Deprecation errors when installing from a meteor bundle

I am trying to deploy my meteor app to a linux server by creating a bundle with meteor build and copying the tarball to the linux server. This has worked for years, but now I am getting errors when installing the dependencies on the linux server with npm install after unpacking the tarball:

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated npmlog@5.0.1: This package is no longer supported.
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated are-we-there-yet@2.0.0: This package is no longer supported.
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm warn deprecated gauge@3.0.2: This package is no longer supported.

I’m on meteor version 3.3.2
Any suggestions on how to fix this?

Looks like these are just NPM package deprecation warnings. You probably haven’t updated your NPM packages in quite a while.

Yes, they are indeed NPM deprecation errors, but they are not from my app’s package.json, these are all up-to-date. Instead, the errors come from the package.json that is generated by the meteor build command. It is located in /bundle/programs/server and the contents are:

{
  "name": "meteor-dev-bundle",
  "private": true,
  "dependencies": {
    "promise": "8.3.0",
    "@meteorjs/reify": "0.25.4",
    "@babel/parser": "7.25.0",
    "lru-cache": "6.0.0",
    "underscore": "1.13.7",
    "source-map-support": "https://github.com/meteor/node-source-map-support/tarball/81bce1f99625e62af73338f63afcf2b44c6cfa5e",
    "@types/semver": "7.5.8",
    "semver": "7.6.3",
    "node-gyp": "10.2.0",
    "@mapbox/node-pre-gyp": "1.0.11"
  },
  "devDependencies": {
    "@types/underscore": "1.11.15",
    "split2": "3.2.2",
    "multipipe": "2.0.1",
    "chalk": "4.1.2"
  },
  "scripts": {
    "install": "node npm-rebuild.js"
  }
}

All of these packages are outdated:

Package               Current  Wanted  Latest  Location                           Depended by
@babel/parser          7.25.0  7.25.0  7.28.5  node_modules/@babel/parser         server
@mapbox/node-pre-gyp   1.0.11  1.0.11   2.0.3  node_modules/@mapbox/node-pre-gyp  server
@types/semver           7.5.8   7.5.8   7.7.1  node_modules/@types/semver         server
lru-cache               6.0.0   6.0.0  11.2.4  node_modules/lru-cache             server
node-gyp               10.2.0  10.2.0  12.1.0  node_modules/node-gyp              server
semver                  7.6.3   7.6.3   7.7.3  node_modules/semver                server

I don’t know if I should update these packages myself?

@willemx If this is an NPM package in a Meteor package.json, it can be ignored for now as the Meteor team regularly updates dependencies.

@willemx do you use eslint-plugin-meteor? This package should not make it to production, but I see this package has a couple of the NPM dependencies listed in your first post.
Perhaps you could try to generate a package-lock.json locally and search for some of those packages and see where they are coming from.
npm ls package_name might also help to some extent.
You could also try to run an audit: npm audit (npm Docs)

I did some more investigation:

➜  server npm why inflight
inflight@1.0.6
node_modules/inflight
  inflight@"^1.0.4" from glob@7.2.3
  node_modules/rimraf/node_modules/glob
    glob@"^7.1.3" from rimraf@3.0.2
    node_modules/rimraf
      rimraf@"^3.0.2" from @mapbox/node-pre-gyp@1.0.11
      node_modules/@mapbox/node-pre-gyp
        @mapbox/node-pre-gyp@"1.0.11" from the root project
➜  server npm why npmlog  
npmlog@5.0.1
node_modules/npmlog
  npmlog@"^5.0.1" from @mapbox/node-pre-gyp@1.0.11
  node_modules/@mapbox/node-pre-gyp
    @mapbox/node-pre-gyp@"1.0.11" from the root project
➜  server npm why are-we-there-yet
are-we-there-yet@2.0.0
node_modules/are-we-there-yet
  are-we-there-yet@"^2.0.0" from npmlog@5.0.1
  node_modules/npmlog
    npmlog@"^5.0.1" from @mapbox/node-pre-gyp@1.0.11
    node_modules/@mapbox/node-pre-gyp
      @mapbox/node-pre-gyp@"1.0.11" from the root project
➜  server npm why gauge           
gauge@3.0.2
node_modules/gauge
  gauge@"^3.0.0" from npmlog@5.0.1
  node_modules/npmlog
    npmlog@"^5.0.1" from @mapbox/node-pre-gyp@1.0.11
    node_modules/@mapbox/node-pre-gyp
      @mapbox/node-pre-gyp@"1.0.11" from the root project

It appears that the deprecated NPM packages are all dependencies of @mapbox/node-pre-gyp.
I don’t know why this module is needed; I do not use any binary dependencies in my app.
Maybe it is needed by some internal meteor process?
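The tracing suggested above (search a package-lock.json, then `npm why` per package) can be done in one pass over the lockfile. This is an added example, not part of the original posts or Meteor's code. It assumes a lockfileVersion 2 or 3 file, whose `packages` entries carry npm's `deprecated` message; `sampleLock` is constructed from the `npm why` output above, and the function names are hypothetical.

```javascript
// Constructed sample mirroring the `npm why` output above (deprecation messages shortened).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@mapbox/node-pre-gyp": "1.0.11", semver: "7.6.3" } },
  "node_modules/@mapbox/node-pre-gyp": { version: "1.0.11", dependencies: { npmlog: "^5.0.1", rimraf: "^3.0.2" } },
  "node_modules/npmlog": { version: "5.0.1", deprecated: "no longer supported", dependencies: { "are-we-there-yet": "^2.0.0", gauge: "^3.0.0" } },
  "node_modules/are-we-there-yet": { version: "2.0.0", deprecated: "no longer supported" },
  "node_modules/gauge": { version: "3.0.2", deprecated: "no longer supported" },
  "node_modules/rimraf": { version: "3.0.2", deprecated: "prior to v4 unsupported", dependencies: { glob: "^7.1.3" } },
  "node_modules/rimraf/node_modules/glob": { version: "7.2.3", deprecated: "prior to v9 unsupported", dependencies: { inflight: "^1.0.4" } },
  "node_modules/inflight": { version: "1.0.6", deprecated: "not supported, leaks memory" },
  "node_modules/semver": { version: "7.6.3" },
} };
// Node-style resolution: look in the requirer's own node_modules, then in each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Maps every deprecated "name@version" to the direct dependencies that pull it in (peer deps not followed).
function deprecatedByDirectDep(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const direct = { ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies };
  const result = {};
  for (const top of Object.keys(direct).sort()) {
    const seen = new Set();
    const stack = [resolveDep(packages, "", top)].filter(Boolean);
    while (stack.length) {
      const path = stack.pop();
      if (seen.has(path)) continue;
      seen.add(path);
      const entry = packages[path];
      const key = `${path.split("node_modules/").pop()}@${entry.version}`;
      if (entry.deprecated) result[key] = (result[key] || []).concat(top);
      for (const dep of Object.keys({ ...entry.dependencies, ...entry.optionalDependencies })) {
        const next = resolveDep(packages, path, dep);
        if (next) stack.push(next);
      }
    }
  }
  return result;
}
console.log(deprecatedByDirectDep(sampleLock));
```

To run it against the bundle, generate a lockfile in /bundle/programs/server with `npm install --package-lock-only` and pass the parsed JSON in place of `sampleLock`.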

Meteor pulls in @mapbox/node-pre-gyp because several bundled/native dependencies (like bcrypt, visible at the top of password_server.js) rely on it to download or load prebuilt binaries instead of compiling from source on every install. The dev bundle package manifest (dev_bundle/lib/package.json) declares @mapbox/node-pre-gyp directly, ensuring those binary helpers are available whenever Meteor installs or rebuilds the native modules used by features like password hashing.

As far as I can see, 3.3.2 is using @mapbox/node-pre-gyp@1.0.11; after that comes version 2.x, which introduces breaking changes. Please open an issue about that so we will update it.

But don't worry, the version node-pre-gyp@1.0.11 doesn't have any vulnerability; you are seeing just a few warnings.