Innerdependency sshpk's deprecationwarning handling #453

Closed
kwonoj opened this issue Dec 20, 2018 · 4 comments

kwonoj commented Dec 20, 2018

Summary

Currently @bugsnag/node raises one deprecation warning on latest node:

DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
    at showFlaggedDeprecation (buffer.js:160:11)
    at new Buffer (buffer.js:175:3)
    at Object../node_modules/sshpk/lib/algs.js (C:\github\slack-desktop\dist\main.bundle.js:95613:6)
    at __webpack_require__ (C:\github\slack-desktop\dist\main.bundle.js:27:30)
    at Object../node_modules/sshpk/lib/key.js (C:\github\slack-desktop\dist\main.bundle.js:100103:12)
    at __webpack_require__ (C:\github\slack-desktop\dist\main.bundle.js:27:30)
    at Object../node_modules/sshpk/lib/index.js (C:\github\slack-desktop\dist\main.bundle.js:100050:11)
    at __webpack_require__ (C:\github\slack-desktop\dist\main.bundle.js:27:30)
    at Object../node_modules/@bugsnag/node/node_modules/http-signature/lib/utils.js (C:\github\slack-desktop\dist\main.bundle.js:10826:13)
    at __webpack_require__ (C:\github\slack-desktop\dist\main.bundle.js:27:30)

coming from an inner dependency of @bugsnag/node.

We are under somewhat special circumstances: we grab console.warn in our Electron renderer process and send it to Bugsnag, which results in our event collection being polluted by this event.

Possible approaches?

I'm not sure if there's an easy way to deal with this: sshpk itself is already fixed (TritonDataCenter/node-sshpk#46), but the parent dep http-signature hasn't been updated, so I'm not sure if there's a way to selectively bump the inner dependency.

@bengourley
Contributor

Hi @kwonoj, thanks for the report. I'll see what we can do about getting this dependency updated.
In the meantime, you should be able to ignore this error using a beforeSend callback.
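
Added example, not part of the thread and not Bugsnag's own code: a narrowly scoped beforeSend filter of the kind suggested above, which drops only the Buffer() deprecation attributed to sshpk and lets every other report through, including the same deprecation raised from other code. The report field names (`errorMessage`, `stacktrace[].file` / `.method`), the convention that returning `false` drops the report, and the sample reports are assumptions made for this example; check them against the notifier version in use.

```javascript
// Added example: not code from @bugsnag/node or from this thread.
// Assumption: the report passed to beforeSend exposes errorMessage and
// stacktrace[] entries with file/method strings.

const BUFFER_DEPRECATION =
  'Buffer() is deprecated due to security and usability issues';
// Accept both path separators: the trace in the issue comes from Windows.
const SSHPK_PATH = /node_modules[\\/]sshpk[\\/]/;

// True only for the one known-noisy event: the Buffer() deprecation text AND
// evidence that it originated in sshpk. Everything else is left alone.
function isSshpkBufferDeprecation(report) {
  const message = String((report && report.errorMessage) || '');
  if (!message.includes(BUFFER_DEPRECATION)) return false;
  if (SSHPK_PATH.test(message)) return true; // stack text forwarded in the message
  const frames = Array.isArray(report.stacktrace) ? report.stacktrace : [];
  return frames.some((f) => SSHPK_PATH.test(`${f.file || ''} ${f.method || ''}`));
}

// Assumption: returning false from beforeSend drops the report.
function beforeSend(report) {
  return !isSshpkBufferDeprecation(report);
}

// Constructed sample reports, modelled on the trace quoted in the issue.
const fullMessage = 'DeprecationWarning: ' + BUFFER_DEPRECATION +
  '. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.';
const fromSshpk = {
  errorMessage: fullMessage,
  stacktrace: [
    { file: 'buffer.js', method: 'new Buffer' },
    { file: 'C:\\github\\slack-desktop\\dist\\main.bundle.js',
      method: 'Object../node_modules/sshpk/lib/algs.js' },
  ],
};
// Same warning raised by application code (hypothetical path): must be kept.
const fromAppCode = {
  errorMessage: fullMessage,
  stacktrace: [
    { file: 'buffer.js', method: 'new Buffer' },
    { file: 'C:\\app\\src\\upload.js', method: 'readChunk' },
  ],
};

console.log([fromSshpk, fromAppCode].map(beforeSend)); // [ false, true ]
```

Matching on both the message and the originating module keeps the suppression from hiding new uses of `Buffer()` elsewhere in the bundle.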

@bengourley
Contributor

In fact, the version ranges in package.json for each of the modules in the dependency chain allow this new version to be installed. If you purge your lockfile, or manually upgrade this dependency, your problem should go away.

@kwonoj
Author

kwonoj commented Dec 21, 2018

Purging the lockfile is something we'd like to avoid because we try to honor the lockfile's state. We have multiple dependencies that depend on a specific version of sshpk in devDep, so just trying to bump it up gets resolved and deduped into a single version of sshpk and it's not allowed to bump up to the latest. I'm a bit unsure about bumping unless we specify sshpk as our own dependency, which we would also like to avoid (as we are not a direct consumer).

~Probably unrelated note, is there any plan to replace request with some lightweight module? request and its dependency take around 100kb in our prod bundle, a non-trivial amount for an error reporter. Actually the whole @bugsnag/node is a non-trivial size already: ~

above is our prod bundle's @bugsnag/node size, while the whole app for those processes is about 1.3 mb - it's nearly 1/4 of our bundle.

☝️ I've spawned a separate issue #456 for the unrelated note.

@bengourley
Contributor

> we have multiple dependency have dep to sshpk for specific version in devDep

Ok, in which case I'm going to close off this issue because Bugsnag is not the module causing this problem.

You should be able to upgrade a single dependency without invalidating your entire lockfile.
