punycode deprecation message displayed with Node.js v21.0.0

[AnWeber]

Dependency psl is using deprecated punycode module (see lupomontero/psl#296). But since this error has apparently not been corrected for some time (since mid 2022), it could be problematic for tough-cookie in the future. Is there a plan to replace the dependency?

Thanks for your help

AnWeber/httpyac#577

[wjhsf]

punycode has been deprecated for many years, but the warning only appears for users of node v21, which was initially released only a few weeks ago. Given that we do not officially support v21 (per our support policy, we target only LTS versions), we have no current plans to replace the dependency. There is plenty of time prior to the release of v22 (the next LTS version we will support) for the dependency to be updated, and I expect that it will be. If, however, that does not happen by the time the release of v22 approaches, then we will re-evaluate the situation.

All that being said, I believe that we have had requests in the past to replace psl with a smaller/more performant alternative. If a suitable alternative is available, we may consider replacing the dependency for those reasons.

[AnWeber]

@wjhsf Thanks for the quick reply,

[MikeMcC399]

@wjhsf

The issue is also reproducible using Node.js v20.9.0 LTS:

git clone https://github.com/salesforce/tough-cookie
cd tough-cookie
npm ci
export NODE_PENDING_DEPRECATION=1 
npm test

Running test produces:

[DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.

additionally, there is a related deprecation warning:

[DEP0169] DeprecationWarning: url.parse() behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for url.parse() vulnerabilities.

More details are shown if the environment variable NODE_OPTIONS='--trace-deprecation' is also set:

export NODE_PENDING_DEPRECATION=1 NODE_OPTIONS='--trace-deprecation'
npm test

so perhaps steps could be started to remove these deprecations already without delaying?

[wjhsf]

To see the deprecation warning for punycode in node 20, you must set the feature flag to opt in to that behavior. The expectation of using that flag is that there will be additional warnings logged. If the additional warnings are not desired, then the solution is to simply not use that flag.

Removing the deprecation warning requires a new release of psl. We will upgrade when that release becomes available, but, until then, there is nothing that we can do.

[AnWeber]

That was exactly the hint I gave. The release is unlikely to happen. I assume that it will probably work anyway, because the import of punycode is found in node_modules (installed by tough-cookie) but hey there is a small risk. But we will see.

[MikeMcC399]

• There was a follow-up to this issue in Replace psl dependency with tldts #338 which led to PR Replace psl with tldts #346
• Replace psl dependency with tldts #338 (comment) says the fix is available in a pre-release v5 version