Summary
@huggingface/transformers@4.2.0 pins onnxruntime-node at the exact version 1.24.3 (no caret). That version still depends on global-agent@3.x, which in turn depends on the deprecated boolean@3.2.0 package. As a result, every install of @huggingface/transformers emits:
npm warn deprecated boolean@3.2.0: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
Dependency chain
@huggingface/transformers@4.2.0
└─┬ onnxruntime-node@1.24.3 # exact pin
└─┬ global-agent@3.0.0
├── boolean@3.2.0 # deprecated
└─┬ roarr@2.15.4
└── boolean@3.2.0 (deduped)
Upstream fix is already available
onnxruntime-node@1.26.0 is published and depends on global-agent@^4.1.3, which removed boolean entirely:
$ npm view onnxruntime-node@1.26.0 dependencies
{
'adm-zip': '^0.5.16',
'global-agent': '^4.1.3',
'onnxruntime-common': '1.26.0'
}A one-line bump in package.json resolves the issue for every downstream consumer.
Why overrides isn't a workaround for downstream packages
Consumer-side overrides only work at the top-level root package.json. CLIs and other packages that depend on @huggingface/transformers (e.g. globally-installed binaries via npm i -g) cannot propagate an overrides entry to their end users, so every npm i -g <our-cli> still prints the deprecation warning.
Additionally, because @huggingface/transformers pins onnxruntime-node at an exact version rather than with a caret, even a downstream direct dependency on onnxruntime-node@^1.26.0 ends up with a nested 1.24.3 install next to it, so the warning still fires.
Suggested fix
In package.json:
- "onnxruntime-node": "1.24.3",
+ "onnxruntime-node": "^1.26.0",
(Or, if ABI/behavior drift is a concern, at minimum widen the range to ^1.24.3 so downstream overrides can resolve to 1.26.0.)
Environment
@huggingface/transformers: 4.2.0onnxruntime-node: 1.24.3 (transitive)- npm: 10.9.3
- Node.js: 22.18.0
Happy to open a PR if the maintainers would welcome it
Summary
@huggingface/transformers@4.2.0pinsonnxruntime-nodeat the exact version1.24.3(no caret). That version still depends onglobal-agent@3.x, which in turn depends on the deprecatedboolean@3.2.0package. As a result, every install of@huggingface/transformersemits:Dependency chain
Upstream fix is already available
onnxruntime-node@1.26.0is published and depends onglobal-agent@^4.1.3, which removedbooleanentirely:$ npm view onnxruntime-node@1.26.0 dependencies { 'adm-zip': '^0.5.16', 'global-agent': '^4.1.3', 'onnxruntime-common': '1.26.0' }A one-line bump in
package.jsonresolves the issue for every downstream consumer.Why
overridesisn't a workaround for downstream packagesConsumer-side
overridesonly work at the top-level rootpackage.json. CLIs and other packages that depend on@huggingface/transformers(e.g. globally-installed binaries vianpm i -g) cannot propagate anoverridesentry to their end users, so everynpm i -g <our-cli>still prints the deprecation warning.Additionally, because
@huggingface/transformerspinsonnxruntime-nodeat an exact version rather than with a caret, even a downstream direct dependency ononnxruntime-node@^1.26.0ends up with a nested1.24.3install next to it, so the warning still fires.Suggested fix
In
package.json:(Or, if ABI/behavior drift is a concern, at minimum widen the range to
^1.24.3so downstream overrides can resolve to1.26.0.)Environment
@huggingface/transformers: 4.2.0onnxruntime-node: 1.24.3 (transitive)Happy to open a PR if the maintainers would welcome it