You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
v2.9.1 (which ships the punycode fix from #294) still emits a DEP0040 deprecation warning on every run when consumed by repos that don't use the warpbuild provider:
(node:NNNN) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
The residual lives in a different transitive chain than the one #294 patched. PR #294 upgraded @actions/cache (which dropped @azure/ms-rest-js → node-fetch@2 → whatwg-url@5 → tr46@0.0.3 → require('punycode')), but the same chain still exists via @actions/warpbuild-cache@1.4.7 (the github-actions.warp-cache alias added in #247 / v2.8.0).
Because dist/restore/index.js and dist/save/index.js are produced by @vercel/ncc and bundle all three providers (default, buildjet, warpbuild) into a single file, the warpbuild provider's transitive deps are evaluated on every Node startup of the action — even when the user has not selected the warpbuild backend.
Not a blocker (stdout-only, no annotation, no exit-code change), but it's surfaced as a deprecation warning on every consumer's CI logs.
Diagnostic
Bundle inspection (dist/restore/index.js from tag v2.9.1):
Every path leads back to @actions/warpbuild-cache@1.4.7 (npm alias github-actions.warp-cache). It pulls in both @azure/ms-rest-js@2.7.0 and @google-cloud/storage@7.19.0, both of which depend on node-fetch@2.7.0, which depends on the legacy whatwg-url@5 → tr46@0.0.3 chain.
Fix paths (suggestions, not prescriptions)
Bump @actions/warpbuild-cache if a newer version drops @azure/ms-rest-js and the legacy node-fetch@2 chain (analogous to what @actions/cache@5.0.1 did via @azure/storage-blob@^12.29.1 in Bump the prd-major group with 3 updates #294). May require an upstream change in WarpBuilds/cache.
Lazy-load the warpbuild provider so its module graph is only required when cache-provider: warpbuild is selected. Splitting the bundle by provider (or dynamic import()) would prevent the unused chain from being evaluated.
overrides in package.json to force a newer node-fetch@3+ (ESM-only, may not be drop-in) or a whatwg-url@>=10 for node-fetch@2 (also non-trivial). Most fragile of the three.
Repro
Any workflow consuming Swatinem/rust-cache@v2.9.1 on a Node 20+ runner, e.g.:
The DEP0040 line appears in the Run Swatinem/rust-cache@v2.9.1 step output. No warpbuild config required — the warning fires via the default GitHub provider path because the warpbuild module graph is evaluated unconditionally during bundle initialization.
Workarounds (consumer-side)
env: NODE_OPTIONS: --no-deprecation on the cache step (suppresses all deprecation warnings, blunt instrument).
Pin to v2.7.x or earlier (predates warpbuild support, but loses other fixes).
Accept the warning as benign log noise — it has no behavioural impact.
Happy to send a PR if a fix direction is preferred.
Summary
v2.9.1(which ships the punycode fix from #294) still emits aDEP0040deprecation warning on every run when consumed by repos that don't use the warpbuild provider:The residual lives in a different transitive chain than the one #294 patched. PR #294 upgraded
@actions/cache(which dropped@azure/ms-rest-js→node-fetch@2→whatwg-url@5→tr46@0.0.3→require('punycode')), but the same chain still exists via@actions/warpbuild-cache@1.4.7(thegithub-actions.warp-cachealias added in #247 / v2.8.0).Because
dist/restore/index.jsanddist/save/index.jsare produced by@vercel/nccand bundle all three providers (default, buildjet, warpbuild) into a single file, the warpbuild provider's transitive deps are evaluated on every Node startup of the action — even when the user has not selected the warpbuild backend.Not a blocker (stdout-only, no annotation, no exit-code change), but it's surfaced as a deprecation warning on every consumer's CI logs.
Diagnostic
Bundle inspection (
dist/restore/index.jsfrom tagv2.9.1):Reverse dependency trace (from
package-lock.jsonatv2.9.1):Every path leads back to
@actions/warpbuild-cache@1.4.7(npm aliasgithub-actions.warp-cache). It pulls in both@azure/ms-rest-js@2.7.0and@google-cloud/storage@7.19.0, both of which depend onnode-fetch@2.7.0, which depends on the legacywhatwg-url@5→tr46@0.0.3chain.Fix paths (suggestions, not prescriptions)
@actions/warpbuild-cacheif a newer version drops@azure/ms-rest-jsand the legacynode-fetch@2chain (analogous to what@actions/cache@5.0.1did via@azure/storage-blob@^12.29.1in Bump the prd-major group with 3 updates #294). May require an upstream change inWarpBuilds/cache.cache-provider: warpbuildis selected. Splitting the bundle by provider (or dynamicimport()) would prevent the unused chain from being evaluated.overridesinpackage.jsonto force a newernode-fetch@3+(ESM-only, may not be drop-in) or awhatwg-url@>=10fornode-fetch@2(also non-trivial). Most fragile of the three.Repro
Any workflow consuming
Swatinem/rust-cache@v2.9.1on a Node 20+ runner, e.g.:The
DEP0040line appears in theRun Swatinem/rust-cache@v2.9.1step output. No warpbuild config required — the warning fires via the default GitHub provider path because the warpbuild module graph is evaluated unconditionally during bundle initialization.Workarounds (consumer-side)
env: NODE_OPTIONS: --no-deprecationon the cache step (suppresses all deprecation warnings, blunt instrument).v2.7.xor earlier (predates warpbuild support, but loses other fixes).Happy to send a PR if a fix direction is preferred.