punycode module deprecated message

[mphillippiAPG]

Steps To Reproduce

from terminal on macOS, run any bw command:

bw --version

Expected Result

should only provide the version:

2023.9.1

Actual Result

shows a deprecation warning for punycode in node:

(node:2299) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
(Use node --trace-deprecation ... to show where the warning was created)
2023.9.1

Screenshots or Videos

❯ bw --version
(node:2299) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
(Use node --trace-deprecation ... to show where the warning was created)
2023.9.1

Additional Context

No response

Operating System

macOS

Operating System Version

14.0 (23A344)

Shell

Zsh

Build Version

2023.9.1

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[hseeberger]

As a workaround you can use bw ... 2>/dev/null for the time being, because the noise is written to stderr.

[tyler-8]

Output of the node --trace-deprecation command

~ node --trace-deprecation /opt/homebrew/bin/bw
(node:32186) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
    at node:punycode:3:9
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:392:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:328:10)
    at loadBuiltinModule (node:internal/modules/helpers:101:7)
    at Module._load (node:internal/modules/cjs/loader:1001:17)
    at Module.require (node:internal/modules/cjs/loader:1235:19)
    at require (node:internal/modules/helpers:176:18)
    at Object.<anonymous> (/opt/homebrew/Cellar/bitwarden-cli/2023.9.1/libexec/lib/node_modules/@bitwarden/cli/node_modules/psl/index.js:5:16)
    at Module._compile (node:internal/modules/cjs/loader:1376:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1435:10)
Usage: bw [options] [command]

[sammbw]

Hi there,

Thank you for your report!

I was able to reproduce this issue, and I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

[RoboProgrammer69]

Downgrade node to 20.9.0 version!

[maion308]

solution that worked for me:
npm install punycode --save

and then in node_modules go to the directory tr46 > index.js

// Replace this:
const punycode = require('punycode');
// With this:
const punycode = require('punycode/');

basically just add a trailing forward slash

[lmerz1]

As a workaround you can use bw ... 2>/dev/null for the time being, because the noise is written to stderr.

So I was able to do this for e.g. bw sync, but not for a command like bw list items --search example.com – which to my understanding seems to imply the latter command writes its regular output to stderr instead of stdout.

Am I right in assuming this as a bug? I am relatively new to shell/command line use, so please do correct me in case I am mistaken.

The reverse also seems to hold:

bw sync 1>/dev/null shows no output (expected); whereas

bw list items --search example.com 1>/dev/null still shows output (both the deprecation message mentioned in this issue, as well as the prompt for entering the master password).

Screenshot attached as a quick demonstration of this.

[TheUdK]

Temporary fix im using:

NODE_OPTIONS="--no-deprecation" bw --version

or add as an env var.
export NODE_OPTIONS="--no-deprecation

If you add the env var this will suppress all other depreciation warnings as well. Should probably be removed once this has been fixed.

[saidhammane]

Temporary fix im using:

NODE_OPTIONS="--no-deprecation" bw --version

or add as an env var. export NODE_OPTIONS="--no-deprecation

If you add the env var this will suppress all other depreciation warnings as well. Should probably be removed once this has been fixed.

Where did you put that exactly?

[TheUdK]

Temporary fix im using:
NODE_OPTIONS="--no-deprecation" bw --version
or add as an env var. export NODE_OPTIONS="--no-deprecation
If you add the env var this will suppress all other depreciation warnings as well. Should probably be removed once this has been fixed.

Where did you put that exactly?

You can either:

• if you are using zsh put export NODE_OPTIONS="--no-deprecation it in ~/.zshrc or ~/.zshenv to make it persist in new sessions.
• put export NODE_OPTIONS="--no-deprecation in the terminal session to make it persist for this session.
• execute every bw command with the node option as 'prefix' NODE_OPTIONS="--no-deprecation" bw --version

[kschat]

I didn't want to set --no-deprecation globally since I use Node at work. My temp workaround was to make an alias for bw:

# Temp workaround to disable punycode deprecation logging to stderr
# https://github.com/bitwarden/clients/issues/6689
alias bw='NODE_OPTIONS="--no-deprecation" bw'

[Moulick]

Can we please get some love on this??

[Hinton]

Hi everyone,

This seems to be caused by a transient dependency of jsdom which is required by several features of the CLI. Unfortunately this means we don't have a good way of resolving this until the dependency releases a new version.

In the meanwhile you can avoid the error by using the distributed version of the CLI from our website, by downgrading node or by passing in the --no-deprecation flag to NODE_OPTIONS.

[luckydonald]

Related Issues:

• Deprecated Punycode module generating deprecation warnings jsdom/jsdom#3613
• Dependency on deprecated Node "punycode" module lupomontero/psl#296
• Replace psl with tldts salesforce/tough-cookie#346

[tolecnal]

Not that it is needed, as it has been confirmed by several, but here is another one with the issue on macOS 14.3.1 running Node v21.6.2.

For the time being, I have added an alias per @kschat suggestion, which solves it for me until it has been resolved upstream.

[navruz8080]

The easiest way to do this is:
1 Let's install the en package (n is its name)) to manage node versions globally:
npm install -g n
2 And then, using this package, we switch the node to the version we need:
n 20.9.0

[valorisa]

solution that worked for me: npm install punycode --save

and then in node_modules go to the directory tr46 > index.js

// Replace this: const punycode = require('punycode'); // With this: const punycode = require('punycode/');

basically just add a trailing forward slash

Hello,

Could you please explain in detail this part 'and then in node_modules go to the directory tr46 > index.js' ? Thanks.

[Servinjesus1]

To keep the latest version and remove the error messasge, find your installation of bw:

realpath $(which bw)

then go there and up a few directories till you get to the directory with build/, node_modules/, and package*.json files. This is a node project, so run

npm install punycode --save

to install the "userland" version of punycode.
Then run

find . -type f -exec grep -H "require(.*punycode" {} \;

to find all the sub-dependencies which require punycode. As @maion308 suggested, making these

require('punycode/')

calls the right version. In this latest version ( 2024.6.0 ) I had to change a few subdependencies until the error went away. Notably I think it's still the tr46 package that's the problem: it's just now a dependent of node-fetch whose version of tr46 (cli/node_modules/node-fetch/node_modules/tr46/index.js) now also needs updating to punycode/ on top of bw-cli's version of tr46 (cli/node_modules/tr46/index.js). Not sure if other changes I made were also necessary. I have at least one instance of some code that says var punycode = require('punycode')(no trailing slash) and the warning message is gone, so maybe ignore those lines.

[palaueb]

Hello, for me it was file ./node_modules/node-fetch/node_modules/whatwg-url/lib/url-state-machine.js, changing to require('punycode/') fixed the issue.

Also changed:

• ./node_modules/psl/index.js
• ./node_modules/node-fetch/node_modules/tr46/index.js

Thanks!

[jzadra]

This just started occurring for me.

bw cli: 2024.6.0
macOS Sonoma 14.5

[gsoneill]

I'm also having this issue

bw cli: 2024.6.1
macOS: Sonoma 14.5 (23F79)

[kniziol]

Result from the Copy Last Error:

(node:36881) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Invalid master password.

The master password is 100% correct. I've copied and pasted it to avoid typos.

Do you have any ideas on when it will be solved? 🙄

[ckujau]

For me it was editing 4 files to get rid of that warning:

$ cd $(dirname $(readlink -f $(which bw)))/../../
$ grep -r 'require("punycode")' .
./cli/node_modules/node-fetch/node_modules/whatwg-url/lib/url-state-machine.js:const punycode = require("punycode");
./cli/node_modules/node-fetch/node_modules/tr46/index.js:var punycode = require("punycode");
./cli/node_modules/tr46/index.js:const punycode = require("punycode");
./cli/node_modules/tough-cookie/lib/cookie.js:const punycode = require("punycode");

Replace all those with punycode/ as suggested (and install the punycode module locally) and the warnings are gone.

[rojosinalma]

It's almost 1 year after the first acknowledgement of this issue and there's still no official solution. What's the current status, is there any intentions of fixing it or giving a reasonable timeline? @sammbw

[djsmith85]

@rojosinalma As @Hinton has previously mentioned this is an upstream issue:

Hi everyone,

This seems to be caused by a transient dependency of jsdom which is required by several features of the CLI. Unfortunately this means we don't have a good way of resolving this until the dependency releases a new version.

In the meanwhile you can avoid the error by using the distributed version of the CLI from our website, by downgrading node or by passing in the --no-deprecation flag to NODE_OPTIONS.

[chipschipschips]

BitWarden, if you're not interested enough in resolving this properly[1], and it's otherwise harmless, and one recommended workaround includes passing the --no-deprecation flag to NODE_OPTIONS, then why not set that environment variable in the CLI itself?

For example:

@@ -1,4 +1,4 @@
-#!/usr/local/opt/node/bin/node
+#!/usr/bin/env NODE_OPTIONS=--no-deprecation /usr/local/opt/node/bin/node

You can then revert this once jsdom releases a new version.

[1] Eg: chasing this up with jsdom

[valorisa]

I scrupulously followed the instructions provided by @ckujau and @Servinjesus1. Now I no longer have the warnings of depreciation of the 'punycode' module

[andrew-chang-dewitt]

For everyone tracking this:

Looks like this has been resolved in jsdom/jsdom#3776, included in v 25.01 release as of 2024-09-22. Since then, you might notice above here BW's upgraded to v25 in #10742, merged to main 3 days ago & included in the browser & web version 2024.10.0 releases. No matching CLI release yet though.

[DJAlPee]

New CLI version released today (updated with brew on my device), but still having this issue:

✗ bw --version
(node:68370) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
2024.10.0

[andrew-chang-dewitt]

I still get the same deprecation warning even when I built bitwarden cli from source at the latest commit on main.

[andrew-chang-dewitt]

Did some cursory digging, looks like this is still upstream—this time with node-fetch@2.x:

Running bw w/ deprecation tracing outputs the following:

$ NODE_OPTIONS="--trace-deprecation" bw --version
(node:41464) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
    at node:punycode:3:9
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:398:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:337:10)
    at loadBuiltinModule (node:internal/modules/helpers:96:7)
    at Module._load (node:internal/modules/cjs/loader:1037:17)
    at Module.require (node:internal/modules/cjs/loader:1271:19)
    at require (node:internal/modules/helpers:123:16)
    at Object.<anonymous> (/home/andrew/.nvm/versions/node/v22.2.0/lib/node_modules/@bitwarden/cli/node_modules/node-fetch/node_modules/whatwg-url/lib/url-state-machine.js:2:18)
    at Module._compile (node:internal/modules/cjs/loader:1434:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1518:10)
2024.10.0

Per node-fetch, version 2.x can't be updated to latest version of whatwg-url due to minimum supported version of Node is v18 & node-fetch@2.x supports Node versions all the way back to v4. See node-fetch/node-fetch/#1793. Maintainer recommends (see proceeding PR comment link) switching to node-fetch@3.x or native fetch in Node versions 18+.

bitwarden/clients pins node-fetch to 2.6.12 in package.json.

[andrew-chang-dewitt]

Did some cursory digging, looks like this is still upstream—this time with node-fetch@2.x:
...

Should this issue be reopened, or is it better if I file a new issue for this new cause?

[djsmith85]

Thank you @andrew-chang-dewitt for the investigation and identifying another upstream issue. I'll go ahead and re-open this.

[andrew-chang-dewitt]

Just in case anyone else is looking at resolving this w/ a PR like I was, it seems like the following issues could be blocking a resolution:

1. [deps] Vault: Update node-fetch to v3 #10606: node-fetch@v3.x requires ESM support

   1. I explored importing node-fetch@3.x using the const fetch = (...args) => import('node-fetch').then(({default: fetch}) => fetch(...args)); trick (as suggested by the node-fetch team), but quickly ran into a lot more issues than I have the time to spend on resolving this myself
      • I tried various versions of transformIgnorePatterns: ["node_modules/(?!node-fetch)"] in various jest.config.js files, but every time the tests at src/service-container/service-container.spec.ts failed to parse ESM syntax in node-fetch
      • Also tried converting ./babel.config.json to ./babel.config.js as suggested in a few different issues, but still no success

2. An alternative to (1) could be switching to native fetch, but this would require bumping the entire project's node version to 21+ (likely 22+ 21 went out of maintenance support earlier this year)—a change I assume the team would want to look at themselves instead of some random outsider.

[evgenykushnarenko]

For me it was editing 4 files to get rid of that warning:

$ cd $(dirname $(readlink -f $(which bw)))/../../
$ grep -r 'require("punycode")' .
./cli/node_modules/node-fetch/node_modules/whatwg-url/lib/url-state-machine.js:const punycode = require("punycode");
./cli/node_modules/node-fetch/node_modules/tr46/index.js:var punycode = require("punycode");
./cli/node_modules/tr46/index.js:const punycode = require("punycode");
./cli/node_modules/tough-cookie/lib/cookie.js:const punycode = require("punycode");

Replace all those with punycode/ as suggested (and install the punycode module locally) and the warnings are gone.

Its work for me! 🚀