[Bug]: npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it.

[tannnxr]

Version

29.7.0

Steps to reproduce

I was installing jest and NPM hit me with this message:

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

I have not tested for validity of any memory leaks, but I think it's worth looking into for the devs. Sorry I can't give any more information.

Expected behavior

NPM Shouldn't warn me about a package that has memory leaks that Jest depends on.

Actual behavior

NPM Does give me a warning about memory leaks.

Additional context

No response

Environment

System:
    OS: Windows 11 10.0.22631
    CPU: (24) x64 AMD Ryzen 9 5900X 12-Core Processor
  Binaries:
    Node: 20.9.0 - C:\Program Files\nodejs\node.EXE
    npm: 10.8.0 - C:\Program Files\nodejs\npm.CMD
  npmPackages:
    jest: ^29.7.0 => 29.7.0

[mrazauskas]

Looks like the warning originates from Jest's dependencies. These are updated with each version. I just checked, installing jest@next does not print a warning. You just have to update Jest. The next version 30 is currently in beta. You can use it or wait for stable release.

[alexey-sh]

Is there any appropriate workaround for people who don't use alpha/beta/gamma/non-stable versions?

[mrazauskas]

I think Yarn's resolutions or similar config options from other package managers are worth to try. Reference: https://yarnpkg.com/configuration/manifest#resolutions

[alexey-sh]

It seems that the issue needs someone more competent. The mentioned package is out of date. The last update was 8 years ago and all versions contain memory leaks.
@mrazauskas Would you mind assigning this to someone on the team who has experience in the required areas?

[SimenB]

It's from glob, which has been upgraded in jest@next via #14509

[Arthur-Carbonari]

This is true. But all packages that depend on 29.7.0 (almost all packages) are currently unsafe. And jest@next is still a alpha version at the moment.
It would be better to issue an emergency bug fix as 29.7.1.

[SimenB]

It's a breaking change to update to newer versions of glob, so that cannot be done.

[nsgpriyanshu]

I keep receiving the same warning! They should release a secure version of Jest until they complete their v30.

[alexey-sh]

I don't agree that fix security issue cannot be done. It must be done.
The MR #14509 with "chore" in the title with breaking changes

contains glob v10.3.10

while the glob v10.3.10 does not use inflight library
https://github.com/isaacs/node-glob/blob/v10.3.10/package.json

So there are literally 0 reasons to close the issue

[mrazauskas]

Where do you see security issue? The warning mentioned in the OP says: "This module is not supported, and leaks memory." If there are any security issues, better open another issue.

[anomiex]

I tried jest@next just now and still saw the problem.

$ npm install jest@next
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

added 308 packages in 14s

46 packages are looking for funding
  run `npm fund` for details

While jest itself no longer directly uses a deprecated version of glob, @jest/transform depends on babel-plugin-istanbul 6.1.1 → test-exclude 6.0.0 → glob 7.2.3 → inflight 1.0.6.

Unfortunately there's not an updated version of babel-plugin-istanbul to update to. Someone has already filed istanbuljs/babel-plugin-istanbul#294, but that repo doesn't seem to have been very active lately.

[alexey-sh]

@jest/core -> @jest/reporters -> glob@^7.1.3 -> inflight

[anomiex]

@jest/core -> @jest/reporters -> glob@^7.1.3 -> inflight

That one was already fixed in #14509. Which I think you know already.

[alexey-sh]

@anomiex it is not fixed in the stable version(https://github.com/jestjs/jest/blob/v29.7.0/packages/jest-reporters/package.json#L25). I think you know that people do not use alpha version in production.

[anomiex]

And I think you know that continuing to complain about that isn't going to accomplish anything with the Jest maintainers. They won't make the change in the v29 branch because it would require dropping support for old nodejs versions, as they already told you, so it has to wait for v30.

OTOH, my comment, if they don't ignore it because it was buried by your complaining, points out something that still isn't fixed in @next.

[alexey-sh]

it would require dropping support for old nodejs versions

let's check jest v29 node versions

    "node": "^14.15.0 || ^16.10.0 || >=18.0.0"

what about glob v10?

    "node": ">=16 || 14 >=14.18"

As far as I understand, both support nodejs v14 and there is no need to drop support for old nodejs versions.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.