ahmadnassri / node-glob-promise

Promise version of glob

Home Page:https://www.npmjs.com/package/glob-promise

Outdated dependency npm-install-peers

basmasking opened this issue · comments

In version 5.0.1 the package.json npm-install-peers has been added as a dependency. This dependency is last updated 2 years ago.

"dependencies": {
  "@types/glob": "^8.0.0",
  "npm-install-peers": "^1.2.2"
}

We've added the npm-glob-promise to our project, and since version 5.0.1 we get 10 vulnerabilities (1 low, 6 moderate, 3 high), which all trace back to npm-install-peers.

Version 5.0.0 doesn't have this dependency, and with that specific version we don't get any vulnerabilities.

Could the dependency get removed?
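The report above says the audit findings "all trace back to npm-install-peers". The following is an added example, not code from this issue or from the glob-promise project, showing how to do that tracing offline against a package-lock.json (lockfileVersion 2/3 `packages` map): it walks declared dependencies from the root and returns every chain that reaches a given package. The lockfile below is constructed for illustration and models the situation described in the thread (glob-promise@5.0.1 -> npm-install-peers -> an old npm); the exact nested versions are assumptions, not taken from a real install.

```javascript
'use strict';

// Constructed sample lockfile (lockfileVersion 2 "packages" map), not a real
// install. It models the chain discussed in the issue; versions are illustrative.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app', dependencies: { 'glob-promise': '^5.0.0', lodash: '^4.17.21' } },
    'node_modules/glob-promise': {
      version: '5.0.1',
      dependencies: { '@types/glob': '^8.0.0', 'npm-install-peers': '^1.2.2' },
    },
    'node_modules/@types/glob': { version: '8.0.0' },
    'node_modules/npm-install-peers': { version: '1.2.2', dependencies: { npm: '<7' } },
    'node_modules/npm': { version: '4.6.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Resolve a dependency name the way Node does from a given lockfile path:
// nearest nested node_modules first, then walk up towards the hoisted copy.
function resolvePath(pkgs, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (pkgs[candidate]) return candidate;
    if (base === '') return null;
    const j = base.lastIndexOf('/node_modules/');
    base = j === -1 ? '' : base.slice(0, j);
  }
}

// Return every dependency chain (array of package names, root deps first)
// that reaches `target`. Cycles are cut with the `seen` set.
function dependencyChains(lock, target) {
  const pkgs = lock.packages;
  const chains = [];
  function walk(path, trail, seen) {
    const entry = pkgs[path];
    if (!entry || !entry.dependencies) return;
    for (const dep of Object.keys(entry.dependencies)) {
      const depPath = resolvePath(pkgs, path, dep);
      if (!depPath || seen.has(depPath)) continue;
      const next = [...trail, dep];
      if (dep === target) chains.push(next);
      walk(depPath, next, new Set([...seen, depPath]));
    }
  }
  walk('', [], new Set(['']));
  return chains;
}

// Version of the copy that a resolution from the root would pick up.
function installedVersion(lock, name) {
  const p = resolvePath(lock.packages, '', name);
  return p ? lock.packages[p].version : null;
}

// Stand-alone usage: which top-level dependency drags in the old npm?
for (const chain of dependencyChains(sampleLock, 'npm')) {
  console.log(chain.join(' -> '), '=> npm@' + installedVersion(sampleLock, 'npm'));
}
```

Against a real tree, `npm ls <name>` or `npm explain <name>` (npm 7+) gives the same answer from the CLI; the script is useful when you only have the lockfile, for example from a CI artifact, and want the chain without reinstalling.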

That npm-install-peers dependency causes issues with npm workspaces (causing infinite loops when running workspace scripts) and package-lock.json files (creating lock files with version 1 instead of 2). It's almost as if it forces npm to revert to a really old version somehow.

npm-install-peers has a prerequisite of npm < 7. When I removed that, npm threw an error saying that some functionality has been removed in npm v8.

Because of the npm requirements, npm will install npm v4. That contains all the vulnerabilities.

I don't know anything about the workspaces, but maybe there is another way to get them to work.

Wow I didn't know that npm would install other versions of itself like that. TIL, thanks!

I added that dependency to address node v14 / npm 6 where peer dependencies are not automatically installed ...

I think the easiest path forward is to declare node v14 no longer supported ...

released v6.0.0 that declares node v14 no longer supported

Thanks for the quick fix!

Hi @ahmadnassri. First of all, thank you for maintaining this project.

It's an excellent solution to declare that v14 is no longer supported in v6.0.0. However, my understanding is that 5.0.1 should not impose node 16, as this would be a breaking change that requires a major upgrade (not a patch one).

I work on a private project that has a dependency using this library:
A -> B -> C - where:

  • A: is the project I work on;
  • B: is a direct dependency of ours (which we have no control over);
  • C: is glob-promise.

A still relies on node 14. We have plans to upgrade it, but it'll require significant changes in our infrastructure, so it'll still take time for us to accomplish that.

I can see glob-promise@^5.0.0 in B's dependencies. Since 5.0.1 was released, this dependency is automatically resolved to 5.0.1, which breaks our build.

As a temporary solution, I'm relying on yarn resolutions to force B to use 5.0.0. Here are a couple of reasons why this isn't an ideal scenario:

  • It could make B behave unexpectedly;
  • We won't benefit from future updates to this library.

Besides, Node 14 EOL is not yet here (Apr 30).

With that in mind, could you remove Node 16 as a requirement for version 5.x.x? At least while Node 14 is still officially maintained?

P.S.: Let me know if you want me to open an issue for this.

Thank you for your support!