Running npm install -g purescript gives the following output:
```
> npm install -g purescript
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 154 packages, and audited 156 packages in 10s
6 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
```
One completely unsupported package, one that appears to be severely outdated (v3 vs v7+), and a final one that has been deprecated. In addition there are 6 unspecified vulnerabilities. This does not inspire confidence and makes me question whether PureScript is actively maintained and a good idea to invest in. Am I doing something wrong or is this expected behaviour?
I come from Elm but the limitations of the language and the glacial pace of updates and the feeling of it being abandoned made me look for alternatives. Came across Flame and PureScript and it seemed like just what I wanted but the above makes me uncertain.
AFAIK the npm package uses purescript-installer and this one seems to be in need of some attention - in the end its only use is to grab the right binary (or compile it) so personally I tend to ignore those warnings and move on.
Purescript itself has a much faster release cycle compared to Elm.
This is correct - the security warnings are safe to ignore because all this code is doing is downloading the compiler binary. It’s not receiving untrusted input or running as part of a server or anything. The ecosystem is active, it’s just that a language ecosystem has a lot of components and not all of them are going to receive frequent attention, especially if they do actually work fine (apart from printing some warnings), as is the case for the installer.
It’s true that this is quite off-putting though, especially as it’s someone’s very first encounter with the ecosystem. It would definitely be good to address at some point.
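To make the replies' point checkable rather than taken on trust, here is an added example (not code from this thread or from the PureScript project) that reads an `npm audit --json` report in the npm 7+ layout and follows each advisory through the report's `effects` links to the directly installed package(s) it reaches, so you can see whether every finding sits under a single install-time helper or also touches runtime code. The embedded sample report, its package names and its advisory title are constructed placeholders; replace `SAMPLE_REPORT` with the real output of `npm audit --json`.

```python
"""Triage an `npm audit --json` report (npm 7+, "auditReportVersion": 2).

Each entry in `vulnerabilities` carries `via` (advisory objects, or the
names of dependencies the problem is inherited from), `effects` (packages
that depend on this one) and `isDirect`. Walking `effects` upward from an
advisory tells you which directly installed package ultimately pulls it in.
"""
import json

# Constructed sample: one advisory on a transitive package that is reached
# only through an install-time helper. Names and title are placeholders.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "sample-http": {
            "name": "sample-http", "severity": "moderate", "isDirect": False,
            "via": [{"title": "constructed sample advisory", "severity": "moderate",
                     "url": "https://example.invalid/advisory"}],
            "effects": ["sample-installer"], "range": "<3.0.0",
        },
        "sample-installer": {
            "name": "sample-installer", "severity": "moderate", "isDirect": True,
            "via": ["sample-http"],  # a string = vulnerable via that dependency
            "effects": [], "range": "*",
        },
    },
    "metadata": {"vulnerabilities": {"moderate": 2, "total": 2}},
})


def direct_roots(vulns, name, seen=None):
    """Directly installed packages reached from `name` by following `effects`."""
    seen = seen if seen is not None else set()
    if name in seen:          # guard against cycles in the effects graph
        return set()
    seen.add(name)
    entry = vulns.get(name, {})
    if entry.get("isDirect") or not entry.get("effects"):
        return {name}
    return set().union(*(direct_roots(vulns, e, seen) for e in entry["effects"]))


def triage(report_json):
    """List (package, severity, title, direct packages reached) per advisory."""
    vulns = json.loads(report_json).get("vulnerabilities", {})
    findings = []
    for name, entry in vulns.items():
        for v in entry.get("via", []):
            if isinstance(v, dict):   # dict = an actual advisory, str = inherited
                findings.append((name, v.get("severity"), v.get("title"),
                                 sorted(direct_roots(vulns, name))))
    return findings


if __name__ == "__main__":
    for pkg, sev, title, roots in triage(SAMPLE_REPORT):
        print(f"{sev}: {pkg} ({title}) reaches direct package(s): {', '.join(roots)}")
```

If every root reported is the installer package and nothing else, the findings live only in code that runs at install time, which is the situation the replies describe; a runtime package showing up as a root is the case that deserves a closer look.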