Gulp installation warning: “Please update to minimatch 3.0.2”

I am new to npm and node.js, and I am trying to set up my working environment after installing node.js, npm, and git for Windows. I am trying to install gulp globally and as a dev dependency. Both times I'm getting these warnings:

npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

which is causing npm to cancel the installation. I am running minimatch 3.0.2:

C:\WINDOWS\system32>npm -v minimatch
3.10.10

but npm still does not recognize it as the installed version, as it keeps pushing the warnings. Any idea on how to solve it?

Any help is appreciated.

This gives the npm version, not the minimatch version:

npm -v minimatch

Go to node_modules and delete minimatch, and in package.json make sure the minimatch version is ">=3.0.2", then try again.

Or, you can just install the latest globally using

npm install -g minimatch@3.0.2

Having run into the same issue and searched the internet a bit, I want to record my explanation here for future reference.

The problem is not that your installed version of minimatch is too low or out of date. Neither should npm abort the installation when these warnings are displayed.

It is gulp that indirectly depends on outdated versions of minimatch, which can be verified using npm ls -g minimatch (if you installed gulp locally, leave the -g out). One part of the output should look like the following:

+-- gulp@3.9.1
| `-- vinyl-fs@0.3.14
|   +-- glob-stream@3.1.18
|   | +-- glob@4.5.3
|   | | `-- minimatch@2.0.10  deduped
|   | `-- minimatch@2.0.10
|   `-- glob-watcher@0.0.6
|     `-- gaze@0.5.2
|       `-- globule@0.1.0
|         +-- glob@3.1.21
|         | `-- minimatch@0.2.14  deduped
|         `-- minimatch@0.2.14

This excerpt explains that gulp 3.9.1 depends on vinyl-fs 0.3.14, which again depends on glob-stream 3.1.18 and so on. You can see that some nested dependencies depend on minimatch 2.0.10 and others depend on minimatch 0.2.14, which are exactly the versions npm complained about during the installation.

You are probably not able to solve this issue on your own. What you can do is contact the authors of the packages with the outdated dependencies, in this case glob, glob-stream and globule, and ask them to update their dependencies to a newer version (or do it yourself and submit a pull request, if the packages are open source).

Chances are, though, that these warnings have no negative consequences whatsoever, given that there hasn't been an update to solve this yet, although there are many people actively using and relying on gulp.
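
Added example, not part of the answers above: the check that the last answer does by eye with npm ls, done in Node.js over the JSON structure that npm ls --json prints. The tree is a constructed sample mirroring the excerpt above; my-project, sampleTree, findOutdated and isOlderThan are names made up for this example.

```javascript
// Constructed sample in the shape of `npm ls --json` output (not real output).
const sampleTree = { name: "my-project", dependencies: {
  gulp: { version: "3.9.1", dependencies: {
    "vinyl-fs": { version: "0.3.14", dependencies: {
      "glob-stream": { version: "3.1.18", dependencies: {
        glob: { version: "4.5.3", dependencies: { minimatch: { version: "2.0.10" } } },
        minimatch: { version: "2.0.10" },
      } },
      "glob-watcher": { version: "0.0.6", dependencies: {
        gaze: { version: "0.5.2", dependencies: {
          globule: { version: "0.1.0", dependencies: {
            glob: { version: "3.1.21", dependencies: { minimatch: { version: "0.2.14" } } },
            minimatch: { version: "0.2.14" },
          } },
        } },
      } },
    } },
  } },
  minimatch: { version: "3.0.2" }, // constructed: an up-to-date top-level copy
} };

// Numeric comparison of plain x.y.z versions (pre-release tags are not handled).
// Comparing as numbers matters: as strings, "2.0.10" would sort before "2.0.2".
function isOlderThan(version, minimum) {
  const a = version.split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Walk the tree and return every dependency chain that ends in a copy of
// `pkg` older than `minimum`, so you can see which parent pulls it in.
function findOutdated(node, pkg, minimum, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${name}@${dep.version}`];
    if (name === pkg && dep.version && isOlderThan(dep.version, minimum)) {
      hits.push(chain.join(" > "));
    }
    hits.push(...findOutdated(dep, pkg, minimum, chain));
  }
  return hits;
}

// To check a real project, JSON.parse the output of `npm ls --json` instead.
console.log(findOutdated(sampleTree, "minimatch", "3.0.2").join("\n"));
```

The top-level minimatch 3.0.2 is not reported; the four chains that are reported all start at gulp, which is why updating your own copy does not silence the warnings.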
