
npm links to wrong repository #67

Open
jsachs opened this issue Jul 18, 2016 · 9 comments

Comments

@jsachs

jsachs commented Jul 18, 2016

npm currently links to https://github.com/shaneGirish/bcryptJS instead of https://github.com/shaneGirish/bcrypt-nodejs. This is causing one of my dependency checkers to break, as the former page is a 404.

@joelgarciajr84

Same here

@OmgImAlexis

@shaneGirish this should really be addressed as it's an easy fix.

@jsachs
Author

jsachs commented Mar 31, 2017

Looks like @peteratticusberg is the one making commits to master now, and maybe he can update npm.

@jacob-rogers

It would be appreciated if any of the maintainers fixed this link. Nice library, but that spoils the effect.

@peteratticusberg
Collaborator

Unfortunately I don't have access to npm and can't update the links.

As stated in the README however, this project is no longer actively maintained and our recommendation is that you use https://github.com/dcodeIO/bcrypt.js instead which is a fork of this repo.

@jsachs
Author

jsachs commented Feb 2, 2018

@peteratticusberg the problem is that many of the people commenting here use libraries that in turn still depend on this repo, and we cannot force them to update their dependencies. I believe it is possible to contact npm directly in situations like this.

I understand that this would be a lift on your part but it would be super helpful for cleaning up vulnerability management.

@peteratticusberg
Collaborator

peteratticusberg commented Feb 2, 2018

After checking on npm, I found one library that depends on this that has ~22 downloads/day. The next most used package had 6 downloads/day.

If there were more dependents, with higher download counts, I'd feel differently, but I think the proper fix here is to put up a PR for sei-core that updates its dependencies. If I could just simply update npm I would, but unfortunately I can't.

https://github.com/dcodeIO/bcrypt.js exposes the same API as this library, so it should be an easy fix. It also runs 2.5x faster than this library, so it should improve the hashing performance of that package as well.

@OmgImAlexis

OmgImAlexis commented Feb 2, 2018

Yeah... it's a little more than a few that use this library.
47,581 Repositories and 444 Packages.

https://github.com/shaneGirish/bcrypt-nodejs/network/dependents

One of the largest being Parse Server.
https://github.com/parse-community/parse-server/blob/master/package.json#L54

@peteratticusberg
Collaborator

peteratticusberg commented Feb 2, 2018

Touché. Who'd've guessed that GitHub has more information on the npm dependency graph than npm itself? Or that so many projects depend on the v0.0.3 release of a package? The world we live in.

So I just emailed Shane for npm access. If I get it I can cut a new release and publish it to npm, but the package.json file for the current release (v0.0.3) is still going to link to a dead GitHub URL.

I don't know if this will fix the issue with commonly used dependency checkers (npm-check/npm-check-updates/depcheck) because I don't understand the circumstances under which they're using a GitHub URL rather than npm package names to locate package information. But for packages using optimistic versioning constraints, hopefully it helps. (parse-server does not.)

tl;dr: hopefully the cavalry is on the way for dependency checkers.

In the meantime, I'd encourage people to put up PRs for repos using this package that replace it with bcrypt.js, which has an identical interface, is faster, and is actively maintained.
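The comment above hopes that a new release would reach dependents that use "optimistic versioning constraints". Whether that is true depends on how npm's caret and tilde ranges treat a 0.0.x version, which is the situation here. The following is an added example, not code from the bcrypt-nodejs project or from anyone in this thread: it takes a constructed set of package.json manifests (names and ranges are assumptions), lists every package that depends on a given name, and checks whether each declared range would accept a hypothetical new release. It implements only the subset of npm's semver range syntax needed for that check (exact, `^`, `~`, `>=`, `*`/`x`); anything else throws rather than guessing.

```javascript
// Added example (not part of bcrypt-nodejs): which dependents of a package
// would automatically pick up a new release, given their declared ranges?
// Supports the npm range forms: "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3", "*"/"x".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [lowerInclusive, upperExclusive | null] for a range string.
function rangeBounds(range) {
  const r = range.trim();
  if (r === '*' || r === 'x' || r === '') return [[0, 0, 0], null];
  if (r.startsWith('>=')) return [parseVersion(r.slice(2)), null];
  if (r.startsWith('^')) {
    const [M, m, p] = parseVersion(r.slice(1));
    // Caret keeps the leftmost non-zero component fixed. For a 0.0.x version
    // every component is "the leftmost non-zero one", so ^0.0.3 means
    // >=0.0.3 <0.0.4: it accepts exactly one version and is not optimistic.
    let upper;
    if (M > 0) upper = [M + 1, 0, 0];
    else if (m > 0) upper = [0, m + 1, 0];
    else upper = [0, 0, p + 1];
    return [[M, m, p], upper];
  }
  if (r.startsWith('~')) {
    const [M, m, p] = parseVersion(r.slice(1));
    // Tilde allows patch-level changes: ~0.0.3 means >=0.0.3 <0.1.0.
    return [[M, m, p], [M, m + 1, 0]];
  }
  const exact = parseVersion(r); // bare "0.0.3" pins that single version
  return [exact, [exact[0], exact[1], exact[2] + 1]];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return cmp(v, lo) >= 0 && (hi === null || cmp(v, hi) < 0);
}

// Direct dependents of `name` across a list of package.json-style objects.
function dependentsOf(manifests, name) {
  const out = [];
  for (const man of manifests) {
    const deps = { ...(man.dependencies || {}), ...(man.devDependencies || {}) };
    if (name in deps) out.push({ dependent: man.name, range: deps[name] });
  }
  return out;
}

// For each dependent, would the declared range resolve to `newVersion`?
function report(manifests, name, newVersion) {
  return dependentsOf(manifests, name).map((d) => ({
    ...d,
    picksUpNewRelease: satisfies(newVersion, d.range),
  }));
}

// Constructed sample manifests; package names and ranges are assumptions,
// chosen to show an exact pin, a caret, a tilde and a wildcard on 0.0.3.
const manifests = [
  { name: 'pinned-app', dependencies: { 'bcrypt-nodejs': '0.0.3' } },
  { name: 'caret-app', dependencies: { 'bcrypt-nodejs': '^0.0.3' } },
  { name: 'tilde-app', dependencies: { 'bcrypt-nodejs': '~0.0.3' } },
  { name: 'open-app', devDependencies: { 'bcrypt-nodejs': '*' } },
  { name: 'unrelated', dependencies: { bcryptjs: '^2.4.3' } },
];

console.log(JSON.stringify(report(manifests, 'bcrypt-nodejs', '0.0.4'), null, 2));
```

Run with `node` to see the table. The point worth noticing is the caret case: a dependent declaring `^0.0.3` is pinned just as hard as one declaring `0.0.3`, because caret on a 0.0.x version fixes every component. Only tilde, `>=` and wildcard dependents would resolve to a hypothetical 0.0.4, so a fresh release alone reaches fewer of the 444 packages than an "optimistic constraint" intuition suggests; a PR swapping the dependency for bcrypt.js is the fix that actually lands everywhere.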
