
[ FEATURE REQUEST] SFDMU depends on unsupported and outdated libraries. #869

Closed
PawelWozniak opened this issue Sep 2, 2024 · 10 comments
feature-request New feature request or a change in the existing functionality postponed Will be reviewed again later

Comments

@PawelWozniak

PawelWozniak commented Sep 2, 2024

Describe the bug
Just installed plugin and got many warnings during this process, here is an output:

PS D:\git> sf plugins install sfdmu
Polling for new version(s) to become available on npm... done
Successfully validated digital signature for sfdmu.
Finished digital signature check.
npm warn deprecated [email protected]: flatten is deprecated in favor of utility frameworks such as lodash.
npm warn deprecated [email protected]: this library is no longer supported
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated [email protected]: No longer maintained. Moved to https://npm.im/@reallyland/node_mod.
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated [email protected]: This package has been moved to the @jetstreamapp organization starting on version 6.0.0. Update your dependency to use @jetstreamapp/soql-parser-js.
added 252 packages in 16s

To Reproduce
Uninstall the whole SF CLI so that it also removes plugins.
Install SF CLI.
Install sfdx-git-delta with command sf plugins install sfdx-git-delta

Expected behavior
Plugin installs without warnings.

export.json
Not applicable to this issue.

Log file
Not applicable to this issue.

_target.csv file.
Not applicable to this issue.
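An added example, not code from the issue or from the SFDMU project: it parses install output of the shape quoted above into structured deprecation records, classifies each warning, and returns a verdict a CI install step could gate on. The sample lines are constructed and the package names and versions in them are placeholders, not the real packages behind SFDMU.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the "npm warn deprecated" lines quoted in the issue.
# Package names and versions are placeholders, not SFDMU's actual dependencies.
SAMPLE_OUTPUT = """\
Polling for new version(s) to become available on npm... done
npm warn deprecated demo-flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm warn deprecated @demo-scope/command@1.8.36: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated demo-uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances.
npm warn deprecated demo-request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated demo-parser@4.0.0: This package has been moved to the @demo-org organization starting on version 6.0.0.
added 252 packages in 16s
"""

# "npm warn deprecated <name>@<version>: <reason>". Scoped names keep their leading "@",
# so the version is split off at the last "@" before the colon.
DEPRECATION_RE = re.compile(
    r"^npm warn deprecated (?P<pkg>@?[^@\s]+)@(?P<version>[^:\s]+): (?P<reason>.*)$"
)

@dataclass(frozen=True)
class Deprecation:
    package: str
    version: str
    reason: str

def parse_deprecations(output: str) -> list[Deprecation]:
    """Extract every deprecation warning from raw npm/sf install output."""
    found = []
    for line in output.splitlines():
        m = DEPRECATION_RE.match(line.strip())
        if m:
            found.append(Deprecation(m["pkg"], m["version"], m["reason"].strip()))
    return found

def classify(dep: Deprecation) -> str:
    """Map the free-text reason to a triage bucket. 'unmaintained' means no fix will
    ever come from that package; the others point at a newer version or replacement."""
    r = dep.reason.lower()
    if "no longer supported" in r or "no longer maintained" in r:
        return "unmaintained"
    if "moved to" in r or "in favor of" in r:
        return "superseded"
    if "upgrade" in r:
        return "upgrade-available"
    return "deprecated"

def summarize(output: str) -> dict:
    deps = parse_deprecations(output)
    return {"total": len(deps), "by_category": dict(Counter(classify(d) for d in deps))}

def should_block(output: str, block_on: tuple[str, ...] = ("unmaintained",)) -> bool:
    """True when any warning falls into a category the team has decided to fail on."""
    return any(classify(d) in block_on for d in parse_deprecations(output))
```

Piping `sf plugins install sfdmu 2>&1` into `summarize` gives the counts; `should_block` is the single boolean a pipeline step needs.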

@PawelWozniak PawelWozniak added the bug Something isn't working, looks like a bug label Sep 2, 2024
@hknokh
Collaborator

hknokh commented Sep 2, 2024

Hello, @PawelWozniak

Thank you for reporting a bug.
I will take a look at it as soon as possible and let you know of any updates.

Cheers

@wrt83

wrt83 commented Sep 4, 2024

I would add to this that both alasql and madge are very outdated and contain multiple "high" level vulnerabilities.

alasql latest is 4.5.1, sfdmu is on 0.6.4
madge latest is 8.0.0, sfdmu is on 3.8.0

@hknokh2
Contributor

hknokh2 commented Sep 4, 2024

Hello,

All these vulnerabilities do not matter since the tool is used only locally. I do not plan to update dependencies in the near future, as it might require refactoring and regression tests due to breaking changes in the newest versions. If you have any doubts regarding security, please stop using sfdmu.

@PawelWozniak
Author

In my opinion, since this tool is developed under the official Salesforce Developers account and Salesforce repeatedly says that Trust is number one for them, security should be considered important.

@hknokh2
Contributor

hknokh2 commented Sep 5, 2024

Ok. This is your opinion and understanding of "trust" in the context of this tool as well as of the reported issues. Your use of the product is under the code of conduct and terms of use. Please take into account that this is not a Salesforce product and sf can't take full responsibility for it. From my side, I give the best I can to maintain this tool. The rest is on the end-user, who sees what he uses, and this is the value of sf "trust" in terms of "transparency".
The reported issues seem not critical for this tool and will be fixed when I have more time for this, because of the complexity of these fixes.

@PawelWozniak
Author

I understand that fixing such a dependency is complex, as it can cause some side effects. I am glad that you are improving this tool; it is beneficial for everyone.

@hknokh hknokh added feature-request New feature request or a change in the existing functionality and removed bug Something isn't working, looks like a bug labels Sep 6, 2024
@hknokh hknokh changed the title SFDMU depends on unsupported and outdated libraries. [ FEATURE REQUEST] SFDMU depends on unsupported and outdated libraries. Sep 6, 2024
@hknokh
Collaborator

hknokh commented Sep 6, 2024

Converted to "feature request" and put to my roadmap.

I am closing this issue for now. I will review the feature request at a later time, but please note that there is no guarantee that this update will be implemented. I will provide further updates if there are any developments.

Best regards.

@hknokh hknokh closed this as completed Sep 6, 2024
@hknokh hknokh added the roadmap This case is on the roadmap to be reviewed/implemented in future label Sep 9, 2024
@hknokh
Collaborator

hknokh commented Sep 20, 2024

I would add to this that both alasql and madge are very outdated and contain multiple "high" level vulnerabilities.

alasql latest is 4.5.1, sfdmu is on 0.6.4
madge latest is 8.0.0, sfdmu is on 3.8.0

These dependencies have been updated to the latest version.
Generally, I'm working on moving the plugin to the V2 of the SF CLI, which is based on @salesforce/core and will solve the other outdated dependencies.
Opened the new feature request for that: Upgrade the SFDMU to V2 of SF CLI
Since this is a lot of work, there is no exact ETA for this.

@hknokh hknokh added completed The issue was successfully resolved/Feature is completed and removed roadmap This case is on the roadmap to be reviewed/implemented in future labels Sep 20, 2024
@hknokh2
Contributor

hknokh2 commented Sep 30, 2024

Hello @PawelWozniak,

Thanks again for pointing out the outdated libraries used in the project.
I wanted to inform you that I’ve been working on converting SFDMU to the latest SF CLI ESM plugin template. However, since SFDMU was originally developed using the older SFDX CLI CommonJs architecture and relies on libraries that are not fully compatible with the latest SF CLI plugin architecture, the conversion process seems nearly impossible or extremely difficult. It would require almost a complete rewrite of the code.

My priority is to avoid any breaking changes or regressions, as SFDMU is actively used by a large number of organizations and businesses. Therefore, I prefer not to proceed with the upgrade at this time, as SFDMU continues to function well despite some minor warnings that may appear.

For now, I’ve postponed this upgrade, but it might be revisited later when it becomes more feasible.

@hknokh hknokh added postponed Will be reviewed again later and removed completed The issue was successfully resolved/Feature is completed labels Sep 30, 2024
@PawelWozniak
Author

@hknokh2 Thank you for the update. This tool works well so keep it going. Thank you.
