I haven't seen any documentation on how to remove values from merged configuration arrays, but something like suppressNotifications: ['!deprecationWarningIssues'] or suppressNotifications: {'deprecationWarningIssues': false} would be convenient ways of overriding merged configurations.

Describe alternatives you've considered
There was previously an option called raiseDeprecationWarnings, which has since been deprecated and refactored into setting suppressNotifications: ['deprecationWarningIssues'] instead. There is currently no way to prevent deprecationWarningIssues from being added to the suppressNotifications array since it's always set during configuration migration.

Additional context
Related issue/discussion: #2909 (comment)

[rarkins]

• Verify semantics of how to ignore/close them
• Verify platform behaves as intended for this

[HonkingGoose]

Relevant quote from @rarkins ¹

One other relevant point is that migrated packages should also be marked as deprecated on npmjs and we should find a way to display this. We once did it with issues, but it was too noisy and error prone so got rolled back and never rolled forward again. I think displaying in the dashboard would be best, meaning from a visibility point of view the user would see:

* Notice that current package is deprecated (hopefully it says which package to update to)

* Pending update of current package

And found another relevant quote from @rarkins ²:

Another idea would be noting in each PR that there's warnings which need checking (maybe deprecations can be considered their own first class concept though with their own count). Then you have a chance to see that in each PR you get, so then you only are unaware if you are not looking at the dashboard or getting PRs, so the chances are lower.

Footnotes

1. https://github.com/renovatebot/renovate/pull/13135#issuecomment-996502814 ↩

2. https://github.com/renovatebot/renovate/pull/13135#issuecomment-997691239 ↩

[HonkingGoose]

I'm labeling this status:requirements as some other ideas need to be discussed first, before we can start work on this issue.

Options to get deprecated dependency warnings going again:

1. Create a "deprecations" section in the Dependency Dashboard which lists the deprecated packages that need to be updated.
2. Create a "deprecations" section in each pull request that Renovate makes, which lists the deprecated packages that need to be updated.
3. Mix-and-match, use both the Dependency Dashboard and the PR deprecation warning section.

@rarkins Do you want me to work on mockups for the Dependency Dashboard and the PR warning idea?

[rarkins]

I think we should default to using a single logger.warn if a repository has any deprecated dependencies.

We should display the list of deprecated packages in the dependency dashboard (maybe grouped by datasource) if it is disabled. We shouldn't use a separate issue for this like we used to.

Users should be able to ignore such packages individually - I think this is possible using ignoreDeps or packageRules today.

Users should be able to turn off the warning altogether, using suppressNotifications (it should no longer be default behavior to do so).

[chezsmithy]

I'd love to see the ability to see upcoming deprecations as well where there isn't a replacement or new version found. For example with the endoflife-date datasource renovate might discover that a dependency is going EOL and we could notify the users. A replacement rule might need to be defined to resolve the EOL situation.

Maybe a configuration that would allow a back off duration from the EOL date for the notifications to begin in the dependency dashboard?

[chezsmithy]

Good article on the state of deprecated NPM packages this morning. Another good reason to bump the priority on this.

https://blog.aquasec.com/deceptive-deprecation-the-truth-about-npm-deprecated-packages

[rarkins]

Let's start with this being in the Dependency Dashboard.

Option 1: Add a section towards the top of the dashboard warning if deprecated dependencies were found and listing them, perhaps grouped by manager.

Option 2: Warning with a count of deprecated dependencies, then include a deprecated flag/badge next to the actual dependencies in the existing dependency tree

I think Option 1 is easier.

Delete the deprecationWarningIssues option, which hasn't existed for years. Do not warn if someone includes it, instead just massage it out of the list.

[rarkins]

It would be nice for a later enhancement to indicate if any of these have replacement PRs available.

[HonkingGoose]

I vote option 1

I like option 1 best.

A ordered list is more accessible and easier to understand than the counts, flags and badges of option 2.

I think deprecated stuff deserves a bit of a "shout out". So putting it in a new section at the top seems best.

When you open the Dashboard you will probably look at the top first. Putting it at the top also keeps it "above the fold" on small viewports/devices.

Use alert syntax on GitHub?

It might be nice to use GitHub's alert syntax, as that looks extra different. 😄

GitHub Docs, Basic writing and formatting syntax, Alerts

If !WARNING is too urgent for you, you can pick a different alert level from the supported ones. 😉

Mock-up of option 1, GitHub alert syntax, top of page

Warning

Renovate found the following deprecated dependencies:

• Deprecated-stuff-1
• Deprecated-stuff-2

You should review the listed dependencies, and either request a update from Renovate via this dashboard, or upgrade manually.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Markdown source for mock-up

> [!WARNING]
> Renovate found the following deprecated dependencies:
> 
> - Deprecated-stuff-1
> - Deprecated-stuff-2
>
> You should review the listed dependencies, and either request a update from Renovate via this dashboard, or upgrade manually.

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.

Let me know what you think

As usual, tell me what you like and don't like about my idea. 😉

[rarkins]

Group by manager or datasource? Or make the list flat, and include the datasource as part of the line, e.g.

• thePackageName (npm) [replacement available]
• thePackageName (maven)

[HonkingGoose]

To group or not to group

Group by manager or datasource?

Each Git hosting platform has different limits on the amount of characters, some have low limits. We should probably avoid grouping, to save characters for the rest of the dashboard features.

Plain list

- thePackageName (npm) [replacement available]
- thePackageName (maven)

Grouped list

### npm manager packages

- thePackageName [replacement available]

### maven manager packages

- thePackageName

I prefer the flat list

Or make the list flat, and include the datasource as part of the line, e.g.

• thePackageName (npm) [replacement available]
• thePackageName (maven)

This looks best to me, for now. It's simpler than grouping things and costs less characters.

Open PR from deprecation list? Looks bad...

I was thinking of letting users open the replacement PR from the list of deprecated items. But this looks bad/broken when you mix replacement available, and missing replacement items:

• thePackageName (npm)
• thePackageName (maven) [no replacement found]

- [ ] thePackageName (npm)
- thePackageName (maven) [no replacement found]

I think this means that the actual replacement PRs go in their own Replacement PR section with proper checkboxes. As that way it will look/behave as expected. 😞

[zharinov]

Usage of [!NOTE], [!WARNING], etc are nice for Github, but it's not portable, so maybe we want to make it a separate issue.

[HonkingGoose]

Usage of [!NOTE], [!WARNING], etc are nice for Github, but it's not portable, so maybe we want to make it a separate issue.

See:

• Use GitHub Alerts for Deprecated Dependency warnings #29689

[renovate-release]

🎉 This issue has been resolved in version 37.410.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.410.0

Your semantic-release bot 📦🚀

[dword-design]

I have a question about this: Is the dependency dashboard currently the only way to show deprecated dependencies and unsuppressing "deprecationWarningIssues" doesn't work? If so, is it possible to auto-close the dependency dashboard/don't open it if there are no issues?

[rarkins]

@dword-design please start a new discussion, we can discuss there