Context
After installing `bcrypt`, I received several warnings about deprecated packages, but the first one is especially troubling:
```
$ npm install bcrypt
npm WARN deprecated [email protected]: This module is not supported, and leaks memory.
Do not use it. Check out lru-cache if you want a good and tested way to coalesce
async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: This package is no longer supported.

$ npm ls inflight
└─┬ [email protected]
  └─┬ @mapbox/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]
```
This warning about a potential memory leak leaves me concerned about whether `bcrypt` is safe for long-running applications in a production environment.

As you can see, the suggested fix per npm is to use `lru-cache` instead of `inflight`, which would require overriding `rimraf` by updating `package.json` with this:
```
{
  ...
  "overrides": {
    "rimraf": "^4.0.0"
  }
  ...
}
```
However, I'm hesitant to do that. (Also, I can't update `[email protected]` or `@mapbox/[email protected]`, since these are the latest versions of each.)
My questions are:

- Do these deprecated dependencies pose a significant risk if I use `bcrypt` in production as-is?
- If so, should I override this dependency the way I described above?
Any guidance would be greatly appreciated!
Additional Context:
- Node.js version: v20.13.0
- npm version: 10.5.2
- Operating System: Windows 10 Pro (64-bit)
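One way to verify whether an `overrides` entry actually removed a deprecated transitive package, as an added example that is not part of the question: walk the tree that `npm ls --all --json` prints and list every path that reaches a given package name. The sample tree is constructed by hand to mirror the `npm ls inflight` output above; its version strings are placeholders, and `findPaths` / `pathsFromNpmLsJson` are names chosen here.

```javascript
// Walks the JSON tree printed by `npm ls --all --json` and reports every
// dependency path from the project root to a target package. Running it
// before and after adding an "overrides" entry shows whether the deprecated
// package (inflight, here) is still installed and through which chain.

// Constructed sample mirroring the question's `npm ls inflight` chain.
// Version strings are placeholders, not verified release numbers.
const sampleTree = {
  name: "my-app",
  dependencies: {
    bcrypt: {
      version: "0.0.0-sample",
      dependencies: {
        "@mapbox/node-pre-gyp": {
          version: "0.0.0-sample",
          dependencies: {
            rimraf: {
              version: "0.0.0-sample",
              dependencies: {
                glob: {
                  version: "0.0.0-sample",
                  dependencies: { inflight: { version: "0.0.0-sample" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Return every path (array of "name@version" strings) that ends at `target`.
// npm marks repeated packages as "deduped" without nested dependencies, so the
// recursion terminates without cycle tracking.
function findPaths(tree, target) {
  const results = [];
  function walk(node, trail) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = trail.concat(`${name}@${child.version}`);
      if (name === target) results.push(next);
      walk(child, next); // keep descending: the target may appear again deeper
    }
  }
  walk(tree, []);
  return results;
}

// Convenience wrapper for the raw text of `npm ls --all --json > tree.json`.
function pathsFromNpmLsJson(jsonText, target) {
  return findPaths(JSON.parse(jsonText), target);
}

for (const p of findPaths(sampleTree, "inflight")) console.log(p.join(" > "));
```

An empty result for `inflight` after re-running `npm install` with the override in place confirms the package is gone; a non-empty result shows which chain still pulls it in.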