npm Deprecation Manager

A manager for npm deprecation warnings.

Turn:

$ npm clean-install
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/config-array@0.12.3: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/config-array@0.6.0: Use @eslint/config-array instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated @humanwhocodes/object-schema@1.2.1: Use @eslint/object-schema instead
npm warn deprecated eslint@8.0.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.

Into:

$ depreman
glob@8.1.0 ("Glob versions prior to v9 are no longer supported"):
        mocha@10.7.0 > glob@8.1.0
        publint@0.2.10 > npm-packlist@5.1.3 > glob@8.1.0

Usage

1. Install:

   npm install depreman
   

2. Create an .ndmrc file in the root of your project.

3. Run:

   npx depreman
   

4. Configure.

Configuration

CLI

The CLI has a couple of options:

• --help/-h: show help text.
• --errors-only: output only deprecation warnings that are not ignored.
• --report-unused: report and fail if there is an ignore directive that is unused. This is recommended if you have a lockfile but discouraged if you do not.
• --omit=<dev|optional|peer>: ignore deprecation warnings in development, optional, or peer dependencies. Can be repeated.

File

An .ndmrc file is just a JSON file with rules for deprecated dependencies to ignore. The object hierarchy should reflect the dependency hierarchy with keys representing <package>@<version> pairs (semver version ranges supported).

The * wildcard can be used to match 0-or-more dependencies in a hierarchy and the + wildcard can be used to match 1-or-more dependencies in a hierarchy.

Use the "#ignore" directive when a deprecation for a given dependency should be ignored and assign it a reason as a string (or a boolean if you prefer). Optionally, use the "#expire" directive to set a date (YYYY-MM-DD) on which the rule expires.

For example:

{
  "ignore@v0": {
    "#ignore": "ignore deprecation warnings for ignore@v0 but not its children"
  },

  "not-ignored@v1": {
    "package-a@v2": {
      "#ignore": "ignore deprecation warnings for not-ignored@v1 > package-a@v2"
    },
    "package-b@v3": {
      "#ignore": "and for package-b@v3 only until December 31, 2024",
      "#expire": "2024-12-31"
    }
  },

  "ignore-it@v4": {
    "*": {
      "#ignore": "ignore direct and transitive deprecation warnings with '*'"
    }
  },
  "also-not-ignored@v5": {
    "+": {
      "#ignore": "ignore transitive deprecation warnings only with '+'"
    }
  },

  "*": {
    "ignored@v6": {
      "#ignore": "ignore deprecation warnings anywhere in the tree"
    }
  },

  "no-reason@v7": {
    "#ignore": true
  }
}

License

This software is available under the AGPL-3.0-only license, see LICENSE for the full license text. Documentation is available under the GFDL-1.3-or-later license, see GNU Free Documentation License v1.3 for the full license text.

Changelog

All notable changes to depreman will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

• No changes yet

[0.3.9] - 2025-06-18

• Fix support for Windows.

[0.3.8] - 2025-05-10

• Add support for Node.js v24.
• Add support for npm v11.

[0.3.7] - 2025-04-21

• Add CLI argument validation and error messaging.
• Add configuration validation and error messaging.
• Fix missing output when there are no disallowed deprecation warnings.
• Fix missing deprecation warnings due to npm output parsing.

[0.3.6] - 2025-03-17

• Add support for projects that do not have a package-lock.json.
• Fix potentially poor performance when parsing npm aliases.

[0.3.5] - 2025-01-23

• Add --omit=<dev|optional|peer> flag to control the review scope.
• Make the output ordered alphabetically (by package name).
• Fix an unexpected runtime error if there are no dependencies.
• Add validation of expiry dates.

[0.3.4] - 2024-12-09

• Add --report-unused flag to report on unnecessary ignore directives.
• Disallow expiry dates with prefixes or suffixes.
• Fix ignoring of the expiry date when using the * wildcard.

[0.3.3] - 2024-11-16

• Add support for Node.js v20.
• Add support for npm v9.
• Fix support for aliases in dependencies.
• Fix an error if there are no dependencies or devDependencies.
• Type check the #ignore value.

[0.3.2] - 2024-11-09

• Add + to match 1-or-more dependencies.
• Let * properly match 0-or-more (i.e. match the dependency itself too).

[0.3.1] - 2024-11-04

• Fix bug where rules following a wildcard would not be matched.
• Fix matching deprecation warnings for npm: aliased dependencies.
• Improve matching of aliased dependencies in deprecation paths.
• Let * match 0-or-more instead of 1-or-more.

[0.3.0] - 2024-11-03

• Add a --help message.
• Add --errors-only (replaces undocumented --complete).
• Add support for expiry dates using the #expire directive.
• Improve the path-to-the-deprecated package output by adding an indicator for the current project to the list.

[0.2.0] - 2024-10-29

• Add support for exact path deprecation rules.
• Add support for wildcards in deprecation paths.
• Add support for using semver ranges in deprecation rules.
• Improve messaging when the configuration file is invalid.

[0.1.0] - 2024-10-28

• Initial release.