We Keep Coding

Clean Gatsby 5.2 Install throwing `NPM WARN` flags for `react-server-dom-webpack`

After a clean Gatsby 5.2 install using the Gatsby CLI, I need help understanding my terminal output, which shows a multitude of NPM WARN flags.
I have three questions;
What is the cause of these errors?
Why are these errors happening with a clean install?
What is the preferred method for resolving issues like these?
I'm asking these questions here on S.O. because I'd like to pre-emptively learn how to understand and deal with them correctly.
I read up on some similar questions here on S.O., and some recommend using the --legacy-peer-deps flag.
I understand why someone might use the --legacy-peer-deps flag in general, but I'm struggling to understand why a new release, I.e. (Gatsby 5.0), needs to use the --legacy-peer-deps.
NPM errors are still a pain point for me, so I'm looking for easy-to-understand reading material. Or a well-rounded explanation if possible.
After running: gatsby info --clipboard
% gatsby info --clipboard
System:
OS: macOS 13.0.1
CPU: (16) x64 Intel(R) Xeon(R) W-2140B CPU # 3.20GHz
Shell: 5.8.1 - /bin/zsh
Binaries:
Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
npm: 8.19.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
Browsers:
Chrome: 108.0.5359.98
Safari: 16.1
npmPackages:
gatsby: ^5.2.0 => 5.2.0
gatsby-plugin-image: ^3.2.0 => 3.2.0
gatsby-plugin-manifest: ^5.2.0 => 5.2.0
gatsby-plugin-sharp: ^5.2.0 => 5.2.0
gatsby-source-filesystem: ^5.2.0 => 5.2.0
gatsby-transformer-sharp: ^5.2.0 => 5.2.0
npmGlobalPackages:
gatsby-cli: 5.2.0
%
The expected result after running: npm i
% npm i
removed 1505 packages, and audited 83 packages in 8s
20 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
%
Actual result after running: npm i
% npm i
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-server-dom-webpack#0.0.0-experimental-c8b778b7f-20220825
npm WARN Found: react#18.2.0
npm WARN node_modules/react
npm WARN react#"^18.2.0" from the root project
npm WARN 10 more (react-dom, gatsby, gatsby-plugin-image, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react#"0.0.0-experimental-c8b778b7f-20220825" from react-server-dom-webpack#0.0.0-experimental-c8b778b7f-20220825
npm WARN node_modules/react-server-dom-webpack
npm WARN react-server-dom-webpack#"0.0.0-experimental-c8b778b7f-20220825" from gatsby#5.2.0
npm WARN node_modules/gatsby
npm WARN
npm WARN Conflicting peer dependency: react#0.0.0-experimental-c8b778b7f-20220825
npm WARN node_modules/react
npm WARN peer react#"0.0.0-experimental-c8b778b7f-20220825" from react-server-dom-webpack#0.0.0-experimental-c8b778b7f-20220825
npm WARN node_modules/react-server-dom-webpack
npm WARN react-server-dom-webpack#"0.0.0-experimental-c8b778b7f-20220825" from gatsby#5.2.0
npm WARN node_modules/gatsby
npm WARN deprecated async-cache#1.1.0: No longer maintained. Use [lru-cache](http://npm.im/lru-cache) version 7.6 or higher, and provide an asynchronous `fetchMethod` option.
npm WARN deprecated stable#0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated babel-eslint#10.1.0: babel-eslint is now #babel/eslint-parser. This package will no longer receive updates.
added 1505 packages, and audited 1588 packages in 1m
325 packages are looking for funding
run `npm fund` for details
15 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
%

So after some time digging around online, I ended up piecing my answer together and in summary;
I learned that Gatsby explicitly asked for an experimental build of react-server-dom-webpack. After looking at the package.json file located within node_modules/react-server-dom-webpack.
After checking the official repo online for react-server-dom-webpack, I noticed that the package.json file is currently configured differently. (See the official package.json file)
I still couldn't understand why Gatsby explicitly asked for an experimental build of react-server-dom-webpack. So I folded and decided to raise an issue in the official Gatsby Repo. (Link to Issue).
The Answer
For Partial Hydration, Gatsby currently has to use an experimental version of react-server-dom-webpack that sets an experimental version of React as a peerDep.

Until Gatsby has fixed this and you want to remove this warning you can add this to your package.json to tell npm which dependency version to use:
"overrides": {
"react-server-dom-webpack#0.0.0-experimental-c8b778b7f-20220825": {
"react": "^18.2.0"
}
}
Link to comment in github where I found this fix.

Vue JS installation WARN deprecated

I have number of warnings while I am trying to do install Vue JS.How can I solve this issue?
npm i -g #vue/cli
npm WARN deprecated source-map-url#0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix#0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve#0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url#0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated subscriptions-transport-ws#0.11.0: The subscriptions-transport-ws package is no longer maintained. We recommend you use graphql-ws instead. For help migrating Apollo software to graphql-ws, see https://www.apollographql.com/docs/apollo-server/data/subscriptions/#switching-from-subscriptions-transport-ws For general help using graphql-ws, see https://github.com/enisdenjo/graphql-ws/blob/master/README.md
changed 852 packages, and audited 853 packages in 16m
4 vulnerabilities (2 moderate, 2 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Moreover, I already tried with npm audit fix --force.Please help me to solve this issue if anyone got the idea.
Thanks in advance

Errors installing Heroku toolbelt on an M1 Mac via NPM

Tried brew install heroku as I always have but that gave me a non-native binary (c'mon Heroku, Apple's M1 has been around for over 2 years!). I don't want to install Rosetta. So following the other path and installed using NPM. This spit out a bunch of errors. I'm not a Node expert. Hoping someone can tell me how to fix.
❯ npm install -g heroku
npm WARN deprecated uuid#3.2.1: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated strip-eof#2.0.0: Renamed to `strip-final-newline` to better represent its functionality.
npm WARN deprecated uuid#3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated debug#4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated cli-ux#4.9.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated cli-ux#5.6.7: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
added 739 packages, and audited 740 packages in 17s
27 packages are looking for funding
run `npm fund` for details
26 vulnerabilities (19 moderate, 7 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
FWIW: heroku seems to have installed:
❯ which heroku
/opt/homebrew/bin/heroku
❯ heroku -v
› Warning: Our terms of service have changed: https://dashboard.heroku.com/terms-of-service
heroku/7.63.0 darwin-arm64 node-v18.8.0
And strangely (to me anyway) Heroku now shows up in brew list as heroku-node?!?

npm deprecated package problem, npm audit fix --force can not run

$ npm --version
8.0.0
$ npm i uncss -g
npm WARN deprecated request-promise-native#1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator#5.1.5: this library is no longer supported
npm WARN deprecated uuid#3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request#2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
changed 115 packages, and audited 116 packages in 2s
4 packages are looking for funding
run `npm fund` for details
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
I got the above warnings. But I can not fix it as shown below. How to fix it?
$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/myuser/.npm/_logs/2022-07-23T03_14_54_574Z-debug.log

Fixing vulnerabilities reported by npm audit

I'm trying to fix 3 vulnerabilities identified by npm audit, but it seems like these cant be resolved automatically with npm audit fix.
❯ npm audit fix
npm WARN audit fix ansi-regex#5.0.0 node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
npm WARN audit fix ansi-regex#5.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex#5.0.0 npm#8.5.0 at node_modules/npm
npm WARN audit fix ansi-regex#5.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex#5.0.0 Check for updates to the npm package.
npm WARN audit fix ansi-regex#3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm WARN audit fix ansi-regex#3.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex#3.0.0 npm#8.5.0 at node_modules/npm
npm WARN audit fix ansi-regex#3.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex#3.0.0 Check for updates to the npm package.
npm WARN audit fix strip-ansi#4.0.0 node_modules/npm/node_modules/string-width/node_modules/strip-ansi
npm WARN audit fix strip-ansi#4.0.0 is a bundled dependency of
npm WARN audit fix strip-ansi#4.0.0 npm#8.5.0 at node_modules/npm
npm WARN audit fix strip-ansi#4.0.0 It cannot be fixed automatically.
npm WARN audit fix strip-ansi#4.0.0 Check for updates to the npm package.
npm WARN audit fix string-width#2.1.1 node_modules/npm/node_modules/string-width
npm WARN audit fix string-width#2.1.1 is a bundled dependency of
npm WARN audit fix string-width#2.1.1 npm#8.5.0 at node_modules/npm
npm WARN audit fix string-width#2.1.1 It cannot be fixed automatically.
npm WARN audit fix string-width#2.1.1 Check for updates to the npm package.
up to date, audited 1898 packages in 3s
185 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/npm/node_modules/string-width/node_modules/strip-ansi
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/npm/node_modules/string-width
3 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
I'm not sure if this is related to this existing bug or not, as the WARN messages specifically state that it cannot be fixed automatically.
How can I fix these?
I've tried the going through the answers in this similar SO post, but that doesnt resolve any of them. I've tried installing the latest ansi-regex, but hat doesnt make any difference.
Is there any way for me to identify which dependency I have explicitly introduced (i.e. is in my dependencies or devDependencies in package.json) that has implicitly pull in this vulnerable dependency? None of the packages mentioned in the message exist in my package.json.
ansi-regex is mentioned 49 times in my package-lock.json - do I need to sift through all these and tweak versions manually (sounds dangerous).
Sorry for such a generic (yet very specific) question. Any help would be appreciated!

I had this issue as well and found this answer very helpful.
Please read the comments though because it can cause issues if you don't have thorough enough test coverage. Also, I am using shrinkwrap in place of package-lock, so I deleted my shrinkwrap file, not package-lock.
I had deleted my lock file, but the key for me was deleting the node_modules directory.
Best of luck!