punycode deprecation

[aparajita]

Describe the bug
When running under node v22.4.1, I get a deprecation warning for punycode.

Current behavior
The following error is printed to the console:

(node:72996) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.

Expected behavior
No error.

Environment

• commit-and-tag-version version(s): 12.4.1
• Node/npm version: 22.4.1
• OS: macOS 14.5 (Apple Silicon)

[TimothyJones]

Thanks for the report. This is coming via jsdom, where they have an open issue about it. The easiest path is probably to wait for a fix for them - or alternatively, jsdom could be replaced - it's just used to parse some XML in the maven updater.

[aparajita]

alternatively, jsdom could be replaced - it's just used to parse some XML in the maven updater.

Using jsdom to parse XML seems like overkill. There must be lighter weight XML parsers out there.

In the meantime I fixed it with the following .pnpmfile.cjs:

function readPackage(pkg, context) {
  if (pkg.name === 'jsdom' && pkg.version.startsWith('23.2')) {
    // Replace tough-cookie v4 with v5
    pkg.dependencies = {
      ...pkg.dependencies,
      'tough-cookie': '^5.0.0-rc.3'
    }
    context.log('tough-cookie@4 => tough-cookie@5 in dependencies of jsdom')
  }

  return pkg
}

module.exports = {
  hooks: {
    readPackage
  }
}

[TimothyJones]

Thanks. It’s helpful to have the pnpmfile on the issue in case it helps others who want to work around it. I’m not super keen to muck with the dependencies of our dependencies in a released version, though.

in the meantime, it’s just a deprecation warning, there’s no loss of functionality until there are breaking changes in a later version of node

Very happy to accept a PR replacing jsdom with something lighter if you have the time

[aparajita]

I’m not super keen to muck with the dependencies of our dependencies in a released version, though.

The tough-cookie maintainers said v5 is API compatible with v4.

in the meantime, it’s just a deprecation warning

...which should be taken seriously. punycode was deprecated 3 years ago in node 16.

[Mukul1127]

alternatively, jsdom could be replaced - it's just used to parse some XML in the maven updater.

Using jsdom to parse XML seems like overkill. There must be lighter weight XML parsers out there.

In the meantime I fixed it with the following .pnpmfile.cjs:

function readPackage(pkg, context) {
  if (pkg.name === 'jsdom' && pkg.version.startsWith('23.2')) {
    // Replace tough-cookie v4 with v5
    pkg.dependencies = {
      ...pkg.dependencies,
      'tough-cookie': '^5.0.0-rc.3'
    }
    context.log('tough-cookie@4 => tough-cookie@5 in dependencies of jsdom')
  }

  return pkg
}

module.exports = {
  hooks: {
    readPackage
  }
}

It may be better to just add this into package.json:

  "pnpm": {
    "overrides": {
      "jsdom>tough-cookie": "^5.0.0-rc.4"
    }
  },

It also works with yarn:

  "resolutions": {
    "jsdom/tough-cookie": "^5.0.0-rc.4"
  }

and for npm:

  "overrides": {
    "tough-cookie": "^5.0.0-rc.4"
  }

[aparajita]

It may be better to just add this into package.json:

Thanks, I forgot about that config option.