Multiple build warnings when installing build dependencies
Multiple build warnings when installing build dependencies
ChadChaddington
Posts: 15Questions: 3Answers: 0
Hello! I'm trying to build DataTablesSrc in order to test a new feature I'm trying to add to the ColumnControl extension. However, upon building as per the repo's instructions, when using npm install, multiple warnings come up. Is there anything I can do regarding the software version I'm using to install and build? If not, is it possible to fix these issues, particularly the most critical ones like the package that leaks data and bower@1.3.12, which apparently has a major security issue (This Bower version has SECURITY BUG THAT ALLOWS TO WRITE TO ARBITRARY FILE ON YOUR COMPUTER when you install malicious package. Please upgrade Bower to at least version 1.8.8 if you don't want to get hacked.)?
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE package: 'karma@1.7.1',
npm warn EBADENGINE required: { node: '0.10 || 0.12 || 4 || 5 || 6 || 7 || 8' },
npm warn EBADENGINE current: { node: 'v22.17.0', npm: '10.9.2' }
npm warn EBADENGINE }
npm warn deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm warn deprecated fstream-ignore@1.0.5: This package is no longer supported.
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm warn deprecated uid-number@0.0.5: This package is no longer supported.
npm warn deprecated lodash.get@4.4.2: This package is deprecated. Use the optional chaining (?.) operator instead.
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated osenv@0.0.3: This package is no longer supported.
npm warn deprecated osenv@0.1.0: This package is no longer supported.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm warn deprecated cryptiles@0.2.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated rimraf@2.2.8: Rimraf versions prior to v4 are no longer supported
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm warn deprecated rimraf@2.2.8: Rimraf versions prior to v4 are no longer supported
npm warn deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm warn deprecated q@1.0.1: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated q@0.9.7: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm warn deprecated
npm warn deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm warn deprecated boom@0.4.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated formatio@1.2.0: This package is unmaintained. Use @sinonjs/formatio instead
npm warn deprecated sntp@0.2.4: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm warn deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm warn deprecated minimatch@1.0.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm warn deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm warn deprecated wrench@1.3.9: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm warn deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated uuid@2.0.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm warn deprecated hoek@0.9.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm warn deprecated node-uuid@1.4.8: Use uuid module instead
npm warn deprecated mkdirp@0.5.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated request@2.42.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated fstream@1.0.12: This package is no longer supported.
npm warn deprecated request@2.51.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated glob@3.2.11: Glob versions prior to v9 are no longer supported
npm warn deprecated tough-cookie@0.12.1: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm warn deprecated npmconf@2.1.3: this package has been reintegrated into npm and is now out of date with respect to npm
npm warn deprecated text-encoding@0.6.4: no longer maintained
npm warn deprecated hawk@1.1.1: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm warn deprecated glob@4.0.6: Glob versions prior to v9 are no longer supported
npm warn deprecated log4js@0.6.38: 0.x is no longer supported. Please upgrade to 6.x or higher.
npm warn deprecated bower@1.3.12: This Bower version has SECURITY BUG THAT ALLOWS TO WRITE TO ARBITRARY FILE ON YOUR COMPUTER when you install malicious package. Please upgrade Bower to at least version 1.8.8 if you don't want to get hacked. More info: https://snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction/
npm warn deprecated sinon@3.3.0: 16.1.1
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
npm warn deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
added 877 packages, and audited 878 packages in 4m
77 packages are looking for funding
run `npm fund` for details
71 vulnerabilities (4 low, 13 moderate, 36 high, 18 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
How to replicate:
git clone https://github.com/DataTables/DataTablesSrc.git
cd DataTablesSrc
npm install
Software versions I'm using:
* WSL: 5.15.167.4-microsoft-standard-WSL2
* Ubuntu: Ubuntu 24.04.3 LTS
* NPM: 10.9.2
* NodeJS: v18.19.1
* Bash: GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
* PHP: PHP 8.3.6 (cli) (built: Jul 14 2025 18:30:55) (NTS), Zend Engine v4.3.6
This question has accepted answers - jump to:
Answers
Good point - it has been a while since I've updated the build dependencies. I've done so now and it is much cleaner.
The final three warnings are coming from karma, and is tracked in this issue.
Allan
Nice! Thanks, it looks great
As for the karma warnings: I looked it up, and it unfortunately seems the runner is now deprecated
The warnings from the karma dependency are about
low severity vulnerabilities, which don't seem to be covered by the "critical security issues" clause. I couldn't figure out if the Angular CLI's Web Test Runner support was marked stable or not, but karma's latest update was a little over a year ago, so I'm guessing "yes".What does that imply for DataTables? Will it need to migrate testing to another tool like Jest or Modern Web Test Runner, as suggested by the karma team, or will it be left as is?
Well damn. Yes, the upshot is that I'll need to migrate it. Thankfully it doesn't effect the code that is shipped as part of the package, so I'm not got to bust a gut working on updating it, but it is something that I'll need to do. Thanks for letting me know about it.
Allan
Update: seems there's now an issue with Lint when processing
datatables.tailwindcssIt happened after I pulled from the updated repo, installed the dependencies, and built again:
I thought it might have to do with multiple versions of the same base dependency being used since I'd already built DT previously, so I removed the whole folder with
sudo rm -r DataTablesSrcand went through the clone-build process again:The same thing happens if I only use
npm run build-debugOh, I realize you've replied meanwhile!
No need to thank me, I'm just glad it's not a stressful a realization as it could've been. Shame about the karma package, though
Doh - I saw it, moved on to something else and then forgot about it! There is Optional catch binding but I have a 10 year support window for browsers with DataTables, and that was only widely introduced around 2018. So this is one of those cases where the lint error needs to be suppressed. I've committed a change to that effect.
Allan
Thank you!!