fix issue on import of legacy dependent packages

[tchakabam]

see https://stackoverflow.com/a/69564152/589493

this only fixes the issue for v1, additional patches needed for the other versions
not sure this is a desired "fix" as i am not sure this is considered a bug itfp by maintainers.

[ctavan]

Deep requires have intentionally been deprecated in v7.x and removed v8.x, upgrade instructions are given in the CHANGELOG, more context in #361 (comment).

Why do you want to re-introduce deep requires?

[tchakabam]

not sure if you saw the link to SO post in the description.

this seems to be an issue for a number of people in different setups. i can only explain what mine is:

i am not importing/requiring the module directly in our src. uuid is being used by a jest dependency in our case afaict.

the problem comes up when bundling with webpack.

our project is bundled by webpack to a bin for node runtime. unfortunately it seems to bundle this part of the dev deps, which i agree is another root cause to solve this as well here.

OTOH it seemed to me that generally moving away from "deep requires" in your dist breaks loading other consuming packages (maybe only in certain module-loading i.e bundling modes). i guess that these dependent consumers of uuid just got the latest dist as they use a ^ version in their deps? which is one explanation why this issue suddenly came up updating our deps probably?

[TrySound]

@tchakabam Jest itself doesn't use uuid and doesn't have it as transitive dependency.
Do you use additional plugins? This issue looks more like wrong usage which should be fixed instead of fixing uuid.

[tchakabam]

@TrySound @ctavan Jest-reporter is a sub-package of jest that does use uuid. And also other packages in our tooling (webpack worker-loader) seem to be using it and aren't able to use the novel import mode it seems.

i have to admit, rather than looking in detail into this issue and understanding it in depth, I am just trying to find workarounds or fix compatibility somhow. Because it isn't my project directly as you may understand :)

[TrySound]

Here's the whole jest/reporters dependencies tree. There is no uuid there.
https://npm.anvaka.com/#/view/2d/%2540jest%252Freporters

Webpack and worker-loader do not use it as well. Please look in your lock file for dependency which uses uuid and list here.

[TrySound]

Or you can put here your lockfile (in gist please)

[broofa]

@TrySound For future reference, npmgraph.js.org is way better for inspecting dependency graphs.
https://npmgraph.js.org/?q=%40jest%2Freporters

(* cough * Disclaimer * cough * )

[tchakabam]

Ok, apologies I agree my report may be confusing and not accurate in the analysis. I am still trying to figure this out. Will get back to you with some data asap.

Thanks for your help so far!

[tchakabam]

anyhow seems i am not the only one with this issue, see #594

[tchakabam]

Or you can put here your lockfile (in gist please)

Probably we were not using the latest version of all this stuff, and thus what you were looking at was not my depedencies. I am completely sure i saw from the lockfile jest-reporter was using uuid package.

But I am wondering what can be your concept here at all? Do you expect all dependents to change their import mode (and also all the user projects with different bundling tools/modes) as you people released a new version that just breaks the previous distro/import mode? Why dont you just keep backward compatible?

[TrySound]

Because it doesn't break anything if uuid has version with ^ or ~ as recommended. Major releases exist to change anything without breaking dependents.

I am completely sure i saw from the lockfile jest-reporter was using uuid package.

Maybe it's some very old version with incorrectly specified version. Latest jest version doesn't have this problem so better upgrade.

[tchakabam]

Major releases exist to change anything without breaking dependents.

I get your point :) Meanwhile, that´s in theory ;)

So, I cant provide our plain package-lock file for project disclosure reasons, but here is the bit where uuid is used by node-notifier, which itself is used by @jest/reporters v26.6.2. Our uuid is clamped at 7.0.3 now (in our package deps) and that fixed the issue.

Hope that helps! thanks anyhow.

    "uuid": {
      "version": "7.0.3",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-7.0.3.tgz",
      "integrity": "sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg=="
    },

"node-notifier": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.2.tgz",
      "integrity": "sha512-oJP/9NAdd9+x2Q+rfphB2RJCHjod70RcRLjosiPMMu5gjIfwVnOUGq2nbTjTUbmy0DJ/tFIVT30+Qe3nzl4TJg==",
      "dev": true,
      "optional": true,
      "requires": {
        "growly": "^1.3.0",
        "is-wsl": "^2.2.0",
        "semver": "^7.3.2",
        "shellwords": "^0.1.1",
        "uuid": "^8.3.0",
        "which": "^2.0.2"
      },
      "dependencies": {
        "uuid": {
          "version": "8.3.2",
          "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
          "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
          "dev": true,
          "optional": true
        }
      }
    },

    "@jest/reporters": {
      "version": "26.6.2",
      "resolved": "https://registry.npmjs.org/@jest/reporters/-/reporters-26.6.2.tgz",
      "integrity": "sha512-h2bW53APG4HvkOnVMo8q3QXa6pcaNt1HkwVsOPMBV6LD/q9oSpxNSYZQYkAnjdMjrJ86UuYeLo+aEZClV6opnw==",
      "dev": true,
      "requires": {
        "@bcoe/v8-coverage": "^0.2.3",
        "@jest/console": "^26.6.2",
        "@jest/test-result": "^26.6.2",
        "@jest/transform": "^26.6.2",
        "@jest/types": "^26.6.2",
        "chalk": "^4.0.0",
        "collect-v8-coverage": "^1.0.0",
        "exit": "^0.1.2",
        "glob": "^7.1.2",
        "graceful-fs": "^4.2.4",
        "istanbul-lib-coverage": "^3.0.0",
        "istanbul-lib-instrument": "^4.0.3",
        "istanbul-lib-report": "^3.0.0",
        "istanbul-lib-source-maps": "^4.0.0",
        "istanbul-reports": "^3.0.2",
        "jest-haste-map": "^26.6.2",
        "jest-resolve": "^26.6.2",
        "jest-util": "^26.6.2",
        "jest-worker": "^26.6.2",
        "node-notifier": "^8.0.0",
        "slash": "^3.0.0",
        "source-map": "^0.6.0",
        "string-length": "^4.0.1",
        "terminal-link": "^2.0.0",
        "v8-to-istanbul": "^7.0.0"
      }
    },

[tchakabam]

Maybe it's some very old version with incorrectly specified version. Latest jest version doesn't have this problem so better upgrade.

Ok will try to confirm this asap

[tchakabam]

    "node_modules/node-notifier": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/node-notifier/-/node-notifier-8.0.2.tgz",
      "integrity": "sha512-oJP/9NAdd9+x2Q+rfphB2RJCHjod70RcRLjosiPMMu5gjIfwVnOUGq2nbTjTUbmy0DJ/tFIVT30+Qe3nzl4TJg==",
      "dev": true,
      "optional": true,
      "dependencies": {
        "growly": "^1.3.0",
        "is-wsl": "^2.2.0",
        "semver": "^7.3.2",
        "shellwords": "^0.1.1",
        "uuid": "^8.3.0",
        "which": "^2.0.2"
      }
    },
    "node_modules/node-notifier/node_modules/uuid": {
      "version": "8.3.2",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
      "dev": true,
      "optional": true,
      "bin": {
        "uuid": "dist/bin/uuid"
      }
    },

that bit is also interesting. seems that now that we have enforced installing uuid 7.0.3 in the top level, the node-notifier is relying on its sub node_modules install rather than the top-level one. and that somehow then works all well.

honestly this is quite a cluster and i cant really dive in too deep in this atm, sorry.

i am not claiming to know what the issue is, or that it is necessarily to be fixed on uuid project side.

just saw what i saw and tried to find a solution here somehow :) thanks so far!!

[ctavan]

Major releases exist to change anything without breaking dependents.

I get your point :) Meanwhile, that´s in theory ;)

The whole purpose of Semantic Versioning is to provide library authors with a way for safely introducing breaking changes, and developers with a safe way of dealing with such changes by specifying appropriate dependency version ranges.

If we start supporting legacy forever just because some other library or application specifies dependencies in a wrong way it would defeat the original purpose of Semantic Versioning.

We will therefore not start fixing other people's code by re-introducing technical debt.

[tchakabam]

see #594 (comment)

[tchakabam]

@ctavan just wanted to help you with providing data as it was requested before.

you're welcome ...

[TrySound]

node-notifier uses uuid correctly. See https://unpkg.com/browse/node-notifier@8.0.2/notifiers/toaster.js

Maybe it's the issue with npm which install wrong dependencies. Anyway many packages change their api in major releases. "Fixing" uuid doesn't change anything if npm installs packages incorrectly. Just something else will break.