node-sass: Breaking changes for next major

when will V5 be released?

Is there a release date/roadmap? How can we as a community help to release v5 and with that help to remove the outdated (and vulnerable) dependencies?

Is there a release date for version 5?

Stats for version 4.12.0 (available since April 2018, using @realityking’s gist, updated)

I crunched the numbers for one release (4.7.2 to be exact) really quick. This might warrant digging a bit more (e.g. more release), so here’s the code: https://gist.github.com/realityking/5f29d001ed96f1e9e6a318bb71122508

The result I got is this:

I’ll leave the decision-making to others 😄

Removing Node 8 while it is in LTS could cause an uproar.

The EOL for 8 is in December https://github.com/nodejs/release

are there any plans to drop node-gyp for cmake-js (or other) eliminating the requirement of python 2.7 to be installed?

I’m growing concerned that the Active LTS and Current support target may be

• complicated to communicate, and
• too aggressive

Looking at our release binary download stats, Node 4 (46) is getting a significant number of downloads.

We’re forced to drop Node < 4 due to our dependencies. And we agree that using Node < 4 is unsafe and should be discouraged.

There are some Node milestones coming up in April

• Node 4 reaches EOL on the 30th, and
• Node 10 is due to be stable on the 24th

Given that we want to get a final 4.x release out with a LibSass bump. We should take this opportunity to add the Node 10 binaries, and monitor the release binary download numbers.

With any luck there will be a significant drop off in Node 4 installs. If not I would be more comfortable aiming for Node >= 4 support.

Reference

You can see the download stats with the following query in GitHub’s GraphQL API explorer.

query { 
  repository(owner: "sass", name: "node-sass") {
    releases(last: 5) {
      nodes {
        name,
        releaseAssets(first: 100) {
          nodes {
            name,
            downloadCount
          }
        }
      }
    }
  }
}

Just fyi, this repo supports node-pre-gyp for node-sass and publishes to github: https://github.com/bruce-one/node-sass (the binaries can be seen on the releases page). Eg npm i bruce-one/node-sass with node 8 installs using the binaries off github for me.

Just if of interest (never quite got round to making a PR :-s it’s not very complicated though 😃 also, fyi, the commit history is a mess because of trying to force travis builds. The diff isn’t all that much.)

In v5, will anything change for the importer option that has been documented as experimental for a while?

No changes in the API here.

We’re likely to only support node >= 10. This will allow us to seriously consider n-api again.

On Mon, 21 Oct 2019, 8:03 pm Marcin Cieślak, notifications@github.com wrote:

the description ^^ and the README.md file still say

As of node-sass@v5 only Node 6 and above will be officially supported.

As of 21 October 2019, Node 8 is the oldest LTS. Does this mean we drop node 6? That would mean finally dropping CentOS 5 \o/ (despite what the release page says, node 7 does not work on CentOS5).

Do we drop node 6?

— You are receiving this because you were assigned. Reply to this email directly, view it on GitHub https://github.com/sass/node-sass/issues/2111?email_source=notifications&email_token=AAENSWHPXPIYVOVUPWEQB5TQPVV55A5CNFSM4D57ZSL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBZTHHY#issuecomment-544420767, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAENSWCCP3F4FNQZKQGKXN3QPVV55ANCNFSM4D57ZSLQ .

No

On Tue., 15 Jan. 2019, 10:15 pm Victoria French <notifications@github.com wrote:

are there any plans to drop node-gyp for cmake-js (or other) eliminating the requirement of python 2.7 to be installed?

— You are receiving this because you were assigned. Reply to this email directly, view it on GitHub https://github.com/sass/node-sass/issues/2111#issuecomment-454664836, or mute the thread https://github.com/notifications/unsubscribe-auth/AAjZWHL3Vy_8MvrYYjEfBzIbpMJlEiALks5vDsNlgaJpZM4Pv8yX .

@nschonni – that would help. Even though node-pre-gyp still uses request 2.81.0 it eliminates the current package vulnerability.

Even though tunnel-agent is only used for internal build per this closed issue, it would be helpful if request were upgraded >2.83.0 in node-sass@v5.

Package vulnerability scanners don’t differentiate between packages used only for install vs. runtime… which means we have to mentally keep track of ‘this one is okay’ for tunnel-agent under node-sass / requests.

Would be great if this dependency upgrade could be included.

@bruce-one thanks! looks good, think we’d clean out a bunch of our custom SASS_BINARY stuff if we implement that. Also could rename the binding.node to the more standard node_sass.binding too. I won’t do my own PR for now, but I’ll ping you when we’re ready for this 😄

Maybe take a look at node-pre-gyp again as it looks like someone setup a GH releases piece https://github.com/bchr02/node-pre-gyp-github