Deprecation warnings on install #1178

Closed
mmc41 opened this issue May 13, 2020 · 10 comments
Labels
bug: dependency A problem in one of Eleventy’s dependencies

Comments

@mmc41

mmc41 commented May 13, 2020

Describe the bug
Deprecation warnings on install that affect unsupported code, supported node versions and potential security issues.

npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

To Reproduce
npm install

Expected behavior
No warnings on install.

Environment:

  • OS and Version: Mac
  • Eleventy Version 0.11.0

Additional context
Add any other context about the problem here.

@mmc41 mmc41 changed the title Deprecation warnings on instal Deprecation warnings on install May 13, 2020
@Ryuno-Ki
Contributor

Could you run the following commands and share their output?

npm ls chokidar
npm ls fsevents
npm ls resolve-url
npm ls urix
npm ls core-js

This way, we can see which dependency pulls in the deprecated version.

@mmc41
Author

mmc41 commented May 13, 2020

npm ls chokidar
npm ls fsevents
npm ls resolve-url
npm ls urix
npm ls core-js/...
└── (empty)

npm ls fsevents
npm ls resolve-url
npm ls urix
npm ls core-js/...
└── (empty)

npm ls resolve-url
npm ls urix
npm ls core-js/...
└── (empty)

npm ls urix
npm ls core-js/...
└── (empty)

npm ls core-js
...
└── (empty)

@josebolos

I'm not getting the same deprecation warnings as OP, but all of the dependencies seem to be coming from browser-sync, except for core-js which comes from pug:

$ npm ls chokidar@2.1.8 fsevents@1.2.13 resolve-url@0.2.1 urix@0.1.0 core-js@2.6.11
eleventysite@0.0.1 /home/josebolos/devel/eleventy
└─┬ @11ty/eleventy@0.11.0
  ├─┬ browser-sync@2.26.7
  │ ├─┬ chokidar@2.1.8 
  │ │ └── UNMET OPTIONAL DEPENDENCY fsevents@1.2.13 
  │ └─┬ micromatch@3.1.10
  │   └─┬ snapdragon@0.8.2
  │     └─┬ source-map-resolve@0.5.3
  │       ├── resolve-url@0.2.1 
  │       └── urix@0.1.0 
  └─┬ pug@2.0.4
    └─┬ pug-code-gen@2.0.2
      └─┬ constantinople@3.1.2
        └─┬ babel-types@6.26.0
          └─┬ babel-runtime@6.26.0
            └── core-js@2.6.11 
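
Added example, not part of the thread or of Eleventy's code: the same attribution done programmatically, by walking a dependency tree and grouping each deprecated package under the dependency of @11ty/eleventy that pulls it in. The tree is a constructed sample mirroring the `npm ls` output above and assumes the nested `dependencies`/`version` shape of `npm ls --json`; the names `dep`, `findPaths` and `blame` are hypothetical.

```javascript
// Constructed sample: same shape as `npm ls --json` output (nested
// `dependencies` objects keyed by name, each with a `version`), filled in from
// the tree in the comment above. fsevents is left out (unmet optional dep).
const dep = (version, dependencies = {}) => ({ version, dependencies });
const tree = dep("0.0.1", {
  "@11ty/eleventy": dep("0.11.0", {
    "browser-sync": dep("2.26.7", {
      chokidar: dep("2.1.8"),
      micromatch: dep("3.1.10", { snapdragon: dep("0.8.2", {
        "source-map-resolve": dep("0.5.3", {
          "resolve-url": dep("0.2.1"), urix: dep("0.1.0") }),
      }) }),
    }),
    pug: dep("2.0.4", { "pug-code-gen": dep("2.0.2", {
      constantinople: dep("3.1.2", { "babel-types": dep("6.26.0", {
        "babel-runtime": dep("6.26.0", { "core-js": dep("2.6.11") }),
      }) }),
    }) }),
  }),
});

// Every path from the root to a package whose name@version is in `wanted`.
function findPaths(node, wanted, trail = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...trail, `${name}@${child.version}`];
    if (wanted.has(path[path.length - 1])) hits.push(path);
    hits.push(...findPaths(child, wanted, path));
  }
  return hits;
}

// Group flagged packages by the ancestor at `depth` (1 = a dependency of the
// first-level package, here a dependency of @11ty/eleventy itself).
function blame(root, wanted, depth = 1) {
  const byAncestor = {};
  for (const path of findPaths(root, wanted)) {
    const ancestor = path[Math.min(depth, path.length - 1)];
    (byAncestor[ancestor] = byAncestor[ancestor] || []).push(path[path.length - 1]);
  }
  return byAncestor;
}

const deprecated = new Set(
  ["chokidar@2.1.8", "resolve-url@0.2.1", "urix@0.1.0", "core-js@2.6.11"]);
console.log(blame(tree, deprecated));
```

To use it on a real project, replace `tree` with the parsed JSON from `npm ls --json`.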

@mmc41
Author

mmc41 commented May 14, 2020

In relation, I am today getting this new security warning from npm when I install eleventy:

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @11ty/eleventy > browser-sync > localtunnel > yargs > │
│ │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @11ty/eleventy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @11ty/eleventy > browser-sync > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 low severity vulnerabilities in 708 scanned packages
2 vulnerabilities require manual review. See the full report for details.

@Ryuno-Ki
Contributor

Hi @mmc41,

please read #1025 (comment) and open a new issue (in case it wasn't reported yet).

Thanks.

@zachleat
Member

browser-sync npm audits are filed here #1164

@zachleat zachleat added this to the Eleventy v1.0.0 milestone May 16, 2020
@zachleat zachleat added bug: dependency A problem in one of Eleventy’s dependencies and removed needs-triage labels May 16, 2020
@RichmondYeboah

I'm getting the same issue; I've been trying to resolve it for 2-3 days now.

@prajapatarun

I am also facing this issue:
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

@hubgit

hubgit commented Jul 4, 2020

Using yarn global add @11ty/eleventy shows just two deprecation warnings, from browser-sync:

warning @11ty/eleventy > browser-sync > chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
warning @11ty/eleventy > browser-sync > chokidar > fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.

@zachleat
Member

zachleat commented Sep 4, 2020

An update here regarding these deps specifically on master:

npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.


Going to close this! Follow along at #1394 for the valid core-js issue

@zachleat zachleat closed this as completed Sep 4, 2020
@zachleat zachleat modified the milestones: Planning for Eleventy v1.0.0, Eleventy 1.0.0 Nov 22, 2020