2

I have installed globally pouchdb-server and I got this message about graceful-fs:

$ npm install -g pouchdb-server
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.

As the message says, the package will fail with node > 7.0 (which I use), so I would like to know how to perform the upgrade.

If I execute:

$ npm ls graceful-fs -g

I see that graceful-fs is used in several global packages, but the only one with the old version is in `pouchdb-server`:

├─┬ pouchdb-server@1.2.1
│ ├─┬ couchdb-harness@0.1.6
│ │ └─┬ glob@3.1.21
│ │   └── graceful-fs@1.2.3
│ ├─┬ http-pouchdb@1.1.3
│ │ └─┬ pouchdb@5.4.5
│ │   └─┬ lie@3.0.4
│ │     └─┬ es3ify@0.2.2
│ │       └─┬ jstransform@11.0.3
│ │         └─┬ commoner@0.10.8
│ │           └── graceful-fs@4.1.11
│ ├─┬ pouchdb-adapter-node-websql@6.1.0
│ │ └─┬ websql@0.4.4
│ │   └─┬ sqlite3@3.1.8
│ │     └─┬ node-pre-gyp@0.6.31
│ │       ├─┬ tar@2.2.1
│ │       │ └─┬ fstream@1.0.10
│ │       │   └── graceful-fs@4.1.9
│ │       └─┬ tar-pack@3.3.0
│ │         └─┬ fstream@1.0.10
│ │           └── graceful-fs@4.1.9
│ └─┬ pouchdb-node@6.1.0
│   └─┬ leveldown@1.5.0
│     └─┬ prebuild@4.5.0
│       ├─┬ node-gyp@3.4.0
│       │ ├─┬ fstream@1.0.10
│       │ │ └── graceful-fs@4.1.11
│       │ └── graceful-fs@4.1.11
│       └─┬ node-ninja@1.0.2
│         └── graceful-fs@4.1.11
├─┬ webpack@1.13.1
│ ├─┬ enhanced-resolve@0.9.1
│ │ └── graceful-fs@4.1.4
│ └─┬ watchpack@0.2.9
│   └─┬ chokidar@1.5.1
│     └─┬ fsevents@1.0.12
│       └─┬ node-pre-gyp@0.6.25
│         └─┬ tar@2.2.1
│           └─┬ fstream@1.0.8
│             └── graceful-fs@4.1.3

I've tried npm update -g graceful-fs but this doesn't work. What is the proper way to upgrade a package that is a dependency of a global package?

Just to be clear: I don't want to globally install the graceful-fs package; rather, I want to upgrade the installation of graceful-fs that is used by the pouchdb-server package.

mklement0
tvs

3 Answers

2

You cannot fix this yourself, you need to ask the package maintainer(s) to upgrade their dependencies.

The best you can do is to run npm update -g (a.k.a. npm upgrade -g) to ensure that all (global, in this case) packages are upgraded to the latest version of their dependencies as allowed by their dependency specs in their respective package.json files.

Beyond that, upgrading to higher version numbers among the dependencies cannot be done, unless the package(s) in question are themselves modified to depend (allow depending) on more recent versions of their dependent packages.

Package designers specify a permissible range of version numbers among dependent packages, and going outside that range is usually not safe due to the rules of semver (semantic versioning).
Unfortunately, that means that packages that haven't had their dependencies updated in a long time run the risk of being obsoleted by changes in Node.js/npm.


Looking at your specific case:

pouchdb-server has a dependency on "couchdb-harness": "*", which specifies that any couchdb-harness version satisfies the dependency (which is unusually permissive, possibly at the expense of robustness).

couchdb-harness is the problem, however: it depends on "glob": "~3.1.21", which means that it won't install and work with glob package versions higher than 3.1.x - see npm's docs on semver version specifications.

(The latest glob 3.x package itself depends on "minimatch": "~0.2.11", which explains the other warning, which, however, will go away if couchdb-harness updates its dependencies to the latest glob version.)

mklement0
  • 1
    Thank you for a great and thorough explanation of what is going on! I've just opened an issue in couchdb-harness repository to ask them to upgrade the dependencies – tvs Dec 19 '16 at 11:37
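
The diagnosis in the answer above, as an added example that is not part of the original answer: it walks a tree shaped like `npm ls graceful-fs -g --json` output to find which dependency chain pins the pre-4.0 graceful-fs, then checks candidate glob versions against the `~3.1.21` range. The sample tree is constructed from the question's listing (shortened to two chains); `findOutdated` and `satisfiesTilde` are hypothetical helper names, and `satisfiesTilde` is a simplified stand-in for npm's semver matching, not the `semver` package.

```javascript
// Constructed sample in the shape of `npm ls graceful-fs -g --json` output,
// shortened to two chains taken from the question's tree.
const sampleTree = {
  dependencies: {
    "pouchdb-server": { version: "1.2.1", dependencies: {
      "couchdb-harness": { version: "0.1.6", dependencies: {
        glob: { version: "3.1.21", dependencies: {
          "graceful-fs": { version: "1.2.3" } } } } } } },
    webpack: { version: "1.13.1", dependencies: {
      "enhanced-resolve": { version: "0.9.1", dependencies: {
        "graceful-fs": { version: "4.1.4" } } } } },
  },
};

// Walk the tree and return every dependency chain that ends in `name`
// with a major version below `minMajor`. The chain shows which
// intermediate package (and therefore which maintainer) pins the old copy.
function findOutdated(node, name, minMajor, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${dep}@${info.version}`];
    if (dep === name && parseInt(info.version, 10) < minMajor) {
      hits.push(chain.join(" > "));
    }
    hits.push(...findOutdated(info, name, minMajor, chain));
  }
  return hits;
}

// Simplified tilde check for full "~X.Y.Z" ranges (assumption: no
// prerelease tags or partial versions): allows >=X.Y.Z and <X.(Y+1).0.
function satisfiesTilde(range, version) {
  const [rMaj, rMin, rPat] = range.slice(1).split(".").map(Number);
  const [maj, min, pat] = version.split(".").map(Number);
  return maj === rMaj && min === rMin && pat >= rPat;
}

console.log(findOutdated(sampleTree, "graceful-fs", 4));
// Test inputs below are arbitrary version strings, not a list of glob releases.
console.log(["3.1.21", "3.2.0", "7.0.0"].map((v) => satisfiesTilde("~3.1.21", v)));
```

Against a real installation, replace `sampleTree` with the parsed JSON from `npm ls graceful-fs -g --json`.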
0

Got this from here,

$ npm update minimatch
$ npm -v minimatch
2.10.1
$ npm install -g npm@3
/usr/local/bin/npm -> /usr/local/lib/node_modules/npm/bin/npm-cli.js
npm@3.10.5 /usr/local/lib/node_modules/npm
$ npm install -g minimatch@3.0.2
/usr/local/lib
└─┬ minimatch@3.0.2 
  └─┬ brace-expansion@1.1.6 
    ├── balanced-match@0.4.2 
    └── concat-map@0.0.1 

$ npm -v minimatch
3.10.5

For graceful-fs try:

npm install -g graceful-fs graceful-fs@latest
Mattia
  • I've edited my question to clarify what I want ... I don't want to install graceful-fs as a global package, I want to upgrade the installation of the package made by pouchdb-server – tvs Dec 19 '16 at 01:06
0

Is there a particular reason why you need to install pouchdb-server globally?

Look into adding it to your packages.json under peerDependencies, uninstalling it globally, removing your local node_modules folder, then install from scratch.

It's typically recommended against installing globally—it's preferable to install packages via devDependencies, peerDependencies, etc.

This is preferable as it avoids side effects of other packages using the same dependencies. Also, you're able to keep all dependencies in version control.

References

What's the difference between dependencies, devDependencies and peerDependencies in npm package.json file?

Community
pygeek