Whose dependency is it? (AKA who is making npm print warnings on install?)

When you run npm install, it's likely you'll eventually see a message in the console like this:

npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead

Unfortunately, it is sometimes hard to tell what is causing that warning if you did not explicitly install the dependency that emits it.

Fortunately, npm has a command that will help you: explain. As the documentation says, it will print the chain of dependencies causing a given package to be installed in the current project.

$ npm explain abab@2.0.6
abab@2.0.6 dev
node_modules/abab
  abab@"^2.0.6" from data-urls@3.0.2
  node_modules/data-urls
    data-urls@"^3.0.2" from jsdom@20.0.3
    node_modules/jsdom
      jsdom@"^20.0.0" from jest-environment-jsdom@29.7.0
      node_modules/jest-environment-jsdom
        dev jest-environment-jsdom@"^29.7.0" from the root project
  abab@"^2.0.6" from jsdom@20.0.3
  node_modules/jsdom
    jsdom@"^20.0.0" from jest-environment-jsdom@29.7.0
    node_modules/jest-environment-jsdom
      dev jest-environment-jsdom@"^29.7.0" from the root project

So as you see, in this particular case the abab package at version 2.0.6 was installed because of data-urls, which was installed because of jsdom. We can see this by reading the output line by line (now with extra annotations):

$ npm explain abab@2.0.6
abab@2.0.6 dev  # the abab package is installed only in development mode
node_modules/abab # for this module, these are the packages that depend on it:
  abab@"^2.0.6" from data-urls@3.0.2 # data-urls@3.0.2 wants abab@2.0.6 <=
  ...

Fun fact: this command is also aliased as why. So depending on your mood, you could call the command like this: npm why thispackage.

Round-about way of finding this answer

This information is also in the package-lock.json file in the project folder, but it is not as human readable, as it shows the information for all the modules which are installed in your project. But it might be an interesting thing to look at and try to make sense of.
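As an added example (not part of the original post), this script recovers the same chains from the "packages" map of a package-lock.json. The lock object is a constructed, trimmed sample in the lockfileVersion 3 shape, and the helper names (nameOf, resolveDep, dependentsOf, explainChains) are hypothetical.

```javascript
// Constructed sample in the lockfileVersion 3 "packages" shape, trimmed to the
// packages from the npm explain output above. For a real project, load
// package-lock.json with JSON.parse instead.
const lock = { lockfileVersion: 3, packages: {
  "": { devDependencies: { "jest-environment-jsdom": "^29.7.0" } },
  "node_modules/jest-environment-jsdom": { version: "29.7.0", dev: true, dependencies: { jsdom: "^20.0.0" } },
  "node_modules/jsdom": { version: "20.0.3", dev: true, dependencies: { abab: "^2.0.6", "data-urls": "^3.0.2" } },
  "node_modules/data-urls": { version: "3.0.2", dev: true, dependencies: { abab: "^2.0.6" } },
  "node_modules/abab": { version: "2.0.6", dev: true },
} };
const FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const NM = "node_modules/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"
const nameOf = (path) => path.slice(path.lastIndexOf(NM) + NM.length);

// Which installed copy does the package at fromPath get for `name`? Mirrors Node's
// lookup: its own node_modules first, then each enclosing package's, up to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + NM + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/" + NM);
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Packages that declare a dependency on the copy at targetPath and resolve to it.
function dependentsOf(packages, targetPath) {
  const name = nameOf(targetPath);
  return Object.keys(packages).filter((path) =>
    FIELDS.some((f) => (packages[path][f] || {})[name] !== undefined) &&
    resolveDep(packages, path, name) === targetPath);
}

// Every chain from targetPath up to the root project; `seen` guards against cycles.
function explainChains(packages, targetPath, seen = new Set()) {
  if (targetPath === "") return [["the root project"]];
  if (seen.has(targetPath)) return [];
  const label = `${nameOf(targetPath)}@${packages[targetPath].version}`;
  const next = new Set(seen).add(targetPath);
  return dependentsOf(packages, targetPath).flatMap((dep) =>
    explainChains(packages, dep, next).map((rest) => [label, ...rest]));
}

for (const chain of explainChains(lock.packages, "node_modules/abab")) {
  console.log(chain.join(" <- "));
}
```

Because resolveDep follows the nested node_modules layout, a project with two installed copies of the same package gets separate chains for each copy.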

Can you ignore these messages?

You can choose to ignore these warning messages, which is what I see most people do, or you might want to have a look to figure out which package is causing that warning to be printed.

It could be indicative of you using an outdated dependency which you might be able to update by installing a later version, or indicative of the fact that the code of that outdated dependency itself needs updating.

In that latter case, the best thing to do would be to first check in the upstream repository if this is a known issue, and if so, try to help (if the authors are welcoming help).

Sometimes you might be able to send the authors a patch which fixes the issue, and that is a nice way of contributing back to the community.

In this particular example, there are new versions of data-urls and jsdom. If nothing else was depending on them, maybe we could make the warnings go away by installing those newer versions. But the top module that started the chain of dependencies is the latest one at the time of writing, and for some reason it's explicitly installing an older jsdom version. I went to the GitHub repository and, given this is the popular jest project, there was already an open issue about this: [Chore]: Deprecated abab and domexception warnings in dependencies. I don't have a lot of time right now, so I'll be watching this issue, but if I had the time, I would try to update the packages, run the jest tests to see if anything broke, and send a PR back to the project.

If you do nothing and you use a lot of dependencies and they all print warnings on install, it's likely you will end up with too much noise on your screen to make sense of what is happening, which isn't a nice place to start from.