Deprecation warning for http-proxy 'util._extend'

[Torquin]

Bug report

Deprecation warning for dependency http-proxy 1.18.1

Actual Behavior

When using npm start script, I get a warning :
The 'util._extend' API is deprecated. Please use Object.assing() instead.

How Do We Reproduce?

Using the node --trace-deprecation in start script, it directs to : node_modules/http-proxy/lib/http-proxy/index.js

Results of npx webpack-cli info

System:
OS: Linux 4.18 Rocky Linux 8.10 (Green Obsidian)
CPU: (12) x64 Intel(R) Core(TM) i7-10710U CPU @ 1.10GHz
Memory: 10.02 GB / 31.11 GB
Binaries:
Node: 22.8.0 - ~/.nvm/versions/node/v22.8.0/bin/node
npm: 10.8.2 - ~/.nvm/versions/node/v22.8.0/bin/npm
Browsers:
Brave Browser: 128.1.69.168
Chrome: 130.0.6710.0
Packages:
angular-router-loader: ^0.8.5 => 0.8.5
babel-loader: ^9.1.0 => 9.2.1
compression-webpack-plugin: ^11.1.0 => 11.1.0
copy-webpack-plugin: ^12.0.2 => 12.0.2
css-loader: ^7.1.2 => 7.1.2
css-minimizer-webpack-plugin: ^7.0.0 => 7.0.0
css-to-string-loader: github:ekopranototjoa/css-to-string-loader => 0.1.3
eslint-webpack-plugin: ^4.0.1 => 4.2.0
extract-loader: ^5.1.0 => 5.1.0
file-loader: ^6.0.0 => 6.2.0
html-loader: ^5.1.0 => 5.1.0
html-webpack-plugin: ^5.6 => 5.6.0
json-loader: ^0.5.3 => 0.5.7
null-loader: ^4.0.0 => 4.0.1
postcss-loader: ^8.1.1 => 8.1.1
style-loader: ^4.0.0 => 4.0.0
url-loader: ^4.1.0 => 4.1.1
webpack: ^5.89.0 => 5.94.0
webpack-cli: ^5.1.4 => 5.1.4
webpack-dev-server: ^5.1.0 => 5.1.0
webpack-merge: ^6.0.1 => 6.0.1

[joemaller]

http-proxy-middleware was updated. They have a migration guide.

[Anubhab2003]

Hey I am Interested in this issue, How to get started

[davidenke]

http-proxy-middleware was updated. They have a migration guide.

As they mention in this issue, the problem comes from http-proxy (#1674), which is not maintained anymore and hasn't been updated for 4 years.
But as mentioned, the vite team has decided for a patch.

So @Anubhab2003 maybe using pnpm or patch-package is a suitable solution in the mean time.

[alexander-akait]

We will update http-proxy for the next major release, just ignore it now, because it doesn't breaking anything

[davidenke]

We will update http-proxy for the next major release, just ignore it now, because it doesn't breaking anything

The package hasn't been updated in 4 years and is searching for maintainers.
Others decided for a patch. Just mentioning.

[alexander-akait]

@davidenke If you wan't to send a patch - feel free to send a PR

[davidenke]

@davidenke If you wan't to send a patch - feel free to send a PR

Sure. But it's still a unmaintained dependency then. There already is a PR addressing this, but there hasn't been a release in 5 years.

Maybe it would make sense to pin the commit containing the relevant change in the mean while?

[alexander-akait]

@davidenke

Maybe it would make sense to pin the commit containing the relevant change in the mean while?

What do you mean?

[davidenke]

@alexander-akait I mean setting http-proxy as dependency explicitly by pinning the commit in the PR in the package.json.

Alternatives

Patching would mean to introduce tooling and thus new dependencies like patch-package.

Searching for an alternative to http-proxy-middleware, which perhaps would lead to breaking changes.

Or just waiting for new maintainers for http-proxy, or that the http-proxy-middleware authors come up with an alternative.