-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate the ecosystem #68
Comments
@dougwilson is watching this fork. Do you plan to migrate the projects under your maintenance to @fastify/busboy? |
@dougwilson We would be happy to create PRs for that, if you would give us a list of projects you would like migrated. Note that it would probably be a semver major, since I assume most of your project have < Node 10 support. |
We should also think about the dependents of dicer. Like firebase-admin of google. Can they actually import Dicer from @fastify/busboy? |
@Uzlopak That would be a wrong approach either way. If that's something that we want to do, we'd need to extract dicer to fastify-dicer. |
Maybe we should first inform them about the dicer issues and if there is a demand, we extract it to fastify-dicer so that they can consume it. |
Sounds good! |
Having worked with
The https://github.com/mscdex/busboy/blob/5ef3f9b1d08e7ccb7c9b3690e4c071089e66285c/package.json#L7 It doesn't sit well that massive dependencies are copy-pasted in, instead of being managed as regular auditable npm package dependencies:
Also, the 739 kB install size is over the top. Tests and other superfluous files are being published: https://unpkg.com/browse/busboy@0.3.1/ There is little hope that There just hasn't really been a better choice, which is surprising considering how essential a library like this is to building for web. That said, it would be great to hear a bit more about the motivation for this fork, vs:
|
It wasn't proposed, and in a hindsight it probably was a mistake. My assumption was that since repo is mostly hibernating these days, mscdex must be no longer actively engaged with it, which is actually not true - he still comments on it very actively. We did ask him if he would be open to transfer npm package name to fastify org to avoid fragmentation, but there was no reply. That said - @mscdex - if you agree with the general direction of the package that you can already see in this fork, would you consider accepting changes that happened here so far and considering maintainers of
Unfortunately, you seem to be overestimating the amount of resources that fastify project can realistically dedicate to such an effort. fastify-busboy was mostly put together by @Uzlopak and yours truly, and incorporated plenty of pending contributions from Any ideas or PRs that would help improve |
@mscdex I kind of agree with you. But you have to consider, that mscdex did not update dicer even though it had two bugs which could result in DoS-Attacks as they could hang or crash the service, despite having two PRs in Dicer for months, which are solving those attack vectors. So to consider the packages being not actively maintained by mscdex is not unreasonable. I dont blame him, as he has hundreds of successful projects and keeping them all up to date is time consuming. But for my use case, I wrote an oauth2-authorization-server with fastify, it would mean a security issue in a critical part of my infrastructure. I dont want, that my deployment has an avoidable attack vector. On the other hand, mscdex encourages to fork his projects. So I conclude a fragmentation is considered OK by mscdex. But I can tell you that we put alot of effort to remove security issues, increase the code coverage and to extend the features of our busboy fork. I would have preferred that we take maintenance of busboy, dicer and searchstream project, but it did not happen. But hey... you can never make everybody happy. We offer here an alternative with the potential that it gets step by step refactored. |
@jaydenseric So I also encourage you to provide us with PRs or to tell what we could do better by opening issues. |
I haven't looked close enough at it to tell yet if that effort is something that could replace Maybe their code could be abstracted out into a generic multipart parser package? |
I know it seems quite intriguing to adapt that as the node-fetch implementation is small and simple and I like that. But our current structure actually provides a good separation of concerns. The node-fetch implementation is an amalgam of what dicer and searchstream does. It would imho make it harder to improve the code if we would mangling all to one Stream. I think. But maybe I am wrong (which is OK :D) |
@Uzlopak @kibertoad : please do check firebase/firebase-admin-node#1512 |
I've updated Multer 2.x to use this fork now, whilst 1.x have been deprecated, and 1.4.4-lts.1 have been updated to use Busboy 1.x 😅 Now that the original Busboy is being actively maintained again, are you committed to maintaining this fork long term? I would love some input on what version Multer 2.x should use before we make a stable release... |
We are willing to maintain this package long term |
Prerequisites
Issue
Now that 1.0.0 is out, we should go through https://www.npmjs.com/package/busboy and submit migration PRs to projects that have non-insignificant amount of users.
Done: fastify-multipart, multer.
The text was updated successfully, but these errors were encountered: