This repository was archived by the owner on May 1, 2024. It is now read-only.
Hello everybody, thank you for your time reading this, and I hope this may help everybody save time in the future.
A few months ago I created a very simple project which used a single "direct" dependency; here is what my package.json looks like:
```json
{
  "name": "web-page",
  "version": "0.0.1",
  "description": "web page",
  "keywords": [],
  "license": "unlicensed",
  "author": "Me",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev"
  },
  "devDependencies": {
    "parcel-bundler": "^1.12.5"
  }
}
```
Everything worked fine, time to put it to rest. A few months passed, and now I need to do a little tweak. I have the habit of always running npm audit to see if anything has changed since I last used it.
npm audit
Output sample:
npm audit
# npm audit report
glob-parent <5.1.2
Severity: moderate
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
@parcel/watcher <=1.12.1
Depends on vulnerable versions of chokidar
node_modules/parcel-bundler/node_modules/@parcel/watcher
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
jsdom <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via `npm audit fix`
node_modules/jsdom
uncss >=0.15.0
Depends on vulnerable versions of jsdom
node_modules/uncss
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/parcel-bundler/node_modules/htmlnano
node-forge <=1.2.1
Severity: moderate
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/parcel-bundler/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/parcel-bundler/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/parcel-bundler/node_modules/svgo
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/parcel-bundler/node_modules/htmlnano
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/parcel-bundler/node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/parcel-bundler/node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/parcel-bundler/node_modules/cssnano
postcss <=7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/css-modules-loader-core/node_modules/postcss
node_modules/postcss-modules-extract-imports/node_modules/postcss
node_modules/postcss-modules-local-by-default/node_modules/postcss
node_modules/postcss-modules-scope/node_modules/postcss
node_modules/postcss-modules-values/node_modules/postcss
node_modules/purgecss/node_modules/postcss
css-modules-loader-core *
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-modules-values
node_modules/css-modules-loader-core
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
postcss-modules-extract-imports <=1.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-local-by-default <=1.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-scope <=1.1.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-modules-values <=1.3.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
purgecss <=1.0.1 || 2.0.1-beta.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/purgecss
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/parcel-bundler/node_modules/htmlnano
terser <4.8.1
Severity: moderate
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/parcel-bundler/node_modules/terser
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
23 vulnerabilities (16 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Questions:
1 - It does not tell me that parcel-bundler is deprecated.
npm audit fix
npm audit fix
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
added 157 packages, removed 94 packages, changed 3 packages, and audited 939 packages in 15s
59 packages are looking for funding
run `npm fund` for details
# npm audit report
glob-parent <5.1.2
Severity: moderate
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
@parcel/watcher <=1.12.1
Depends on vulnerable versions of chokidar
node_modules/@parcel/watcher
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
jsdom <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via `npm audit fix`
node_modules/jsdom
uncss >=0.15.0
Depends on vulnerable versions of jsdom
node_modules/uncss
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/htmlnano
node-forge <=1.2.1
Severity: moderate
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/htmlnano
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
postcss <=7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
node_modules/postcss-modules-extract-imports/node_modules/postcss
node_modules/postcss-modules-local-by-default/node_modules/postcss
node_modules/postcss-modules-scope/node_modules/postcss
node_modules/postcss-modules-values/node_modules/postcss
node_modules/purgecss/node_modules/postcss
css-modules-loader-core *
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-modules-values
node_modules/css-modules-loader-core
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
postcss-modules-extract-imports <=1.2.1
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-local-by-default <=1.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-scope <=1.1.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
postcss-modules-values <=1.3.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
purgecss <=1.0.1 || 2.0.1-beta.0 - 3.0.0
Depends on vulnerable versions of postcss
node_modules/purgecss
htmlnano >=0.1.7
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of purgecss
Depends on vulnerable versions of svgo
Depends on vulnerable versions of uncss
node_modules/htmlnano
terser <4.8.1
Severity: moderate
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/terser
parcel-bundler >=1.4.0
Depends on vulnerable versions of @parcel/watcher
Depends on vulnerable versions of css-modules-loader-core
Depends on vulnerable versions of fast-glob
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of terser
node_modules/parcel-bundler
23 vulnerabilities (16 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Questions:
1 - The first line says WARN deprecated svgo, but it does not mention that parcel-bundler is deprecated.
npm i
npm i
up to date, audited 939 packages in 9s
59 packages are looking for funding
run `npm fund` for details
23 vulnerabilities (16 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Question:
1 - It doesn't mention any deprecation or warning.
npm install after rm -rf node_modules
npm i
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package. See https://v2.parceljs.org/getting-started/migration for details.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
added 938 packages, and audited 939 packages in 19s
59 packages are looking for funding
run `npm fund` for details
23 vulnerabilities (16 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Questions
1 - It does mention that parcel-bundler is deprecated, but it is one of the last lines.
What are my observations
The project has 1 direct dependency, but when npm displays deprecation warnings, it mentions the dependency's dependencies' deprecations first, giving less prominence to the dependency I can directly act upon to change the project for the better.
npm audit could potentially also show that a dependency is deprecated, showing direct dependencies first, so that I can use npm audit to glance at a project and see if anything may need my attention.
Hope you enjoy this discussion and find it valuable. I wish you a wonderful day.
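The reordering the observations above ask for, as an added example that is not from the discussion or from npm itself: a small Node script that parses the `npm WARN deprecated` lines npm prints during install and lists the ones for the project's direct dependencies before the transitive ones (the sample package versions are assumed, since the page shows them obfuscated).

```javascript
// Added example (not from the discussion): group "npm WARN deprecated" lines
// from `npm install` output so that deprecations of the project's own direct
// dependencies are listed before transitive ones. Runs offline; the sample
// input is constructed from the package.json and warning lines in the post.

// Matches "npm WARN deprecated <name>@<version>: <message>" (scoped names too).
const DEPRECATION_RE = /^npm WARN deprecated (@?[^@\s]+)@(\S+): (.*)$/;

// Extract every deprecation warning from raw npm output.
function parseDeprecations(npmOutput) {
  const found = [];
  for (const line of npmOutput.split("\n")) {
    const m = DEPRECATION_RE.exec(line.trim());
    if (m) found.push({ name: m[1], version: m[2], message: m[3] });
  }
  return found;
}

// Direct dependencies are the keys of dependencies/devDependencies in package.json.
function directDependencies(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// Split warnings into those the project can act on directly and the rest.
function rankDeprecations(pkg, npmOutput) {
  const direct = directDependencies(pkg);
  const all = parseDeprecations(npmOutput);
  return {
    direct: all.filter((w) => direct.has(w.name)),
    transitive: all.filter((w) => !direct.has(w.name)),
  };
}

// Constructed sample: the post's package.json plus three of its warning lines
// (the versions are assumed; the page shows them obfuscated).
const SAMPLE_PKG = { name: "web-page", devDependencies: { "parcel-bundler": "^1.12.5" } };
const SAMPLE_OUTPUT = [
  "npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies",
  "npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.",
  "npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package.",
  "added 938 packages, and audited 939 packages in 19s",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const { direct, transitive } = rankDeprecations(SAMPLE_PKG, SAMPLE_OUTPUT);
  for (const w of direct) console.log(`DIRECT      ${w.name}@${w.version}: ${w.message}`);
  for (const w of transitive) console.log(`transitive  ${w.name}@${w.version}: ${w.message}`);
}
```

Run it as `npm install 2>&1 | node rank-deprecations.js` after swapping `SAMPLE_OUTPUT` for stdin to apply it to a real install; the direct-dependency warning is then the first line instead of one of the last.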