Update package.json dependencies for new projects

[nenadvicentic]

Currently, after running npx makes aurelia/v1, selecting choices for a new project and running npm install, we immediatelly get warnings about outdates and deprecated npm packages:

√ Please name this new project: » au1-ts-scss-alameda
√ Would you like to use the default setup or customize your choices? » Custom Project
√ App or Plugin? » App
√ Which bundler would you like to use? » CLI's built-in bundler with an AMD module loader
√ Which AMD module loader would you like to use? » Alameda
√ What platform are you targeting? » Web
√ What transpiler would you like to use? » TypeScript
√ How would you like to setup your HTML template? » Minified with htmlmin
√ What css preprocessor would you like to use? » Sass
√ Do you want to add PostCSS processing » Yes
√ Which unit test runner would you like to use? » None
√ Would you like to configure e2e integration testing? » None
√ What is your default code editor? » Visual Studio Code
√ Which features do you want to scaffold into your project? » Minimum
√ Would you like to add a Dockerfile? » No
[makes] Project au1-ts-scss-anaconda has been created.
√ Do you want to install npm dependencies now? » Yes, use npm
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated q@1.5.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.

Would it be possible to update npm dependencies, perhaps also using gulp@5 for aureli-cli projects?

[3cp]

I will try upgrade all deps.
Gulp v5 is dangerous. Lots of gulp plugins do not play well with it. Last time we tried, gulp-typescript did not work.

[3cp]

Other deps were upgraded. Next, I will upgrade eslint to v9. Then try gulp v5 again.

[3cp]

eslint is upgraded to v9.
I will skip gulp v5, as I can see there are still many unfixed v5 issues in the gulp repo.

[nenadvicentic]

@3cp Thank you for the quick reaction.

I tried to create a new local project. The project itself and it's own package.json are really nice now! Much better.

However, I am still getting similar warnings:

√ Do you want to install npm dependencies now? » Yes, use npm
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)

added 874 packages, and audited 875 packages in 22s

I am also getting a warning during au build (it was there also when I initially wrote the ticket):

Finished 'processCSS'
(node:37956) [DEP0180] DeprecationWarning: fs.Stats constructor is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)
Finished 'processMarkup'

Looking into more details, the packages that give warning are not even listed in the project itself. And judging by @babel/plugin-proposal-class-properties warning, it seems like this packages are part of aurelia-cli dependencies.

I guess that aurelia-cli is more complex project compered. Is there any chance that this project gets updated too at some point?

[3cp]

That's not right. I will check and fix. Thanks for details!

[3cp]

aurelia/cli#1210

[3cp]

cli v3.0.4 is out.

[nenadvicentic]

Hi @3cp,

I have just tested creating a new project with cli v3.0.4 (using npx makes aurelia/v1 command).

Babel warning is gone (due to the new Aurelia CLI version). But there are still few other dependency warnings remaining.

Just to recap, 4 warnings have been resolved:

• @babel/plugin-proposal-class-properties
• @humanwhocodes/config-array
• @humanwhocodes/object-schema
• eslint

And bellow is current report, after npm install has been run (4 packages + 2 warnings not showing any particular package):

√ Do you want to install npm dependencies now? » Yes, use npm
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)

added 906 packages, and audited 907 packages in 25s

107 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (5 moderate, 2 high)

[3cp]

Some are not from cli, some can be fixed in aurelia/v1 skeleton itself. Few can be fixed by removing "del" package (nodejs rm({recusive:true}) can replace it). Some other outdated deps are harder to remove. I will clean up some when I can.
Unfortunately with troublesome gulp v5, we have to stay with gulp v4. That's a big deps tree.

[3cp]

Merged as much cleanup as I could.

[nenadvicentic]

Hi @3cp,

Thank you for the additional effort! I wasn't expecting you are going do a further cleanup. Just wanted to document the status.

With the latest version, in my configuration (ts, scss, alameda) rifraf warning has also dissapeared. I see you also cleaned up Webpack plugins. This is huge improvement compared to the state when I originally wrote this ticket!

So just to document current status, if anyone decides to dig futher into dependencies:

√ Do you want to install npm dependencies now? » Yes, use npm
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)

[3cp]

If you want to dig deeper, use npm ls (like npm ls q) to find out which dep requires those troublesome lib.

Some deps are hard to be removed or be replaced.

[nenadvicentic]

Thank you @3cp! I am going to give it a shot.

Did not know about npm ls command, so I've been looking into the package-lock.json.

It seems that npm ls glob gives me only one branch of the dependency tree (no command switch helped):

>npm ls glob
[email protected]
+-- [email protected]
| `-- [email protected]
|   `-- [email protected] overridden
|     `-- [email protected] deduped
`-- [email protected]
  `-- [email protected]
    `-- [email protected]

While, when inspecting package-lock.json manually, I also found:

[email protected] -> [email protected] -> [email protected] -> [email protected]

However, npm explain glob gives lists multiple dependency trees and overrides for glob

npm explain glob
[email protected] dev
node_modules/glob
  glob@"^7.2.0" from [email protected]
  node_modules/glob-stream
    overridden glob-stream@"^7.0.0" (was "^8.0.0") from [email protected]
    node_modules/gulp-eslint-new/node_modules/vinyl-fs
      vinyl-fs@"^4.0.0" from [email protected]
      node_modules/gulp-eslint-new
        dev gulp-eslint-new@"^2.4.0" from the root project
    overridden glob-stream@"^7.0.0" (was "^6.1.0") from [email protected]
    node_modules/vinyl-fs
      vinyl-fs@"^3.0.0" from [email protected]
      node_modules/gulp
        dev gulp@"^4.0.2" from the root project
        gulp@">=4.0.2" from [email protected]
        node_modules/aurelia-cli
          dev aurelia-cli@"^3.0.4" from the root project
      vinyl-fs@"^3.0.3" from [email protected]
      node_modules/gulp-typescript
        dev gulp-typescript@"^6.0.0-alpha.1" from the root project
  glob@"^7.1.6" from [email protected]
  node_modules/node-sass-magic-importer
    node-sass-magic-importer@"^5.3.3" from [email protected]
    node_modules/node-sass-package-importer
      dev node-sass-package-importer@"^5.3.3" from the root project

In any case, I will take a deeper look into the dependencies. Thanks a lot again!