npm links to wrong repository #67
Comments
Same here
@shaneGirish this should really be addressed as it's an easy fix.
Looks like @peteratticusberg is the one making commits to
Would be appreciated if any of the maintainers fixed this link. Nice library, but that spoils the effect.
Unfortunately I don't have access to npm and can't update the links. As stated in the README, however, this project is no longer actively maintained and our recommendation is that you use https://github.com/dcodeIO/bcrypt.js instead, which is a fork of this repo.
@peteratticusberg the problem is that many of the people commenting here use libraries that in turn still depend on this repo, and we cannot force them to update their dependencies. I believe it is possible to contact npm directly in situations like this. I understand that this would be a lift on your part, but it would be super helpful for cleaning up vulnerability management.
After checking on npm, I found one library that depends on this that has ~22 downloads/day. The next most used package had 6 downloads/day. If there were more dependents, with higher download counts, I'd feel differently, but I think the proper fix here is to put up a PR for sei-core that updates its dependencies. If I could just simply update npm I would, but unfortunately I can't. https://github.com/dcodeIO/bcrypt.js exposes the same API as this library, so it should be an easy fix. It also runs 2.5x faster than this library, so it should improve the hashing performance of that package as well.
Yeah... it's a little more than a few that use this library. https://github.com/shaneGirish/bcrypt-nodejs/network/dependents One of the largest being Parse Server.
Touché. Who'd've guessed that GitHub has more information on the npm dependency graph than npm itself? Or that so many projects depend on the v0.0.3 release of a package? The world we live in. So I just emailed Shane for npm access; if I get it I can cut a new release and publish it to npm, but the package.json file for the current release (v0.0.3) is still going to link to a dead GitHub URL. I don't know if this will fix the issue with commonly used dependency checkers (npm-check/npm-check-updates/depcheck) because I don't understand the circumstances under which they're using a GitHub URL rather than npm package names to locate package information. But for packages using optimistic versioning constraints, hopefully it helps. (parse-server does not.) tl;dr hopefully the cavalry is on the way for dependency checkers. In the meantime, I'd encourage people to put up PRs for repos using this package that replace it with bcrypt.js, which has an identical interface, is faster, and actively maintained.
npm currently links to https://github.com/shaneGirish/bcryptJS instead of https://github.com/shaneGirish/bcrypt-nodejs. This is causing one of my dependency checkers to break, as the former page is a 404.