 

npm install and deprecated warnings

Tags:

node.js

npm

I've started to use npm recently and sometimes during installations some warnings pop up.

For example, running

 npm install gulp-chimp --save-dev

yields the following warnings:

 npm WARN deprecated [email protected]: to-iso-string has been deprecated, use @segment/to-iso-string instead.
 npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
 npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
 npm WARN deprecated [email protected]: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130

My question is not specific to gulp-chimp but to npm in general. Should I try to update these packages or not? I understand it's the developer's call to use the updated package or not and I feel like I may break something by trying to update the packages myself but I'm also anxious about letting vulnerabilities be.

Bernardo Ferreira Bastos Braga asked Sep 12 '25 16:09

1 Answer

To ensure that updating the dependencies doesn't break anything, version control is a must. Often you can update the deprecated dependencies without much trouble, but there are definitely times where doing so will cause breakage in the package using it.

What I don't recommend doing is ignoring the deprecation errors. While it's true that the package maintainer needs to update it on their end, the problem is still very much yours. Many of these outdated packages have known security vulnerabilities that are now going to be impacting your application.

To get a solid picture of which dependencies are outdated, run something like:

npm outdated --depth=3

It defaults to a depth of 0 which will only check top-level dependencies, so increasing the depth level to some extent (3 is just an example) will reveal many more dependencies that are out of date.

The more important thing, as you already noted, is finding out which of these dependencies may have known vulnerabilities. You can test for these vulnerabilities using a tool like Snyk, which checks your dependencies against an open-source database of vulnerabilities. Snyk will let you patch your vulnerabilities (using either a CLI or automated GitHub pull requests) without upgrading, in the case that those upgrades break your code.

Full disclosure: I work at Snyk. :) That being said, this is exactly the problem it's meant to help with.

Tim Kadlec answered Sep 14 '25 05:09