Remove uncss?

Question

Remove uncss?

devongovett opened this issue 3 years ago · comments

It seems pretty much unmaintained, and purgecss is already supported as an alternative. Currently, the dependency on uncss causes a bunch of deprecated packages to be installed via a very old JSDOM dependency, including request, request-promise-native, and har-validator. These show up during an npm install of htmlnano or any other tool using htmlnano (like Parcel).

Kirill Maltsev · Answer 1 · Mon Oct 11 2021 14:41:44 GMT+0800 (China Standard Time)

@NovaAtWarren maintains a fork of uncss with updated dependencies (#152). Also, some people, I guess, might still use it. Maybe instead of removing we could move it to optionalDependencies? So it won't be installed by default, but if someone wants to use it, they can install it.

Chris Wilkinson · Answer 2 · Fri Oct 22 2021 16:13:24 GMT+0800 (China Standard Time)

Just had a quick look at what's needed. I see that uncss is currently the default tool so would be a breaking change. I'm surprised at that patch file too: I've not tried it, but surely that doesn't work?

Would it make sense to remove uncss entirely and release a new major version?

Kirill Maltsev · Answer 3 · Mon Oct 25 2021 03:24:06 GMT+0800 (China Standard Time)

I've not tried it, but surely that doesn't work?

I guess it works.

Would it make sense to remove uncss entirely and release a new major version?

I don't think we should remove it entirely. Some people are still using it. Instead, I'd suggest switching to PurgeCSS as a default option and let people install uncss as an optional dependency and use it as well. What do you think?

Sukka · Answer 4 · Sun Nov 21 2021 14:47:57 GMT+0800 (China Standard Time)

@maltsev

What about making them peer dependencies? Anyone who wants to use will have to install it by him/herself.

Also cc @thewilkybarkid

Kirill Maltsev · Answer 5 · Sun Nov 21 2021 20:54:40 GMT+0800 (China Standard Time)

What about making them peer dependencies? Anyone who wants to use will have to install it by him/herself.

Yes, that's a great idea! I'm not 100% sure it'd work seamlessly though. It'd be awesome if someone could create a PR with that :-)

Kirill Maltsev · Answer 6 · Mon Nov 22 2021 03:25:18 GMT+0800 (China Standard Time)

Fixed in #168.

Devon Govett · Answer 7 · Wed Jan 12 2022 07:32:23 GMT+0800 (China Standard Time)

This is now causing a security issue for all downstream dependencies of htmlnano due to an old version of postcss. See GHSA-566m-qj78-rww5. Any chance this could be released?

Kirill Maltsev · Answer 8 · Wed Jan 12 2022 18:59:40 GMT+0800 (China Standard Time)

Any chance this could be released?

Sure. I'll do it this evening.

Kirill Maltsev · Answer 9 · Wed Jan 12 2022 22:49:24 GMT+0800 (China Standard Time)

Done: https://www.npmjs.com/package/htmlnano/v/2.0.0

folk · Answer 10 · Sat Jan 15 2022 04:59:46 GMT+0800 (China Standard Time)

But uncss is still used in lib/modules/removeUnusedCss.es6? What is it I don't understand?
It's also listed in package.json and my build system is still complaining about uncss 0.17.3 depending on old, unmaintainted, unsupported, and explicitly deprecated package versions.

EDIT: Nevermind, I see how it works now. Thank you.