[RRFC] Structured data for deprecated packages about migration paths

[JamieMagee]

Motivation ("The Why")

Currently, deprecated packages show a short string with some information from the deprecated property. This often includes information about another package to migrate to, either due to a package rename or a fork. Unfortunately, this makes it hard or impossible to automate any sort of migration, in the same way that tools like Dependabot or Renovate can for version upgrades.

Allowing structured data in the deprecated property, with information about a replacement package or packages, would allow these tools to perform package migrations as well as package upgrades.

Example

Renovate currently has a manually curated list of these package migrations¹, and I am discussing whether or not this addition makes sense as part of the Open Source Vulnerability schema². I think there are definitely security applications for deprecated packages that have CVEs, it would also be useful for general package migrations.

How

Current Behaviour

The deprecated property in package.json currently only allows a string or boolean to show some information about what package to migrate to. For example:

  "deprecated": "No longer supported. Migrate to @example/package-name"

Desired Behaviour

Allowing for structured data in the deprecated property would allow for automation to perform migrations in users code. For example:

  "deprecated": {
    "description": "No longer supported. Migrate to @example/package-name",
    "migration": {
      "name": "@example/package-name",
      "version": "2.0.0"
    }
  }

References

• n/a

Footnotes

1. https://github.com/renovatebot/renovate/blob/main/lib/config/presets/internal/replacements.ts ↩

2. https://github.com/ossf/osv-schema/issues/230 ↩