whitlockjc / path-loader Goto Github PK

Originally reported here: apigee-127/sway#24

Your patch version update is actually a major version upgrade since you have bumped superagent dependency from 3.8.3 to 7.1.6.
And superagent has this upgrade on its dependency:

formidable@1.2.6 -> formidable@2.0.1

Which now on my version of node hits the following error:

formidable/src/index.js:27
  ...parsers,
  ^^^
SyntaxError: Unexpected token ...

At https://github.com/whitlockjc/path-loader/blob/master/test/test-loaders-browser.js#L121 , I see "should support non-JSON with options.processContent" as a condition, though the file indicated is actually JSON and there is no inclusion of options.processContent. Similarly at https://github.com/whitlockjc/path-loader/blob/master/test/test-loaders-node.js#L164 (and https://github.com/whitlockjc/path-loader/blob/master/test/test-loaders-node.js#L100 there is a non-JSON file but it also has no options.processContent).

https://github.com/whitlockjc/path-loader/blob/master/index.js#L32

API documentation for load method lists location parameter to be of type module:path-loader~LoadOptions instead of string and does not specify options as a parameter at all.

There is an advisory for the npm package qs that can be solved by upgrading your dependency of superagent to the latest version (currently at v3.5.2), or at the very least v2.0.0

Some additional info from snyk and the qs github issue.

Should be a simple bump as there haven't been too many changes from 5 to 6 that would break.

Path loader is a dependent or transitive dependent of several swagger related packages.

gulpjs/gulp#2324

Karma has support to serve static files and that would be much simpler to use than spinning up a server in the Gulp file.

It would be slick to allow for the consumer to add/replace loaders.

As of right now, NSP has an exception for https://nodesecurity.io/advisories/479 and it should be removed once ladjs/superagent#1259 is fixed.

This repository is a nested dependency of my project. The latest version (1.0.11) added the node v14 engine as mandatory (it wasn't even defined before). My project uses node v12 and the pipeline broke due to this change. Any engine update should be done on a major, so everyone that directly depends on it could test it. Please, deprecate the latest tag and release it as a major (if node engine 14 is really necessary).

From this code:

...there actually still is always a warning in the browser because:

https://github.com/visionmedia/superagent/blob/ec987f6f154de764435da2f5cbd88a3a85d1fb7f/lib/client.js#L631-L635

...contains a stub for this method.

I think the warning could be avoided by checking for window and self (as superagent does in the beginning of that same file:

https://github.com/visionmedia/superagent/blob/ec987f6f154de764435da2f5cbd88a3a85d1fb7f/lib/client.js#L6-L13

...and if neither is present, only then do the check to run the buffer method...

Bower is no longer maintained and should be migrated away from.

Superagent has a bug that breaks it in web workers: ladjs/superagent#673

path-loader uses superagent to load http, which makes path-loader subject to any security advisory that might be issued against superagent. there are 2 that can be resolved by updating to the latest version of superagent:

• https://nodesecurity.io/advisories/534
• https://nodesecurity.io/advisories/535

It looks like nsp was shut down so we should migrate to snyk.

It would be nice to have a clearable cache so that multiple loads of the same path do not duplicate efforts. Might even make sense to allow for disabling cache via an option.

Would you be able to deploy the changes that have been made to the npm registry? The version that exists in the npm registry is missing any updates from the last 2 years that have been made, including security vulnerabilities (such as the older version of jQuery).

You'll likely need to bump your package version for it to be deployed.

This package depends on superagent 7.1.6. This is giving a deprecation warning.

npm WARN deprecated [email protected]: Please downgrade to v7.1.5 if you need IE/ActiveXObject support OR upgrade to v8.0.0 as we no longer support IE and published an incorrect patch version (see ladjs/superagent#1731)