Foundation-emails: Deprecated, un-secure and discontinued dependencies messages on latest node

Created on 20 Apr 2018  路  24Comments  路  Source: foundation/foundation-emails

How can we reproduce this bug?

Following the manual setup from command line (have not tried the cli installation yet) with the latest node version, I get messages of deprecated, un-secure and discontinued dependencies. Also several failing test from dependencies

What did you expect to happen?

I expected to not have any issues at all or at least keep the project as updated as possible.

What happened instead?

I got a lot of warnings and advices to update deprecated, un-secure and discontinued dependencies. Tried to update them manually but even if I reduced the warnings to just the dependencies that where not updatable, I got several other issues, being update babel preset to the latest version one among them.

What email clients does this happen in?

NOT APPLY

Most helpful comment

I found this earlier thread which seems to have come to the same conclusion. I have one of my junior devs researching MJML as a replacement.

All 24 comments

Update of issues:
npm WARN deprecated [email protected]: 馃檶 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated [email protected]: Use UnCSS through gulp-postcss instead.
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: the module is now available as 'css-select'
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: This package is discontinued. Use lodash@^4.0.0.
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: the module is now available as 'css-what'
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js

I am beginning to think Foundation for Emails is a dead project; they haven't had a release in over 2 years. These dependencies warnings are just going to get worse.

It might be time to look at alternatives. Which is a great shame as this has made our workflow much smoother.

@burgiuk have you found frameworks / kits that are comparable? I've reach out to Zurb via Twitter just to give this thread some attention. I recommend you do the same. I too would like to know what the status of this project is.

@burgiuk yeah, it looks like that Foundation for Emails is dead project, so I looked up for alternatives and found out MJML which looks really nice - https://mjml.io/

I found this earlier thread which seems to have come to the same conclusion. I have one of my junior devs researching MJML as a replacement.

Situation probably hasn't improved over the last few months?

He's dead, Jim.

You can safely ignore the warnings.

I think you are missing the point. A lot of these warnings are referencing security failings in the dependencies.

The best case scenario is that at some point in the future these warnings will become errors and the framework just will not work.
The worst case is that you have just opened a huge security hole into your project that any malicious actor could exploit.

I think you are missing the point. A lot of these warnings are referencing security failings in the dependencies.

Which are not critical as these are dev dependencies and only used for building the html output.

The best case scenario is that at some point in the future these warnings will become errors and the framework just will not work.

This will not be the case as deprecation warnings are automatically pulled from npmjs which do not break current builds. Also we would see this in CI.

The worst case is that you have just opened a huge security hole into your project that any malicious actor could exploit.

Which exact one(s) would affect production builds or your local den environment?

To sum up, just these 2 packages have some ReDoS vuln. Nothing which affects local builds using gulp.

npm WARN deprecated [email protected]: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

Which we do not use in any of the vulnerable ways.

A lot of these

Just 3 as I can see, but 2 packages.

@markadrake I can understand why you are upset but keep in mind that deprecations are normal in a fast changing and often breaking JS world and vulns do not affect every use case like I already wrote.

Show me one of the findings which affects the production build and we'll push a fix. Otherwise it's like many big maintainers and even the npm team see it, you are not affected by them (this is also why there are CVSS scores, every vuln is not like another).

You will push a fix to where? There is no-one at Zurb to accept the PR. Also, I don't think he is upset, I just think he disagrees with your assessment.

I'm one of the core contributors of Foundation Sites. If there us a critical issue, we can address the right people internally.

@ncoden what do you think? Shall we make a patch release to patch the wrong Gulp tag and try to update some of the deps?

@DanielRuf could you reach out to someone in Zurb to comment on the future of Foundation Emails?

I've tried MJML and while it has some interesting features, it's quite limited in the ways you can build the e-mail structure. That's why I would reaaaally welcome FE back from the dead.

Foundation Emails itself is not dead (at work our team still uses it in many projects) there is just a lack of active contributors and maintainers (like in many opensource projects).

You can still use it and it still works (in general).

I'm one of the core contributors of Foundation Sites. If there us a critical issue, we can address the right people internally.

Hi @DanielRuf,
thanks for your support, very nice to see someone from Zurb keeping us informed on project status :slightly_smiling_face: .

I'm switching to node.js v8 and during my tests through my various projects, I got a critical error during npm run build:

Node Sass does not yet support your current environment: Windows 64-bit with Unsupported runtime

Looking at package-lock.json, seems node-sass v3 doesn't support nodejs v8; node-sass v3 is a dependency of gulp-sass v2, so you should probably update that package to solve :wink: .

Right now I'm still able to run node-js v6 through nvm, but please keep in mind that v6 is EOL by April 2019.

Thanks in advance, hope you'll keep this cool project alive :slightly_smiling_face::upside_down_face:.

See https://github.com/zurb/foundation-emails/pull/939

But you should be able to compile node-sass against your Node.js version using npm rebuild node-sass --force which will run node-gyp.

Also there is no script with the name build.

yarn init -y && yarn add gulp-sass@2
...

./node_modules/.bin/node-sass --version && node --version
node-sass       3.13.1  (Wrapper)       [JavaScript]
libsass         3.3.6   (Sass Compiler) [C/C++]
v10.12.0

I'm switching to node.js v8 and during my tests through my various projects, I got a critical error during npm run build:

To be exact, every time when you switch the Node.js version you have to rebuild / recompile binaries like node-sass so this is normal so far and expected.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rockse picture rockse  路  3Comments

AmeliePoulain92 picture AmeliePoulain92  路  5Comments

GBratsos picture GBratsos  路  4Comments

lspoor picture lspoor  路  5Comments

frecklebit picture frecklebit  路  5Comments