Cordova installation displaying warning #349

Open
4 of 6 tasks
Likhi1111 opened this issue Nov 2, 2022 · 3 comments

Likhi1111 commented Nov 2, 2022

Issue Type

  • Bug Report
  • Feature Request
  • Support Question

Description

showing some warning while installing Cordova

Information

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

added 489 packages, and audited 490 packages in 36s

52 packages are looking for funding
run npm fund for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Command or Code

npm install -g cordova

Environment, Platform, Device

cmd

Version information

Checklist

  • I searched for already existing GitHub issues about this
  • I updated all Cordova tooling to their most recent version
  • I included all the necessary information above
Contributor

breautek commented Nov 2, 2022

A fresh install shows different results (npm install -g cordova may not be a fresh install if you had an older version previously installed)

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 489 packages, and audited 490 packages in 1m

52 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

You can use npm -g upgrade cordova to upgrade global packages. The difference between upgrade and install is that install will update the main package, but may not recursively update its dependencies or child dependencies if the version is already satisfactory, whereas upgrade will upgrade all of the package's dependencies and child dependencies recursively to the latest version available that satisfies their declared semver version.

This will resolve the deprecation warnings received for uuid and stringify-package.

Nonetheless, there are still 2 active deprecations used, which are: har-validator and request

npm ls har-validator
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
  └─┬ insight@0.11.1
    └─┬ request@2.88.2
      └── har-validator@5.1.5

As you can see, har-validator is used by request, so...

npm ls request
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
  ├─┬ cordova-create@4.0.0
  │ └─┬ cordova-fetch@3.0.1
  │   └─┬ pacote@11.3.5
  │     └─┬ @npmcli/run-script@1.8.6
  │       └─┬ node-gyp@7.1.2
  │         └── request@2.88.2 deduped
  └─┬ insight@0.11.1
    └── request@2.88.2

There are 2 sub-dependencies that Cordova depends on that are including this dependency: pacote, which is part of NPM's codebase, and insight. Pacote may need to wait for NodeJS's package node-gyp to update first. There isn't anything Cordova can do directly to resolve these deprecation warnings. While these packages are deprecated, they should work as is for the foreseeable future. Therefore I think it's fine to wait for updates of the underlying packages for the time being.

As for the reported vulnerabilities, they are from the update-notifier package. There are ways to forcefully force cordova to use a different version, such as version 6.x of update-notifier, which resolves the moderate vulnerabilities; however, 6.x includes breaking changes that, in a simple test, cause Cordova not to work properly. You can use npm audit to find more information on the vulnerability to determine the severity for you.


jsbiff commented Aug 6, 2024

I did a clean install of Cordova today (I have never used Cordova before, and am just exploring/learning about it for the first time), and got a bunch of warnings similar to what is reported above, but it seems the list of deprecated packages has gotten longer, and Cordova maybe needs to update to other dependencies?

C:\Users\uogre>npm install -g cordova
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm warn deprecated read-package-json@6.0.4: This package is no longer supported. Please use @npmcli/package-json instead.
npm warn deprecated npmlog@6.0.2: This package is no longer supported.
npm warn deprecated npmlog@7.0.1: This package is no longer supported.
npm warn deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated q@1.5.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated are-we-there-yet@4.0.2: This package is no longer supported.
npm warn deprecated are-we-there-yet@3.0.1: This package is no longer supported.
npm warn deprecated gauge@5.0.2: This package is no longer supported.
npm warn deprecated gauge@4.0.4: This package is no longer supported.
npm warn deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 548 packages in 11s

62 packages are looking for funding
  run `npm fund` for details

Contributor

breautek commented Aug 6, 2024

A cordova install in a complete fresh environment will yield, or at least it did for me:

npm install -g cordova
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

A complete fresh environment meaning I had 0 globally installed NPM packages.

If you have other globally installed packages and those versions satisfy the version pins that cordova or any of its dependencies use, they won't get upgraded on npm install, even if you're installing cordova for the first time. For the sake of speed, NPM will use any existing package, assuming that the existing version satisfies the version pin of the package requesting that dependency.

So in other words, if a package wants dependency x@^1.0.0, and x latest is 1.5.0 and the system has x@1.2.0 installed, it will use x@1.2.0 that already exists instead of downloading and pulling 1.5.0 since 1.2.0 already satisfies ^1.0.0, even if the existing version is marked as deprecated. This is behaviour of NPM, not something that Cordova controls.

Running npm -g upgrade should upgrade all global packages to the latest versions possible (while satisfying version pins) which should solve your large list of deprecated packages, but if you have other global packages that have strict version pins it may hold them back.

npm -g ls <packageName> can also be used to find where some of those packages are being used if any are being held back.

If you have other global packages that are causing these dependencies to be held back, then you might be able to use a project-local install instead by doing npm install cordova --save-dev in your project directory. Then prefix any cordova commands with npx to use the project-local install, e.g: npx cordova build android. This should eliminate any influence on global installed packages, but I'm not 100% sure if local installs actually work completely.
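
Added example, not part of the thread and not npm's or Cordova's code: a simplified model of the x@^1.0.0 reuse rule and the install/upgrade difference described in the comments above. The function names, the `resolve` helper and the list of published versions are assumptions made for illustration; only plain MAJOR.MINOR.PATCH versions and `^` ranges are handled.

```javascript
// Simplified model of the reuse rule described in the thread; not npm's actual resolver.
// Handles plain MAJOR.MINOR.PATCH versions and ^ranges only (no prerelease tags).

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ^1.2.3 means >=1.2.3 <2.0.0; ^0.2.3 means >=0.2.3 <0.3.0; ^0.0.3 means >=0.0.3 <0.0.4
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const base = range.slice(1);
  const [maj, min, pat] = parse(base);
  const upper = maj > 0 ? `${maj + 1}.0.0`
    : min > 0 ? `0.${min + 1}.0`
    : `0.0.${pat + 1}`;
  return compare(version, base) >= 0 && compare(version, upper) < 0;
}

// "install": keep an installed copy if it satisfies the range, else take the best match.
// "upgrade": always move to the highest published version that satisfies the range.
function resolve(mode, range, installed, published) {
  const candidates = published.filter(v => satisfiesCaret(v, range)).sort(compare);
  const best = candidates.length ? candidates[candidates.length - 1] : null;
  if (mode === 'install' && installed && satisfiesCaret(installed, range)) {
    return installed;
  }
  return best;
}

// Constructed sample data mirroring the x@^1.0.0 example in the comment above.
const published = ['1.0.0', '1.2.0', '1.5.0', '2.0.0'];
console.log(resolve('install', '^1.0.0', '1.2.0', published)); // existing copy is kept
console.log(resolve('upgrade', '^1.0.0', '1.2.0', published)); // highest in-range version
console.log(resolve('install', '^1.0.0', '0.9.0', published)); // out of range, so replaced
```

A deprecated version that is still in range is kept by the install path, which is why a deprecation warning can persist until an upgrade is run or the dependent package widens its range.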
