Make package deprecation warnings more useful #6707

Closed
1 task
evelant opened this issue Jun 22, 2023 · 4 comments · Fixed by #7090

@evelant

evelant commented Jun 22, 2023

Describe the user story

When running pnpm install it's common to get deprecation warnings that aren't very useful or actionable because they come from unknown dependencies of dependencies that the user has little/no control over. For example:

 WARN  deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
 WARN  deprecated @oclif/screen@3.0.4: Deprecated in favor of @oclif/core
 WARN  deprecated read-package-tree@5.1.6: The functionality that this package provided is now in @npmcli/arborist
 WARN  deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
 WARN  deprecated har-validator@5.1.5: this library is no longer supported
 WARN  deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
 WARN  deprecated readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
 WARN  deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
 WARN  deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
 WARN  deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
 WARN  deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility

None of those are direct dependencies of my library. I don't know which package is including them or why and there's not much action I can take with the information.

Describe the solution you'd like

Two possible solutions:

  1. Don't show deprecation warnings for dependencies that aren't in package.json
  2. Show the path of dependencies to the package that's being warned about and a link to the repo of the package importing the deprecated dependency. This at least informs users why the warning is happening and gives them a pointer to where they can contribute or request a fix.

Describe the drawbacks of your solution

  1. Hiding deprecations of indirect dependencies might hide an important message. In practice I've never seen a useful or actionable deprecation warning from an indirect dependency however. It's usually just noise to be ignored.
  2. No drawbacks to showing more useful information that I can see.

Describe alternatives you've considered

Perhaps a single warning could be shown such as warn: 17 indirect dependencies are deprecated. run with --show-all-deprecated to list them?

@zkochan
Member

zkochan commented Jun 22, 2023

> Hiding deprecations of indirect dependencies might hide an important message. In practice I've never seen a useful or actionable deprecation warning from an indirect dependency however. It's usually just noise to be ignored.

We used to show only the deprecation messages of direct dependencies but then one time a user spent days investigating an issue because pnpm wasn't printing the message (related change #4231). Both npm and Yarn print all the deprecation messages.

> Perhaps a single warning could be shown such as warn: 17 indirect dependencies are deprecated. run with --show-all-deprecated to list them?

Something like this could work. All the deprecation messages are also written to the lockfile. So, it would be possible to just search for deprecated: in the lockfile.


Also, pnpm is able to mute some deprecation messages using the setting: https://pnpm.io/package_json#pnpmalloweddeprecatedversions
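
The comment above notes that deprecation messages are recorded in the lockfile under deprecated:. The following is an added example, not part of the original thread and not pnpm's own code, that scans lockfile text for those entries and reports the package name, version and message. It assumes a lockfile layout where entries under packages: are keyed as name@version at two-space indent with single-line fields at four-space indent; the sample lockfile is constructed.

```javascript
// Added example: list packages marked "deprecated:" in pnpm-lock.yaml text.
// Assumed layout: "packages:" section, keys at 2-space indent, fields at 4.
function splitKey(key) {
  // Drop a leading "/" and any "(peer@x)" suffix, then split on the last "@".
  const bare = key.replace(/^\//, '').replace(/\(.*$/, '');
  const at = bare.lastIndexOf('@');
  return { name: bare.slice(0, at), version: bare.slice(at + 1) };
}

function listDeprecated(lockfileText) {
  const found = [];
  let inPackages = false;
  let current = null;
  for (const line of lockfileText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // top-level section header
      inPackages = line.trim() === 'packages:';
      current = null;
      continue;
    }
    if (!inPackages) continue;
    const key = line.match(/^ {2}(\S.*):\s*$/);
    if (key) { current = key[1].replace(/^['"]|['"]$/g, ''); continue; }
    const dep = line.match(/^ {4}deprecated:\s*(.*)$/);
    if (dep && current) {
      const message = dep[1].replace(/^(['"])(.*)\1$/, '$2');
      found.push({ ...splitKey(current), message });
    }
  }
  return found;
}

// Constructed sample lockfile (integrity values are placeholders).
const SAMPLE = [
  "lockfileVersion: '6.0'",
  'packages:',
  '  /request@2.88.2:',
  '    resolution: {integrity: sha512-CONSTRUCTED}',
  '    deprecated: request has been deprecated, see https://github.com/request/request/issues/3142',
  '    dev: false',
  '  /@npmcli/move-file@1.1.2:',
  '    resolution: {integrity: sha512-CONSTRUCTED}',
  '    deprecated: This functionality has been moved to @npmcli/fs',
  '  /semver@7.5.4:',
  '    resolution: {integrity: sha512-CONSTRUCTED}',
  '    hasBin: true',
].join('\n');

for (const d of listDeprecated(SAMPLE)) console.log(`${d.name}@${d.version}: ${d.message}`);
```

To run it against a real project, pass the contents of pnpm-lock.yaml as the string argument; multi-line YAML messages are not handled.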

@mcmxcdev
Contributor

Yeah, I can recommend muting the indirect dependency warnings with pnpm.allowedDeprecatedVersions. Even better, you open an issue in that dependency's repository to ask them nicely to get rid of that dependency.

I have opened a similar issue to this in #5951 which would make pnpm.allowedDeprecatedVersions more user-friendly. In the issue, you can see how we use that pnpm feature.

@Dzieni

Dzieni commented Sep 19, 2023

> Show the path of dependencies to the package that's being warned about and a link to the repo of the package importing the deprecated dependency. This at least informs users why the warning is happening and gives them a pointer to where they can contribute or request a fix.

@zkochan what about this part of the issue? I'm fighting with deprecated subdeps and this kind of message would be super helpful :)

@zkochan
Member

zkochan commented Sep 19, 2023

You can run pnpm why <pkg> to find what requires the deprecated package.

> a link to the repo of the package importing the deprecated dependency. This at least informs users why the warning is happening and gives them a pointer to where they can contribute or request a fix.

I don't think this is necessary. The real fix is to update the dependencies in most cases.
