DEP0005 deprecation persists in v19.6.5 despite jsonparse override (PR #1389) #1611
Description
- I have searched for similar issues
I've created this issue with the help of AI given my inexperience with web development, the conclusion is that of the AI after I found the previous PR and merge to main.
Steps to Reproduce
- Install npm-check-updates v19.6.5
- Configure Node.js to throw on deprecation (.npmrc or env var):
node-options=--throw-deprecation - Run: npm run ncu:interactive
Current Behavior
DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
at new Buffer (node:buffer:304:3)
at new de (build/index.js:488:2023)
The process crashes with code: 'DEP0005' before interactive mode starts.
Expected Behavior
PR #1389 merged the override to use https://github.com/ARitz-Cracker/jsonparse/tree/patch-1 which replaces deprecated new Buffer() with Buffer.from(). Version v19.6.5 should not trigger this deprecation.
Evidence
• Installed version: npm-check-updates@19.6.5
• Override commit: 1ab67cd (March 28, 2024) ✅ Merged before v19.6.5 publish date
• Stack trace shows deprecated code at: build/index.js:488:2023
• Source map confirms: jsonparse is bundled at build time
• Override in package.json: Present and correctly configured
Hypothesis
The GitHub URL-based override in package.json:
"overrides": { "jsonparse": "https://github.com/ARitz-Cracker/jsonparse/tree/patch-1" }
...was not properly applied during the npm publish build process. The compiled build/index.js contains the unpatched jsonparse from npm-registry-fetch's dependency chain, not the ARitz-Cracker fork.
Environment
• Node.js: v25.8.2
• npm-check-updates: 19.6.5
• OS: Windows 11