You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, deprecated packages show a short string with some information from the deprecated property. This often includes information about another package to migrate to, either due to a package rename or a fork. Unfortunately, this makes it hard or impossible to automate any sort of migration, in the same way that tools like Dependabot or Renovate can for version upgrades.
Allowing structured data in the deprecated property, with information about a replacement package or packages, would allow these tools to perform package migrations as well as package upgrades.
Example
Renovate currently has a manually curated list of these package migrations1, and I am discussing whether or not this addition makes sense as part of the Open Source Vulnerability schema2. I think there are definitely security applications for deprecated packages that have CVEs, it would also be useful for general package migrations.
How
Current Behaviour
The deprecated property in package.json currently only allows a string or boolean to show some information about what package to migrate to. For example:
"deprecated": "No longer supported. Migrate to @example/package-name"
Desired Behaviour
Allowing for structured data in the deprecated property would allow for automation to perform migrations in users code. For example:
"deprecated": {
"description": "No longer supported. Migrate to @example/package-name",
"migration": {
"name": "@example/package-name",
"version": "2.0.0"
}
}
Motivation ("The Why")
Currently, deprecated packages show a short string with some information from the
deprecated
property. This often includes information about another package to migrate to, either due to a package rename or a fork. Unfortunately, this makes it hard or impossible to automate any sort of migration, in the same way that tools like Dependabot or Renovate can for version upgrades.Allowing structured data in the
deprecated
property, with information about a replacement package or packages, would allow these tools to perform package migrations as well as package upgrades.Example
Renovate currently has a manually curated list of these package migrations1, and I am discussing whether or not this addition makes sense as part of the Open Source Vulnerability schema2. I think there are definitely security applications for deprecated packages that have CVEs, it would also be useful for general package migrations.
How
Current Behaviour
The
deprecated
property inpackage.json
currently only allows a string or boolean to show some information about what package to migrate to. For example:Desired Behaviour
Allowing for structured data in the
deprecated
property would allow for automation to perform migrations in users code. For example:References
Footnotes
https://github.com/renovatebot/renovate/blob/main/lib/config/presets/internal/replacements.ts ↩
https://github.com/ossf/osv-schema/issues/230 ↩
The text was updated successfully, but these errors were encountered: