Multiple build warnings when installing build dependencies

Multiple build warnings when installing build dependencies

ChadChaddingtonChadChaddington Posts: 15Questions: 3Answers: 0

Hello! I'm trying to build DataTablesSrc in order to test a new feature I'm trying to add to the ColumnControl extension. However, upon building as per the repo's instructions, when using npm install, multiple warnings come up. Is there anything I can do regarding the software version I'm using to install and build? If not, is it possible to fix these issues, particularly the most critical ones like the package that leaks data and bower@1.3.12, which apparently has a major security issue (This Bower version has SECURITY BUG THAT ALLOWS TO WRITE TO ARBITRARY FILE ON YOUR COMPUTER when you install malicious package. Please upgrade Bower to at least version 1.8.8 if you don't want to get hacked.)?

npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'karma@1.7.1',
npm warn EBADENGINE   required: { node: '0.10 || 0.12 || 4 || 5 || 6 || 7 || 8' },
npm warn EBADENGINE   current: { node: 'v22.17.0', npm: '10.9.2' }
npm warn EBADENGINE }
npm warn deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm warn deprecated fstream-ignore@1.0.5: This package is no longer supported.
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm warn deprecated uid-number@0.0.5: This package is no longer supported.
npm warn deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated osenv@0.0.3: This package is no longer supported.
npm warn deprecated osenv@0.1.0: This package is no longer supported.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm warn deprecated cryptiles@0.2.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated rimraf@2.2.8: Rimraf versions prior to v4 are no longer supported
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated rimraf@2.2.8: Rimraf versions prior to v4 are no longer supported
npm warn deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm warn deprecated q@1.0.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated q@0.9.7: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated boom@0.4.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated formatio@1.2.0: This package is unmaintained. Use @sinonjs/formatio instead
npm warn deprecated sntp@0.2.4: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm warn deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm warn deprecated minimatch@1.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm warn deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm warn deprecated wrench@1.3.9: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm warn deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated uuid@2.0.3: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated hoek@0.9.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated node-uuid@1.4.8: Use uuid module instead
npm warn deprecated mkdirp@0.5.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated request@2.42.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated fstream@1.0.12: This package is no longer supported.
npm warn deprecated request@2.51.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated glob@3.2.11: Glob versions prior to v9 are no longer supported
npm warn deprecated tough-cookie@0.12.1: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm warn deprecated npmconf@2.1.3: this package has been reintegrated into npm and is now out of date with respect to npm
npm warn deprecated text-encoding@0.6.4: no longer maintained
npm warn deprecated hawk@1.1.1: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm warn deprecated glob@4.0.6: Glob versions prior to v9 are no longer supported
npm warn deprecated log4js@0.6.38: 0.x is no longer supported. Please upgrade to 6.x or higher.
npm warn deprecated bower@1.3.12: This Bower version has SECURITY BUG THAT ALLOWS TO WRITE TO ARBITRARY FILE ON YOUR COMPUTER when you install malicious package. Please upgrade Bower to at least version 1.8.8 if you don't want to get hacked. More info: https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction/
npm warn deprecated sinon@3.3.0: 16.1.1
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm warn deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 877 packages, and audited 878 packages in 4m

77 packages are looking for funding
  run `npm fund` for details

71 vulnerabilities (4 low, 13 moderate, 36 high, 18 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

How to replicate:

git clone https://github.com/DataTables/DataTablesSrc.git
cd DataTablesSrc
npm install

Software versions I'm using:
* WSL: 5.15.167.4-microsoft-standard-WSL2
* Ubuntu: Ubuntu 24.04.3 LTS
* NPM: 10.9.2
* NodeJS: v18.19.1
* Bash: GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
* PHP: PHP 8.3.6 (cli) (built: Jul 14 2025 18:30:55) (NTS), Zend Engine v4.3.6

This question has accepted answers - jump to:

Answers

  • allanallan Posts: 65,206Questions: 1Answers: 10,804 Site admin

    Good point - it has been a while since I've updated the build dependencies. I've done so now and it is much cleaner.

    The final three warnings are coming from karma, and is tracked in this issue.

    Allan

  • ChadChaddingtonChadChaddington Posts: 15Questions: 3Answers: 0

    Nice! Thanks, it looks great :smiley:

    As for the karma warnings: I looked it up, and it unfortunately seems the runner is now deprecated

    Based on the current state of the web testing ecosystem, we have made the hard decision to deprecate Karma.
    [...]
    Critical security issues in Karma will still be triaged and fixed as necessary. This will continue until 12 months after Angular CLI's Web Test Runner support is marked stable.

    The warnings from the karma dependency are about low severity vulnerabilities, which don't seem to be covered by the "critical security issues" clause. I couldn't figure out if the Angular CLI's Web Test Runner support was marked stable or not, but karma's latest update was a little over a year ago, so I'm guessing "yes".

    What does that imply for DataTables? Will it need to migrate testing to another tool like Jest or Modern Web Test Runner, as suggested by the karma team, or will it be left as is?

  • allanallan Posts: 65,206Questions: 1Answers: 10,804 Site admin
    Answer ✓

    Well damn. Yes, the upshot is that I'll need to migrate it. Thankfully it doesn't effect the code that is shipped as part of the package, so I'm not got to bust a gut working on updating it, but it is something that I'll need to do. Thanks for letting me know about it.

    Allan

  • ChadChaddingtonChadChaddington Posts: 15Questions: 3Answers: 0

    Update: seems there's now an issue with Lint when processing datatables.tailwindcss

    npm run build-debug
    
    > datatables.net-src@2.0.5 build-debug
    > cd build; ./make.sh build debug
    
    
      DataTables build () - branch: master
    
      Deploying to build repo
      JS js
      JS mjs
      Styling frameworks JS
        JS processing dataTables.bootstrap5
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.bootstrap4
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.bootstrap
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.bulma
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.foundation
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.jqueryui
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.semanticui
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.material
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.uikit
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.dataTables
          Creating ES module
          Creating UMD
          Linting UMD
        JS processing dataTables.tailwindcss
          Creating ES module
          Creating UMD
          Linting UMD
      CSS
      Types
      Examples
      Lint
    
    /mnt/c/Users/laika/Desktop/DTExtended/DataTablesSrc/built/js/dataTables.js
       4194:14  error  'e' is defined but never used  no-unused-vars
      10995:13  error  'e' is defined but never used  no-unused-vars
      11029:13  error  'e' is defined but never used  no-unused-vars
      12722:10  error  'e' is defined but never used  no-unused-vars
    
    ✖ 4 problems (4 errors, 0 warnings)
    
      Lint failed
        Updating package descriptors
    
      Done
    

    It happened after I pulled from the updated repo, installed the dependencies, and built again:

    git pull
    npm install
    npm run build-debug extension ColumnControl
    

    I thought it might have to do with multiple versions of the same base dependency being used since I'd already built DT previously, so I removed the whole folder with sudo rm -r DataTablesSrc and went through the clone-build process again:

    git clone https://github.com/DataTables/DataTablesSrc.git
    cd DataTablesSrc
    npm install
    npm run build-debug extension ColumnControl
    

    The same thing happens if I only use npm run build-debug

  • ChadChaddingtonChadChaddington Posts: 15Questions: 3Answers: 0

    Oh, I realize you've replied meanwhile!

    No need to thank me, I'm just glad it's not a stressful a realization as it could've been. Shame about the karma package, though :/

  • allanallan Posts: 65,206Questions: 1Answers: 10,804 Site admin
    Answer ✓

    Doh - I saw it, moved on to something else and then forgot about it! There is Optional catch binding but I have a 10 year support window for browsers with DataTables, and that was only widely introduced around 2018. So this is one of those cases where the lint error needs to be suppressed. I've committed a change to that effect.

    Allan

  • ChadChaddingtonChadChaddington Posts: 15Questions: 3Answers: 0

    Thank you!!

Sign In or Register to comment.