80% of deprecations in console are due to react-scripts #9431

Closed
genefedorchenko opened this issue Aug 6, 2020 · 30 comments

@genefedorchenko

Describe the bug

npm i react-scripts@3.3.1
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

Did you try recovering your dependencies?

Yes

Which terms did you search for in User Guide?

deprecated

Environment

$ npx create-react-app --info
npx: установлен 98 в 18.49s

Environment Info:

current version of create-react-app: 3.4.1
running from C:\Users\User\AppData\Roaming\npm-cache_npx\17536\node_modules\create-react-app

System:
OS: Windows 10 10.0.18363
CPU: (8) x64 Intel(R) Core(TM) i7-4700HQ CPU @ 2.40GHz
Binaries:
Node: 14.4.0 - C:\nodejs\node.EXE
Yarn: Not Found
npm: 6.14.5 - C:\nodejs\npm.CMD
Browsers:
Edge: 44.18362.449.0
Internet Explorer: 11.0.18362.1
npmPackages:
react: Not Found
react-dom: Not Found
react-scripts: ^3.3.1 => 3.3.1
npmGlobalPackages:
create-react-app: Not Found

Steps to reproduce

  1. run npm i react-scripts@3.3.1
  2. enjoy the deprecation messages
    npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
    npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
    npm WARN deprecated request@2.88.2: request has been deprecated, see Request’s Past, Present and Future request/request#3142
    npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see Request’s Past, Present and Future request/request#3142
    npm WARN deprecated har-validator@5.1.5: this library is no longer supported
    npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

Expected behavior

No deprecation messages

Actual behavior

npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

Reproducible demo

(Paste the link to an example project and exact instructions to reproduce the issue.)

@eddiemonge
Contributor

this will be fixed in the next release. To test it out https://gist.github.com/iansu/282dbe3d722bd7231fa3224c0f403fa1

@doc-duncan

doc-duncan commented Aug 13, 2020

Hello! I have the same issue with deprecated dependencies and unfortunately switching to the new version did not correct the problem for me.

I changed my package.json reference "react-scripts": "next" and installed the new version.

I still received the following deprecation warnings:

npm WARN deprecated @hapi/joi@15.1.1: joi is leaving the @hapi organization and moving back to 'joi' (https://github.com/sideway/joi/issues/2411)
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated @hapi/address@2.1.4: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

I ran npm ls <dependency-name@ver> on each of these dependencies and each traced back to react-scripts:

`-- react-scripts@4.0.0-next.77
  `-- workbox-webpack-plugin@5.1.3
    `-- workbox-build@5.1.3
      `-- strip-comments@1.0.2
        `-- babel-plugin-transform-object-rest-spread@6.26.0
          `-- babel-runtime@6.26.0
            `-- core-js@2.6.11

`-- react-scripts@4.0.0-next.77
  `-- jest@26.1.0
    `-- @jest/core@26.4.0
      `-- jest-config@26.4.0
        `-- jest-environment-jsdom@26.3.0
          `-- jsdom@16.4.0
            `-- request@2.88.2

`-- react-scripts@4.0.0-next.77
  `-- jest@26.1.0
    `-- @jest/core@26.4.0
      `-- jest-config@26.4.0
        `-- jest-environment-jsdom@26.3.0
          `-- jsdom@16.4.0
            `-- request-promise-native@1.0.9

`-- react-scripts@4.0.0-next.77
  `-- workbox-webpack-plugin@5.1.3
    `-- workbox-build@5.1.3
      `-- @hapi/joi@15.1.1

...

I'm sure I must be missing something on my end, I apologize for the trouble. Thanks so much!
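The per-package `npm ls` tracing described in the comment above can be done for all warnings at once. This is an added example, not code from the thread or from Create React App; it assumes the `npm ls --json` tree shape, and the sample data, the shortened chains and the `some-lib` package are constructed for illustration.

```javascript
// Constructed install output, in the format quoted in this thread.
const NPM_OUTPUT = `
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
`;

// Constructed tree in the shape of `npm ls --json`; chains are shortened
// versions of the ones above, and "some-lib" is a hypothetical package.
const TREE = {
  dependencies: {
    "react-scripts": { version: "4.0.0-next.77", dependencies: {
      jest: { version: "26.1.0", dependencies: {
        jsdom: { version: "16.4.0", dependencies: {
          request: { version: "2.88.2" } } } } },
      "workbox-build": { version: "5.1.3", dependencies: {
        "core-js": { version: "2.6.11" } } } } },
    "some-lib": { version: "1.0.0", dependencies: {
      "left-pad": { version: "1.3.0" } } },
  },
};

// Extract package@version from each "npm WARN deprecated" line (scoped names too).
function parseDeprecations(text) {
  const re = /^npm WARN deprecated ((?:@[^/\s]+\/)?[^@\s]+@[^:\s]+): /gm;
  return [...new Set([...text.matchAll(re)].map((m) => m[1]))];
}

// Depth-first search: every path from a direct dependency down to `target`.
function findChains(node, target, path = []) {
  const chains = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (here[here.length - 1] === target) chains.push(here);
    chains.push(...findChains(dep, target, here));
  }
  return chains;
}

// Group deprecated packages under the direct dependency that pulls them in.
function attribute(text, tree) {
  const byRoot = {};
  for (const id of parseDeprecations(text)) {
    const chains = findChains(tree, id);
    const roots = chains.length ? new Set(chains.map((c) => c[0])) : ["(not in tree)"];
    for (const root of roots) (byRoot[root] = byRoot[root] || []).push(id);
  }
  return byRoot;
}
```

The keys of the returned object show which direct dependency each warning should be reported against, and `findChains` gives the full path to cite in an upstream issue.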

@ankon

ankon commented Aug 21, 2020

Is there anything we can do to help? Having this many deprecation warnings scares me a bit to be honest.

@stale

stale bot commented Sep 20, 2020

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Sep 20, 2020
@ankon

ankon commented Sep 21, 2020

Indeed, there's not much activity -- but the issue still persists.

@stale stale bot removed the stale label Sep 21, 2020
@seamuslowry

Yeah, I'm seeing the same thing on 'next'

@Pomax

Pomax commented Oct 12, 2020

@gaearon any idea who currently "owns" this repo? It'd be good to get the deps updated and pushed as patch release, even if no code changes get pushed.

@gaearon
Contributor

gaearon commented Oct 12, 2020

All of these would eventually resolve themselves as underlying packages are updated. I don't see an action item here. The messages showing up are unfortunate but there is no actual way it would impact your app or environment as far as I can tell.

@Pomax

Pomax commented Oct 12, 2020

While true, create-react-app is so ubiquitous that someone like you asking the folks who run the projects that create-react-app depends on to bump their versions to no longer yield deprecation errors would absolutely have a stronger effect than anyone else asking them to update ever could. Not having new users to react get a full screen of deprecation warnings when they follow the official "let's set up your first react application" steps sounds pretty worth it =)

@gaearon
Contributor

gaearon commented Oct 12, 2020

I fully agree with you it's nice to have (and we actually worked with underlying packages in the past to get issues like this fixed) but I don't think this is a priority right now when there are bigger issues (such as to get 4.0 out).

@doc-duncan

doc-duncan commented Oct 12, 2020

To provide some tracking of each warning for myself and others:

  1. The request-promise-native and request warnings are coming from jsdom and the fix remains open: Replace request with something better jsdom/jsdom#2792
  2. har-validator warning is coming from request and will remain an issue until jsdom replaces it
  3. The @hapi/joi warnings are coming from workbox, which appears to be sticking with @hapi/joi to maintain support for node v10.x: Migrate from deprecated @hapi/joi to joi GoogleChrome/workbox#2609
  4. All other warnings starting with @hapi are dependencies of @hapi/joi and will therefore remain until workbox upgrades to joi
  5. One that may be in react-scripts control is the left-pad warning which was to be fixed in jest 25, which I believe was fixed in this pr: chore: bump most dated deps jestjs/jest#8850
  6. core-js warning coming from babel-runtime because of strip-comments (referenced here as well) but this issue/pr should remediate that warning

@ankon

ankon commented Oct 12, 2020

Thanks -- the tracking/explanations definitely help.

However, I fear having these deprecations produce warnings that are now "ok" will lead to some form of "warning fatigue", and so one might end up ignoring all of them because "probably that's just react-scripts anyways" (as unfair as that might sound, given above explanation that react-scripts isn't really the evil guy here).

I suspect there's not much that can be done here though, and the problem might be more in the way these deprecations get aggregated upwards by npm.

Maybe react-scripts could log something to point to a place that has these explanations?
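One way to counter the warning fatigue raised above is to keep a reviewed baseline of accepted deprecations and surface only what is new. This is an added example, not part of the thread or of react-scripts; the baseline layout, the install log and the security-keyword heuristic are assumptions made for illustration, with tracker references taken from the tracking list earlier in the thread.

```javascript
// Hypothetical reviewed baseline: accepted package@version -> upstream tracker.
const BASELINE = {
  "request@2.88.2": "jsdom/jsdom#2792",
  "request-promise-native@1.0.9": "jsdom/jsdom#2792",
  "@hapi/joi@15.1.1": "GoogleChrome/workbox#2609",
};

// Constructed install log in the format quoted in this thread.
const INSTALL_LOG = [
  "npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142",
  "npm WARN deprecated @hapi/joi@15.1.1: joi is leaving the @hapi organization",
  "npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.",
  "npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142",
  "added 1623 packages in 42s",
].join("\n");

const WARN_RE = /^npm WARN deprecated ((?:@[^/\s]+\/)?[^@\s]+@[^:\s]+): (.*)$/gm;

function triage(log, baseline) {
  const seen = new Map(); // package@version -> reason, duplicates collapsed
  for (const [, id, reason] of log.matchAll(WARN_RE)) seen.set(id, reason);

  const fresh = [];
  const accepted = [];
  for (const [id, reason] of seen) {
    // Exact version match: a bump of an accepted package is reviewed again.
    if (Object.prototype.hasOwnProperty.call(baseline, id)) {
      accepted.push({ id, tracker: baseline[id] });
    } else {
      // Assumed heuristic: flag wording that hints at a security problem.
      fresh.push({ id, reason, security: /insecur|vulnerab/i.test(reason) });
    }
  }
  // Security-worded warnings sort first so they are not buried.
  fresh.sort((a, b) => Number(b.security) - Number(a.security));
  // Baseline entries that no longer appear can be pruned from the file.
  const resolved = Object.keys(baseline).filter((id) => !seen.has(id));
  return { fresh, accepted, resolved, exitCode: fresh.length ? 1 : 0 };
}
```

A CI step can fail on a non-zero `exitCode`, so a new deprecation gets looked at once and is then either fixed or recorded in the baseline with its tracker.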

@genefedorchenko
Author

Accuracy and elegance of React can be reduced to nothing with such littering tools like react-scripts. If perfectionists would leave React, where they would go?
Eject and Tree-shake on you!!! :)

@stale

stale bot commented Dec 25, 2020

This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in 5 days if no further activity occurs.

@stale stale bot added the stale label Dec 25, 2020
@cseas

cseas commented Dec 25, 2020

Not stale, I believe this is just not priority right now

@stale stale bot removed the stale label Dec 25, 2020
@digimbyte

following Ionic react with the gallery example leads to this, causes hang on core-js@2.6.12
https://ionicframework.com/docs/react/your-first-app

@Pomax

Pomax commented Dec 29, 2020

Deprecation warnings don't cause things to hang, they are versioning notices during install. Please file a new issue instead if you're certain it's caused by create-react-app, but it's almost certainly something you'll want to start on the ionic-framework repo for: https://github.com/ionic-team/ionic-framework/issues

@Martinsos

Martinsos commented Feb 9, 2021

In our case, we are using CRA underneath our language/framework, and these deprecation messages are prominent in the logs, some of them looking really scary, e.g.:

deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated core-js@2.6.12: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

I understand from above that these messages are coming from the packages CRA uses and therefore you can't fix them directly, but I am wondering what is the general strategy for avoiding getting into situations like this? Is it really applying pressure to the mentioned packages as somebody above mentioned? Or fixing problems ourselves? I would be happy to try and take on one or two of these problems if they are of reasonable scope, if some guidance would be provided -> maybe issue could be created for each problem and progress could be tracked there?

At the moment of writing, I found following packages that are used in CRA (at some level) to produce deprecation messages:

- rollup-plugin-backend
- fsevents
- request-promise-native
- request
- core-js
- har-validator
- sass-loader
- tsutils

@dohnuts

dohnuts commented May 6, 2021

> this will be fixed in the next release. To test it out https://gist.github.com/iansu/282dbe3d722bd7231fa3224c0f403fa1

Using react "react-scripts": "4.0.3" , and still massive amount of deprecation warning.

@arkapratimsarkar

arkapratimsarkar commented May 6, 2021

> > this will be fixed in the next release. To test it out https://gist.github.com/iansu/282dbe3d722bd7231fa3224c0f403fa1
>
> Using react "react-scripts": "4.0.3" , and still massive amount of deprecation warning.

same for me too. here - #10927

@archit-p

I'm on "react-scripts": "latest", and getting the following deprecation warnings:

image

@genefedorchenko
Author

> I'm on "react-scripts": "latest", and getting the following deprecation warnings:
>
> image

There is nothing more stable than react-scripts deprecation...

@arkapratimsarkar

> > I'm on "react-scripts": "latest", and getting the following deprecation warnings:
> > image
>
> There is nothing more stable than react-scripts deprecation...

Amen to that 👍

@arctic-apricity

arctic-apricity commented May 28, 2021

image
no other package I'm using even has a single warning 🙄

@iansu
Contributor

iansu commented Jun 2, 2021

These are not direct dependencies of Create React App so we don't have direct control over the versions. We always update all our dependencies with each new release so eventually these should go away.

@snwfdhmp

I'm having two security vulnerabilities due to react-scripts not being updated for 6 months. What is going on ? Is this project dead ?

@cseas

cseas commented Aug 31, 2021

It's not dead but create-react-app has always been a community maintained initiative aimed at making it easy for beginners to get started. If security vulnerabilities or a robust production-ready setup are a concern then you might be better off setting up your own webpack config or using a framework that's built for production use like Next.js.

The React docs really don't do a great job at making it clear that create-react-app doesn't guarantee anything if you decide to use it in production. It's under the facebook org, but is completely maintained by community volunteers.

@snwfdhmp

@cseas Thanks for the explanation.

How can I contribute to update these packages ? Besides contributing guidelines, how can I make sure that updating one dependency won't break anything for the thousands of users of create-react-app ?

@cseas

cseas commented Aug 31, 2021

I'm not sure.
gaearon, @iansu
How can the community help to clean up some of these deprecations?

@astik

astik commented Aug 31, 2021

No need to call for Gaearon, he already made his point very clear on his blog: https://overreacted.io/npm-audit-broken-by-design/.
Still, if you find, and i quote, "a real vulnerability that can affect the project", feel free to open a new issue.
