subdependency regression breaks node-gyp 9 #2848

Closed
legobeat opened this issue May 17, 2023 · 2 comments

@legobeat
legobeat commented May 17, 2023

Verbose output (from npm or node-gyp):

CI run on current main:

# Subtest: test/test-create-config-gypi.js
    # Subtest: config.gypi with no options
        1..2
        ok 1 - should be equal
        ok 2 - should be equal
    ok 1 - config.gypi with no options # time=22.437ms
    
    # Subtest: config.gypi with --debug
        1..1
        ok 1 - should be equal
    ok 2 - config.gypi with --debug # time=3.625ms
    
    # Subtest: config.gypi with custom options
        1..1
        ok 1 - should be equal
    ok 3 - config.gypi with custom options # time=2.86ms
    
    # Subtest: config.gypi with nodedir
        1..1
        ok 1 - should be equal
    ok 4 - config.gypi with nodedir # time=6.656ms
    
    # Subtest: config.gypi with --force-process-config
        1..1
        ok 1 - should be equal
    ok 5 - config.gypi with --force-process-config # time=3.603ms
    
    # Subtest: config.gypi parsing
        1..1
        ok 1 - should be equivalent
    ok 6 - config.gypi parsing # time=1.559ms
    
    1..6
    # time=67.566ms
ok 3 - test/test-create-config-gypi.js # time=603.309ms

/home/runner/work/node-gyp/node-gyp/node_modules/path-scurry/node_modules/lru-cache/dist/cjs/index.js:52
            this.signal.onabort?.(reason);
                                ^

SyntaxError: Invalid or unexpected token
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1143:10)
# Subtest: test/test-download.js
    1..0 # no tests found
not ok 4 - test/test-download.js # time=831.278ms
  ---
  timeout: 600000
  file: test/test-download.js
  childId: 3
  command: /opt/hostedtoolcache/node/14.21.3/x64/bin/node
  args:
    - '-r'
    - /home/runner/work/node-gyp/node-gyp/node_modules/esm/esm.js
    - test/test-download.js
  stdio:
    - 0
    - pipe
    - 2
  cwd: /home/runner/work/node-gyp/node-gyp
  exitCode: 1
  ...

The incompatible syntax was introduced in the lru-cache update from 8 to 9:

https://npm-diff.app/lru-cache@8.0.5...lru-cache@9.0.3#dist/cjs/index.js-L52

Here we see the release history of path-scurry, which introduces this dependency:

| version | dependencies["lru-cache"] | release_time |
| --- | --- | --- |
| 0.0.0-0 | | 2023-02-07T05:05:40.334Z |
| 1.0.0 | ^7.14.1 | 2023-02-07T05:15:56.753Z |
| 1.0.1 | ^7.14.1 | 2023-02-07T05:17:31.309Z |
| 1.1.0 | ^7.14.1 | 2023-02-07T21:47:20.011Z |
| 1.1.1 | ^7.14.1 | 2023-02-08T20:19:45.947Z |
| 1.2.0 | ^7.14.1 | 2023-02-09T19:01:01.835Z |
| 1.3.0 | ^7.14.1 | 2023-02-12T04:51:56.217Z |
| 1.4.0 | ^7.14.1 | 2023-02-13T16:51:32.302Z |
| 1.5.0 | ^7.14.1 | 2023-02-27T05:51:44.714Z |
| 1.6.0 | ^7.14.1 | 2023-03-01T21:56:20.111Z |
| 1.6.1 | ^7.14.1 | 2023-03-01T22:12:52.205Z |
| 1.6.2 | ^7.14.1 | 2023-03-22T05:30:58.343Z |
| 1.6.3 | ^7.14.1 | 2023-03-22T18:50:47.648Z |
| 1.6.4 | ^9.0.0 | 2023-04-09T22:06:57.282Z |
| 1.7.0 | ^9.0.0 | 2023-04-14T23:00:30.211Z |
| 1.7.1 | ^9.1.1 | 2023-05-10T15:40:06.773Z |
| 1.8.0 | ^9.1.1 | 2023-05-10T16:30:57.689Z |
| 1.9.0 | ^9.1.1 | 2023-05-14T18:26:58.094Z |
| 1.9.1 | ^9.1.1 | 2023-05-15T04:44:45.154Z |

Bumping lru-cache from ^7.14.1 to ^9.0.0 was actually a breaking change. Since the node-gyp repo does not utilize a lockfile, this meant that builds have been breaking since 2023-04-09.

Suggestions:

  • Fix in upstream, or pin lru-cache to unblock addressing unbreaking security fixes for node-gyp users on legacy environments.
  • Then deprecate Node.js 12 (and more?) in a new major release.
@legobeat legobeat changed the title incompatible dependency subdependency regression breaks node-gyp May 17, 2023
@legobeat legobeat changed the title subdependency regression breaks node-gyp subdependency regression breaks node-gyp 9 May 17, 2023
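
The drift reported in the issue above can be detected mechanically. The following is an added example, not code from node-gyp or from the issue author: it scans a package's release history for releases that raise a dependency's major version without raising the package's own major, and shows what an install without a lockfile would pick on a given date. The function names are hypothetical, and the consumer is assumed to depend on path-scurry through a caret range on major 1.

```javascript
// Subset of the path-scurry release history from the table in the issue above:
// [version, dependencies["lru-cache"], release time].
const HISTORY = [
  ['1.6.2', '^7.14.1', '2023-03-22T05:30:58.343Z'],
  ['1.6.3', '^7.14.1', '2023-03-22T18:50:47.648Z'],
  ['1.6.4', '^9.0.0', '2023-04-09T22:06:57.282Z'],
  ['1.7.0', '^9.0.0', '2023-04-14T23:00:30.211Z'],
  ['1.7.1', '^9.1.1', '2023-05-10T15:40:06.773Z'],
  ['1.9.1', '^9.1.1', '2023-05-15T04:44:45.154Z'],
].map(([version, range, time]) => ({ version, range, time: new Date(time) }));

// Parse "1.6.4" or "^9.0.0" into [major, minor, patch]; only plain and caret forms are handled.
function parse(v) {
  const m = /^\^?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version or range: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Releases that raise the dependency's major while keeping the package's own major:
// a consumer's caret range accepts them automatically.
function findSilentMajorBumps(history) {
  const sorted = [...history].sort((a, b) => compare(a.version, b.version));
  const hits = [];
  for (let i = 1; i < sorted.length; i++) {
    const [prev, cur] = [sorted[i - 1], sorted[i]];
    const sameOwnMajor = parse(prev.version)[0] === parse(cur.version)[0];
    if (sameOwnMajor && parse(cur.range)[0] > parse(prev.range)[0]) {
      hits.push({ version: cur.version, from: prev.range, to: cur.range, time: cur.time });
    }
  }
  return hits;
}

// Assumption: a lockfile-free install with a caret range on `major` picks the highest
// version of that major already published on `date` (the range's lower bound is ignored).
function resolveAt(history, major, date) {
  const ok = history.filter(r => parse(r.version)[0] === major && r.time <= new Date(date));
  return ok.sort((a, b) => compare(b.version, a.version))[0] || null;
}

console.log(findSilentMajorBumps(HISTORY));
console.log(resolveAt(HISTORY, 1, '2023-04-10T00:00:00Z').range);
```

Run against the full registry history of each transitive dependency, a check like this flags the release to pin below before an unlocked CI build picks it up.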
@legobeat
Author

Some relevant conversation in #2796

legobeat added a commit to legobeat/node-gyp that referenced this issue May 17, 2023
This reverts commit 02480f6, thereby
rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3.

The upgrade is breaking for node-fetch users as it has transitive
dependencies with syntax incompatible with supported Node.js versions.

Related:
- nodejs#2770
- nodejs#2837
- nodejs#2816
- nodejs#2848
- nodejs#2827
- nodejs#2796
legobeat added a commit to legobeat/node-gyp that referenced this issue Jun 26, 2023
This reverts commit 02480f6, thereby
rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3.

The upgrade is breaking for node-fetch users as it has transitive
dependencies with syntax incompatible with supported Node.js versions.

Related:
- nodejs#2770
- nodejs#2837
- nodejs#2816
- nodejs#2848
- nodejs#2827
- nodejs#2796
@lukekarrys
Member

v9.4.1 has been released which reverts the dependency changes (#2917) that caused this issue. Those changes will be released again as v10.0.0 with the changelog outlining the newly supported Node versions.
