Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Missing deprecation information for the package in npm #579

Closed
1 task done
Tracked by #581
kenkku opened this issue Jun 27, 2023 · 13 comments
Closed
1 task done
Tracked by #581

[BUG] Missing deprecation information for the package in npm #579

kenkku opened this issue Jun 27, 2023 · 13 comments
Labels
Bug thing that needs fixing Needs Triage needs an initial review

Comments

@kenkku
Copy link

kenkku commented Jun 27, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Based on this comment, you are not supporting any other major version than 7. Please mark all versions prior to 7 as deprecated in the NPM registry, this will increase users' awareness that they are using unsupported software. Based on NPM download statistics, major version 7 only accounts for less than half of downloads in the last seven days. If you are only supporting v7, that's a major issue that needs to be honestly communicated to the users who download deprecated versions 150M+ times every week.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

@kenkku kenkku added Bug thing that needs fixing Needs Triage needs an initial review labels Jun 27, 2023
@ljharb
Copy link
Contributor

ljharb commented Jun 27, 2023

Deprecation isn’t the same thing as unsupported.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

Deprecation isn’t the same thing as unsupported.

Thank you for the comment. English is not my first language, so perhaps I'm missing a nuance here. What do you want to communicate with this comment, though? Even if it's not the same thing, do you think that NPM depreciations would be an unsuitable way to communicate lack of support? I don't appreciate useless nitpicking, only useful nitpicking.

Edit:
I would also like to point you to the documentation for npm-deprecate, which uses a message about an unsupported version as one of the examples. So I would say that NPM deprecation warnings are an appropriate tool for this use.

@ljharb
Copy link
Contributor

ljharb commented Jun 27, 2023

Deprecation means you actively shouldn’t use a version. Being unsupported doesn’t inherently mean you shouldn’t use that version - it just means if a problem arises you won’t be guaranteed a fix.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

Deprecation means you actively shouldn’t use a version. Being unsupported doesn’t inherently mean you shouldn’t use that version - it just means if a problem arises you won’t be guaranteed a fix.

Thanks for the explanation. In any case, I propose using the npm-deprecate tool to inform users of unsupported versions (<7). Since that's obviously one of the things it was meant for. Satisfied?

@ljharb
Copy link
Contributor

ljharb commented Jun 27, 2023

Like 40 million people still have semver 6 in their dep trees; that’s a lot of noise that isn’t particularly valuable, especially when the only “problem” is a CVE that in practice never is actually a vulnerability.

That deprecation can be used to convey something is unsupported doesn’t mean it’s a good use of it.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

Like 40 million people still have semver 6 in their dep trees; that’s a lot of noise that isn’t particularly valuable, especially when the only “problem” is a CVE that in practice never is actually a vulnerability.

That deprecation can be used to convey something is unsupported doesn’t mean it’s a good use of it.

So you don't feel that being informed about unsupported software in your supply chain is valuable - we'll agree to disagree.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

To be clear, I would prefer that Npm/Github/Microsoft kept supporting v5 and V6, but if that's not happening, I would rather have people be aware of this. Hiding problems because they feel unfixable is bad.

@ljharb
Copy link
Contributor

ljharb commented Jun 27, 2023

I didn't say that, but since deprecation doesn't programmatically convey "supported" or not, and since virtually no packages use deprecation in this way, that's not a good way to signal that.

Being unsupported is not inherently a problem.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

Being unsupported is not inherently a problem.

Yes it is.

@kenkku
Copy link
Author

kenkku commented Jun 27, 2023

Anyway, you have made several valid points @ljharb, thank you for that. Let's hear what the maintainer has to say about this.

@Gornator Gornator mentioned this issue Jul 2, 2023
1 task
@lukekarrys
Copy link
Contributor

To address the original point made here, we will be releasing fixes for the latest CVE in v5 (ref: #585) and v6 (ref: #591).

As for whether to deprecate old versions, there are many many old major versions or our libraries that we do not support, but I don't think npm-deprecate is the right tool for that. Previously, I created an issue in our statusboard for how we might define our support for our open source projects: npm/statusboard#613 and I'll add to it a note about specifying support for old versions. My current thinking is that we'll create a SUPPORT.md document in each repo detailing the level of support the latest version gets, as well as any older versions.

I'm going to close this specific issue now, but further thoughts are welcome in the issue I linked above.

@ljharb
Copy link
Contributor

ljharb commented Jul 8, 2023

@lukekarrys you may want to adopt the node package maintenance working group's process: https://github.com/pkgjs/support (you can check an example of it in use here: inspect-js/object-inspect@ca20ba3 and inspect-js/object-inspect@e2618d2 )

@kenkku
Copy link
Author

kenkku commented Jul 24, 2023

It's great that the issue got resolved by backporting the fix to previous versions and also good to hear that you are taking action to communicate the level of support for the package. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Needs Triage needs an initial review
Projects
None yet
Development

No branches or pull requests

3 participants