Remove `bunyan`

[avi12]

Is this a feature request or a bug?

In-between

What is the current behavior?

web-ext depends on

web-ext/package.json

Line 61 in 0d9f5e1

"bunyan": "1.8.15",

which depends on moment@2.19.3, that has a security vulnerability that affects my Chrome extensions

What is the expected or desired behavior?

Please switch to a different package other than bunyan, as it seems to no longer be maintained (the last update was 2 years ago)

[willdurand]

That makes sense. I think we adopted Pino in our other projects. Pino used to be a drop-in replacement for bunyan a long time ago but it has evolved a lot since then. That might still be a straightforward replacement, though.

[fregante]

Are you open to a PR? Dependency-wise the project is huge and quite behind:

• https://npmgraph.js.org/?q=web-ext
• https://github.com/mozilla/web-ext/pulls

I worked on this before and I can do a little more cleaning again:

• Reduce dependencies addons-linter#3601

[willdurand]

sure thing

[fregante]

Sounds good! I can send a PR after most of the dependabot PRs are merged, there are a lot of low-hanging fruits there that would cause conflict with a Bunyan replacement PR.

update-notifier for example just dropped 21 dependencies

• Update all dependencies sindresorhus/update-notifier#234

And the PR on this repo is ready and mergeable.

open v10 also shed a lot of weight: https://packagephobia.com/result?p=open

[fregante]

Good to see that those PRs were merged last week! I sent a PR for Pino:

• feat: replace Bunyan logger with Pino #3214

Also there the open PRs failed but for unrelated reasons. It just needs a rebase:

• chore(deps): bump open from 9.1.0 to 10.1.0 #3075

You can see how big v9 was: https://packagephobia.com/result?p=open@10.0.0