Fixed the punycode deprecation warning #3194

Conversation

PratapRathi
Contributor

@PratapRathi PratapRathi commented Jan 7, 2025

What kind of change does this PR introduce?
This PR will fix the punycode deprecation warning by following these steps.
The punycode package is used in the following sub_modules:
Screenshot 2025-01-07 at 18 50 15

But the official Node.js documentation suggests switching to the userland-provided Punycode.js module instead, in this way:
Screenshot 2025-01-07 at 18 54 59

So we updated these require statements in the sub_modules, created patches for them using patch-package, and added a post-install script to apply these patches after installing modules using npm install; this will override the default behaviour of the sub_modules.

We will be using these patches until these sub_modules refactor their code; once that is done we will remove patch-package and these patches. If required, we can also add more patches for any other sub_module which may create this warning in future.

Issue Number:
Fixes #2862

Did you add tests for your changes?
N/A

Snapshots/Videos:
Screenshot 2025-01-07 at 19 30 25

If relevant, did you update the documentation?
N/A

Summary
Does this PR introduce a breaking change?
No

Other information

Have you read the contributing guide?
Yes

Summary by CodeRabbit

  • Dependencies

    • Added patch-package to manage package modifications
    • Re-added @testing-library/dom dependency
  • Scripts

    • Added postinstall script to apply package patches automatically
  • Patches

    • Updated import paths for punycode module in multiple dependencies to improve module resolution
  • Linting

    • Excluded patches/ directory from linting processes

Contributor

coderabbitai bot commented Jan 7, 2025

Walkthrough

This pull request addresses the deprecation of the punycode package by modifying import statements across multiple dependencies. The changes involve updating the import path from require("punycode") to require("punycode/") in several files. Additionally, the package.json has been updated to include patch-package as a dependency and add a postinstall script to apply these patches automatically during package installation.

Changes

File | Change Summary
package.json | Added patch-package dependency; re-added @testing-library/dom to devDependencies; added postinstall script to run patch-package
node_modules/psl/dist/psl.js, node_modules/psl/index.js, node_modules/tr46/index.js, node_modules/whatwg-url/dist/url-state-machine.js | Updated Punycode import path

Assessment against linked issues

Objective Addressed Explanation
Replace deprecated punycode package
Remove deprecation warnings Requires further testing to confirm complete resolution

Possibly related PRs

  • Migrating from eslintrc.json to eslint.config.js #2660: The changes in package.json regarding the addition and removal of the @testing-library/dom dependency are related to the migration of ESLint configuration, as both PRs involve modifications to the project's configuration and dependencies.

Suggested labels

ignore-sensitive-files-pr

Suggested reviewers

  • palisadoes

Poem

🐰 Hop, hop, through package land we go,
Punycode's path, we've fixed just so!
With patch-package's magical might,
Dependencies now shine so bright!
A rabbit's fix, precise and neat! 🔧


📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a88ae3 and 6be2841.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json


github-actions bot commented Jan 7, 2025

Our Pull Request Approval Process

Thanks for contributing!

Testing Your Code

Remember, your PRs won't be reviewed until these criteria are met:

  1. We don't merge PRs with poor code quality.
    1. Follow coding best practices such that CodeRabbit.ai approves your PR.
  2. We don't merge PRs with failed tests.
    1. When tests fail, click on the Details link to learn more.
    2. Write sufficient tests for your changes (CodeCov Patch Test). Your testing level must be better than the target threshold of the repository
    3. Tests may fail if you edit sensitive files. Ask to add the ignore-sensitive-files-pr label if the edits are necessary.
  3. We cannot merge PRs with conflicting files. These must be fixed.

Our policies make our code better.

Reviewers

Do not assign reviewers. Our Queue Monitors will review your PR and assign them.
When your PR has been assigned reviewers contact them to get your code reviewed and approved via:

  1. comments in this PR or
  2. our slack channel

Reviewing Your Code

Your reviewer(s) will have the following roles:

  1. arbitrators of future discussions with other contributors about the validity of your changes
  2. point of contact for evaluating the validity of your work
  3. person who verifies matching issues by others that should be closed.
  4. person who gives general guidance in fixing your tests

CONTRIBUTING.md

Read our CONTRIBUTING.md file. Most importantly:

  1. PRs with issues not assigned to you will be closed by the reviewer
  2. Fix the first comment in the PR so that each issue listed automatically closes

Other

  1. 🎯 Please be considerate of our volunteers' time. Contacting the person who assigned the reviewers is not advised unless they ask for your input. Do not @ the person who did the assignment otherwise.
  2. Read the CONTRIBUTING.md file make

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🔭 Outside diff range comments (1)
package.json (1)

Verified: patch-package changes are required, but testing library change should be separated

The patches directory contains legitimate punycode-related fixes for multiple dependencies (psl, tr46, whatwg-url). The addition of patch-package and postinstall script is necessary for applying these fixes. However, the addition of @testing-library/dom appears unrelated to the punycode fix and should be moved to a separate PR.

🔗 Analysis chain

Line range hint 1-185: Address pipeline security warning

The PR workflow indicates that package.json is a sensitive file requiring special approval. While the changes appear necessary for the punycode fix:

  1. The patch-package addition is required for applying patches
  2. The postinstall script is needed for automatic patch application
  3. The @testing-library/dom addition seems unrelated and should be removed

Please request the 'ignore-sensitive-files-pr' label from maintainers after removing the unrelated changes.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify that patches exist and contain only punycode-related changes
if [ -d "patches" ]; then
  echo "Checking patches directory for punycode-related changes..."
  grep -r "require('punycode')" patches/
  grep -r "require(\"punycode\")" patches/
else
  echo "Error: patches directory not found. Please ensure patches are committed."
fi

Length of output: 491

🧰 Tools
🪛 GitHub Actions: PR Workflow

[error] Unauthorized modification or deletion of sensitive file. Apply 'ignore-sensitive-files-pr' label to override.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 495e976 and f393869.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • package.json (3 hunks)
  • patches/psl+1.9.0.patch (1 hunks)
  • patches/tr46+2.1.0.patch (1 hunks)
  • patches/whatwg-url+8.7.0.patch (1 hunks)
✅ Files skipped from review due to trivial changes (3)
  • patches/tr46+2.1.0.patch
  • patches/whatwg-url+8.7.0.patch
  • patches/psl+1.9.0.patch
🧰 Additional context used
🪛 GitHub Actions: PR Workflow
package.json

[error] Unauthorized modification or deletion of sensitive file. Apply 'ignore-sensitive-files-pr' label to override.

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Analyse Code With CodeQL (javascript)
🔇 Additional comments (1)
package.json (1)

97-97: Document patches in README

The postinstall script will apply patches automatically, but for transparency and maintainability, please document:

  1. Which modules are being patched
  2. What changes are being made
  3. When we can remove these patches (i.e., when upstream modules fix the punycode deprecation)
🧰 Tools
🪛 GitHub Actions: PR Workflow

[error] Unauthorized modification or deletion of sensitive file. Apply 'ignore-sensitive-files-pr' label to override.

@PratapRathi
Contributor Author

@coderabbitai review

Contributor

coderabbitai bot commented Jan 7, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@palisadoes palisadoes added the ignore-sensitive-files-pr The contributor has a legitimate reason for editing protected files label Jan 7, 2025
Contributor

@palisadoes palisadoes left a comment


  1. This isn't a long term solution.
  2. If we upgrade any of these packages we'll have to update the patches. There is a real risk of instability. We have tried this before and failed. It is too brittle.
  3. How can we use the latest versions of these packages that don't use punycode which has been deprecated? We'll need to use the best solution limited to editing just package.json, with minimal updates to the codebase. We need to reduce the punycode risk without risking app stability

@PratapRathi
Contributor Author

PratapRathi commented Jan 7, 2025

  1. This isn't a long term solution.
  2. If we upgrade any of these packages we'll have to update the patches. There is a real risk of instability. We have tried this before and failed. It is too brittle.
  3. How can we use the latest versions of these packages that don't use punycode which has been deprecated? We'll need to use the best solution limited to editing just package.json, with minimal updates to the codebase. We need to reduce the punycode risk without risking app stability

Node suggests that we import punycode like this: const punycode = require("punycode/") instead of const punycode = require("punycode")
Screenshot 2025-01-07 at 18 54 59

But I checked, and the latest versions of the packages in our app are still using const punycode = require("punycode"), so this problem will persist until they update their code.
So our patch file just replaces this require statement from punycode = require("punycode") to punycode = require("punycode/")

If we need to update our package, we can just update it and update our patch using only these 3 steps:

  1. Run this command: grep -r -e "require('punycode')" -e 'require("punycode")' | grep -v './file:' | grep -v README.md. It will list the modules which are using the require statement require("punycode").
  2. Search & replace require("punycode") with require("punycode/"), also for single quotes, using VS Code.
  3. Now create the patch using npx patch-package <package-name>, giving the package name we got in the first step.

Also, we should raise an issue on these modules' repos; once the issue is fixed we can remove our patches.
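
The comment above states that each patch only swaps the require statement; since a postinstall step applies these patches to dependency code on every install, that claim is worth checking mechanically in review. The following is an added example, not part of the PR or of any comment in this thread: the function name auditPunycodePatch and the sample patch contents are assumptions, and only the file path comes from the PR.

```javascript
// Added example, not code from the PR. Checks that a patch-package style unified
// diff changes nothing except require("punycode") -> require("punycode/").
const OLD_REQUIRE = /require\((['"])punycode\1\)/g;
const HEADER_FLAGS = /^(new file|deleted file|rename|old mode|new mode)/;

// Returns a list of findings; an empty list means only the swap was made.
function auditPunycodePatch(patchText) {
  const findings = [];
  let file = '(no file)', inHunk = false, removed = [], added = [];
  const flush = () => { // pair up one run of -/+ lines and compare them
    if (removed.length !== added.length) {
      findings.push(`${file}: ${removed.length} removed, ${added.length} added`);
    } else {
      removed.forEach((oldLine, i) => {
        const expected = oldLine.replace(OLD_REQUIRE, 'require($1punycode/$1)');
        if (expected === oldLine || expected !== added[i]) {
          findings.push(`${file}: unexpected change "${added[i].trim()}"`);
        }
      });
    }
    removed = []; added = [];
  };
  for (const line of patchText.split('\n')) {
    if (line.startsWith('\\')) continue; // "\ No newline at end of file" marker
    if (line.startsWith('diff --git ')) {
      flush(); inHunk = false; file = line.split(' b/')[1] || line;
    } else if (line.startsWith('@@')) {
      flush(); inHunk = true; // hunk line counts are not validated here
    } else if (!inHunk) { // file header: flag added, deleted, renamed, chmod'ed files
      if (HEADER_FLAGS.test(line)) findings.push(`${file}: ${line}`);
    } else if (line.startsWith('-')) {
      if (added.length) flush();
      removed.push(line.slice(1));
    } else if (line.startsWith('+')) {
      added.push(line.slice(1));
    } else {
      flush(); // a context line ends the current run of changes
    }
  }
  flush();
  return findings;
}

// Constructed sample patches (file path from the PR, contents invented).
const SAMPLE_LINES = [
  'diff --git a/node_modules/tr46/index.js b/node_modules/tr46/index.js',
  '--- a/node_modules/tr46/index.js',
  '+++ b/node_modules/tr46/index.js',
  '@@ -1,2 +1,2 @@',
  ' "use strict";',
  '-var punycode = require("punycode");',
  '+var punycode = require("punycode/");',
];
const SAMPLE_OK = SAMPLE_LINES.join('\n');
const SAMPLE_EXTRA = SAMPLE_LINES.concat('+var extra = require("./extra");').join('\n');
console.log(auditPunycodePatch(SAMPLE_OK), auditPunycodePatch(SAMPLE_EXTRA));
```

Run over every file in patches/ in CI, a non-empty result fails the build before the postinstall script ever applies the patch.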

@palisadoes
Contributor

We'll have to close the PR and issue. This was not the intended outcome. This is the responsibility of the package owners

@palisadoes palisadoes closed this Jan 7, 2025
@PratapRathi
Contributor Author

@palisadoes I checked, and tr46 has updated the require statement; we can update at least those packages which are updated.

@palisadoes
Contributor

  1. OK, update that one.
  2. Reopening
  3. We don't want a patch

@palisadoes palisadoes reopened this Jan 7, 2025

codecov bot commented Jan 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.81%. Comparing base (495e976) to head (6be2841).
Report is 4 commits behind head on develop-postgres.

Additional details and impacted files
@@                  Coverage Diff                  @@
##           develop-postgres    #3194       +/-   ##
=====================================================
+ Coverage             19.77%   89.81%   +70.04%     
=====================================================
  Files                   306      329       +23     
  Lines                  7763     8526      +763     
  Branches               1690     1913      +223     
=====================================================
+ Hits                   1535     7658     +6123     
+ Misses                 6132      636     -5496     
- Partials                 96      232      +136     


@palisadoes
Contributor

  1. I'm going to close this.
  2. Resubmit the PR with just the change to package.json

@palisadoes palisadoes closed this Jan 7, 2025
@PratapRathi
Contributor Author

PratapRathi commented Jan 7, 2025

@palisadoes we need to close the issue for now. I checked our codebase; we are using the old require statement require("punycode") in the tr46 module only, and here is the tree where we are using it:

Screenshot 2025-01-08 at 04 49 11

In the first tree:
tr46 and whatwg-url are updated, but node-fetch is not using the latest version of whatwg-url.

In the second tree:
tr46, whatwg-url and jsdom are updated, but we are using an older version of jsdom.
jsdom is a peerOptional dependency of Vitest but a direct dependency of Jest, so when we remove Jest this might get solved.

@PratapRathi PratapRathi deleted the fix/remove-or-update-package-relying-on-punycode branch January 7, 2025 23:32