So many warnings with `yarn install`

Hi,

sorry if that’s a n00b question, but coming from the Java world, it irritates me that running yarn install (which to me seems to be something like mvn dependency-plugin:copy-dependencies?) complains about so many outdated packages, such as

```text
warning lerna > conventional-changelog-cli > tempfile > uuid@2.0.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See (link) for details.
warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > browser-app > @theia/filesystem > trash > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See (link) for details.
warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > hello-world > @theia/core > @theia/application-package > request > har-validator@5.1.5: this library is no longer supported
warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > browser-app > @theia/cli > @theia/application-manager > electron-rebuild > node-gyp > request@2.88.2: request has been deprecated, see (link)
```
etc. etc.

To me it reads a lot like “don’t use this, upgrade that, using this is dangerous/unsupported/…”, so I am wondering: Is this normal for JavaScript/TypeScript/node projects in general? Does everyone just ignore these? Are they less dangerous than they sound? Or is it so much effort to upgrade to newer versions or recommended libraries? (I have seen a different nodejs project at one of my customers and it was the same there, so it seems not to be limited to Theia, but I was still wondering…)

Thanks for any insights :slight_smile:
Stefan

Our application is built with Theia, and it lives in a monorepo whose structure was initially copied from the Theia main monorepo. Installing with Yarn was becoming a real pain point for our users, and at the end of last year we decided to move to PNPM.

The migration from Yarn + Lerna to PNPM was surprisingly easy to do, and it’s been such an improvement for our development team working with Theia. For us, PNPM installs all of our packages’ dependencies, including Theia, at least 3 times faster on a local machine, and 5 times faster on CI.

Coming back to your question here, there are so many warnings spat out by Yarn that none of them are actionable. PNPM gives us far fewer warnings, and they are actionable because PNPM points you to the exact location of the dependency that needs to be fixed.

If you’d like to explore that option, I’d recommend you read this: https://www.raulmelo.dev/blog/replacing-lerna-and-yarn-with-pnpm-workspaces

For one, the first warning comes from your own setup:

```text
warning lerna > conventional-changelog-cli > tempfile > uuid@2.0.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See (link) for details.
```

None of the core packages transitively depend on conventional-changelog-cli.

This example alone should illustrate some of the pain with those warnings: You depend on some package (e.g. conventional-changelog-cli) and somewhere in its dependency tree someone depends on a bogus package range. How do you go and update those nested packages? You only have control over your direct dependencies.

Maybe some of those warnings could be fixed in the core packages by simply upgrading our direct dependencies, but it doesn’t always work for the reason I mentioned above.

In the meantime, you can specify Yarn resolutions.

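As an added example (not code from the thread, from Theia, or from Yarn), here is a small Node script that parses Yarn deprecation warnings of the shape quoted above, groups the deprecated packages by the direct dependency that pulls them in, and turns the messages that state a minimum version into a `resolutions` object you can paste into the workspace root package.json. The warning format, the handling of the synthetic `workspace-aggregator-…` prefix, and the function names are assumptions taken from the four lines in the question, not from Yarn’s source.

```javascript
// Added example: structure Yarn's "a > b > pkg@version: message" warnings so
// that each one maps to a direct dependency you actually control, and derive
// Yarn `resolutions` entries where the message names a minimum version.
// The line format is assumed from the warnings quoted in the question.

// Constructed sample input: the four warnings quoted in the question.
const SAMPLE_WARNINGS = [
  "warning lerna > conventional-changelog-cli > tempfile > uuid@2.0.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See (link) for details.",
  "warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > browser-app > @theia/filesystem > trash > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See (link) for details.",
  "warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > hello-world > @theia/core > @theia/application-package > request > har-validator@5.1.5: this library is no longer supported",
  "warning workspace-aggregator-297f6f9c-f48b-44ba-b94b-806d317e58b0 > browser-app > @theia/cli > @theia/application-manager > electron-rebuild > node-gyp > request@2.88.2: request has been deprecated, see (link)",
];

// Parse one warning line into { direct, path, name, version, message }.
// Returns null for lines that do not match. Scoped names (@theia/core) contain
// an "@", so the version is split off at the LAST "@" of the final element.
function parseWarning(line) {
  const m = /^warning (.+?): (.+)$/.exec(line);
  if (!m) return null;
  const chain = m[1].split(" > ").map((s) => s.trim());
  const last = chain.pop();
  const at = last.lastIndexOf("@");
  if (at <= 0) return null; // no version present, or a bare scope
  const name = last.slice(0, at);
  const version = last.slice(at + 1);
  // Yarn workspaces prefix the chain with a synthetic aggregator package and
  // the workspace name (assumption from the quoted lines); neither is a
  // dependency you can upgrade, so skip both to find the real direct dep.
  const path = chain[0].startsWith("workspace-aggregator-") ? chain.slice(2) : chain;
  return { direct: path[0], path, name, version, message: m[2] };
}

// Group "name@version" of each deprecated package under the direct dependency
// that drags it in. This is the list of packages whose upgrade (or
// replacement) could make a warning go away; everything deeper is not yours.
function groupByDirectDependency(lines) {
  const groups = {};
  for (const line of lines) {
    const w = parseWarning(line);
    if (!w) continue;
    if (!groups[w.direct]) groups[w.direct] = [];
    groups[w.direct].push(`${w.name}@${w.version}`);
  }
  return groups;
}

// Derive `resolutions` entries from messages that state a minimum major
// version ("Please upgrade to version 7 or higher"). Plain deprecations with
// no stated target (request, har-validator) get no entry: there is nothing to
// pin to, only a direct dependency to replace or wait on.
function suggestResolutions(lines) {
  const resolutions = {};
  for (const line of lines) {
    const w = parseWarning(line);
    if (!w) continue;
    const m = /upgrade to version (\d+) or higher/i.exec(w.message);
    if (!m) continue;
    const major = Number(m[1]);
    const existing = resolutions[w.name];
    // If several warnings name the same package, keep the highest floor.
    if (!existing || Number(existing.slice(1).split(".")[0]) < major) {
      resolutions[w.name] = `^${major}.0.0`;
    }
  }
  return resolutions;
}

console.log(groupByDirectDependency(SAMPLE_WARNINGS));
// Paste the object below into the workspace root package.json.
console.log(JSON.stringify({ resolutions: suggestResolutions(SAMPLE_WARNINGS) }, null, 2));
```

On the sample input this yields `{"resolutions": {"uuid": "^7.0.0"}}` and shows that the two `request` related warnings hang off `@theia/core` and `@theia/cli`, which a consumer cannot fix with a pin. A resolution key can also be a nested pattern such as `"lerna/**/uuid"` to limit the override to one subtree. Forcing a transitive package onto a new major only works if the intermediate package (here `tempfile` or `trash`) is compatible with the new API, so run the test suite after adding a resolution rather than treating the silenced warning as proof.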