Skip to content

Replace unmaintained keytar (pulls deprecated prebuild-install) with @napi-rs/keyring #6

Description

@chirag127

Summary

codeep transitively depends on keytar@7.9.0, which pulls in the deprecated prebuild-install@7.1.3. Both upstreams are archived and no longer accept issues/PRs:

Since neither upstream can be fixed, the change has to happen in Codeep.

Repro

npm install -g codeep@latest

Warnings:

npm warn deprecated prebuild-install@7.1.3: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts:
npm warn allow-scripts   keytar@7.9.0 (install: prebuild-install || npm run build)

Suggested fix

Swap keytar for @napi-rs/keyring (https://github.com/Brooooooklyn/keyring-node):

  • Actively maintained (last push 2026-06-24, v1.3.0)
  • Same OS-keychain surface (macOS Keychain, Windows Credential Manager, libsecret on Linux)
  • Prebuilt N-API binaries via napi-rs — no prebuild-install, no node-gyp fallback
  • MIT licensed

API sketch:

// before
const keytar = require('keytar');
await keytar.setPassword('service', 'account', 'secret');
const pw = await keytar.getPassword('service', 'account');

// after
const { Entry } = require('@napi-rs/keyring');
const entry = new Entry('service', 'account');
entry.setPassword('secret');
const pw = entry.getPassword();

Note: @napi-rs/keyring is synchronous (Rust-backed, no thread hop needed), so await goes away.

Happy to send a PR if useful.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions