@homura homura commented Dec 4, 2023

Purpose

NodeJS 21 warns that punycode is deprecated. The whatwg-url@5.x that node-fetch depends on uses the deprecated punycode; therefore, it is better to upgrade whatwg-url to the latest one.

jsdom/whatwg-url#261

To reproduce it, try the example below:

```js
const fetch = require('node-fetch') // 2.7.0

fetch('https://jsonplaceholder.typicode.com/todos/1')
  .then(response => response.json())
  .then(json => console.log(json))
```

```
➜  node-fetch git:(2.7) ✗ node x.js
(node:4461) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
{ userId: 1, id: 1, title: 'delectus aut autem', completed: false }
```

Changes

Upgrade whatwg-url to the latest

@jimmywarting
Collaborator

Uhm, sry... we can't.
whatwg-url@14 requires NodeJS v18,

whereas node-fetch@2.x is still backwards compatible all the way back to NodeJS v4.

node-fetch@v2.x is currently locked to only receiving bug/security fixes.

Your option is either to update to node-fetch@3 or to use the new built-in fetch from NodeJS itself, now that it's shipped with NodeJS v18+.

@rlindner81

> Uhm, sry... we can't
> whatwg-url@14 requires NodeJS v18
>
> where as node-fetch@2.x still has backwards compatible all the way back to NodeJS v4
>
> node-fetch@v2.x is currently locked to only receiving bug/security fixes.
>
> Your option is either to update to node-fetch@3 or using the new built-in fetch from NodeJS themself now that it's shipped with NodeJS v18+

@jimmywarting I don't follow this logic. nodejs below v18 is out of maintenance.
https://nodejs.org/en/about/previous-releases

So, it clearly falls under "security fixes" to update node-fetch@2.x to at least nodejs v18... Our project, and I would expect the majority of others, uses commonjs and is locked into node-fetch@2.x. Unfortunately, the native fetch in nodejs v18 (or v20) is not really usable enough, when it comes to streaming, to replace node-fetch.


radist2s commented Aug 6, 2024

@rlindner81, I agree.

I guess I'm not the only one who's intimidated by the Node.js 22 warning:

(node:90843) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.

cjihrig added a commit to cjihrig/javascript that referenced this pull request Oct 18, 2024
The generated client on the release-1.x branch relies on the
node-fetch@2.x module, which depends on whatwg-url@5.0.0, which
uses the Node core punycode module. Node's punycode module was
runtime deprecated in v21, which causes this module to print a
deprecation warning when used on newer versions of Node.

whatwg-url@9.0.0 stopped using punycode directly, but continued
to use it indirectly via its own tr46 dependency. The problematic
use of punycode was finally removed in whatwg-url@12.0.1.

node-fetch will not update its 2.x release line to incorporate the
fix due to backwards compatibility.

node-fetch@2.x claims backwards compatibility to Node v4, but the
fixed version of whatwg-url only claims compatibility back to
Node 12. For this reason, the node-fetch project has stated that
they will not address this issue. For reference, Node v4 went
EOL in 2018, and Node v12 went EOL in early 2022. Node 18 is
currently the oldest supported version, and Node v23 was released
this week.

Ideally, the generator will move to a newer version of node-fetch,
native fetch, or even the undici module that implements fetch in
core. Until that happens, this module can override whatwg-url
and silence the deprecation warning.

It's also worth noting that this punycode deprecation is not the
same one as the punycode deprecation on the master branch.

This change has been tested locally on v18.0.0.

Refs: nodejs/node#47202
Refs: node-fetch/node-fetch#1793

tbroyer commented Feb 10, 2025

punycode was removed from whatwg-url in v9, which is the version that dropped support for Node.js 10: https://github.com/jsdom/whatwg-url/releases/tag/v9.0.0

This means that node-fetch v2 could safely be updated to some version of whatwg-url between v9 and v12 (v13 being the one removing support for Node.js 14).

In the meantime, adding an override in my package.json (as many others have done already) does the job.
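
Added example (not part of the thread and not node-fetch's own code): a Node.js check that walks a parsed npm lockfile and reports which dependents still resolve `whatwg-url` to a release older than 12.0.1, the version the commit message above names as free of the problematic punycode use, so it can confirm that a package.json override took effect. The lockfile contents and the names `findStale`, `resolveDep` and `cmpVersions` are constructed for illustration, and the lockfileVersion 2/3 `packages` layout is assumed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3 assumed).
const FIXED = '12.0.1'; // version taken from the commit message on this page

// Compare dotted numeric versions (<0, 0, >0); pre-release tags are ignored.
function cmpVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolve `name` as Node does: nearest node_modules, walking up from `from`.
function resolveDep(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Report each dependent whose whatwg-url resolves to a copy older than `fixed`.
function findStale(lock, fixed = FIXED) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const range = (meta.dependencies || {})['whatwg-url'];
    if (!range) continue;
    const hit = resolveDep(packages, path, 'whatwg-url');
    if (hit && cmpVersions(packages[hit].version, fixed) < 0) {
      findings.push({ dependent: path || '(root)', range, resolved: hit, version: packages[hit].version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const before = { lockfileVersion: 3, packages: {
  'node_modules/node-fetch': { version: '2.7.0', dependencies: { 'whatwg-url': '^5.0.0' } },
  'node_modules/whatwg-url': { version: '5.0.0' },
} };
// The same tree after an override pins whatwg-url to the fixed release.
const after = JSON.parse(JSON.stringify(before));
after.packages['node_modules/whatwg-url'].version = FIXED;
console.log(findStale(before), findStale(after));
```

Run against a real project by passing `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findStale`; an empty result means no dependent resolves to an older copy.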
