This project is back under active development and maintenance! #621
Comments
|
Will v4 based on v5? |
|
No, it will be based on v3 and be mostly backwards compatible with existing code |
|
Is it planned to implement those changes from v4 also in v5 or is v5 now dead? |
|
So are you planning to "throw-away" all of the efforts that went into v5? Isn't Typescript meanwhile the de-facto standard for writing larger JavaScript-based projects? |
|
All code has bugs - with v3 we have a somewhat battle hardened release with over 100 issues/PRs raised in this repo outlining many real bugs, doc issues and proposed features. Whereas v5 is a massive rewrite with significantly less review in comparison - it may address some existing bugs, but will undoubtedly introduce new bugs. As mentioned above, In the interest of forward momentum I'd like to fix the bugs and make the project better 👍 |
|
Thanks a lot for going this path. It's great to see, that I can continue to rely on this package. Is there a way to send a small donation 💰 to show some ❤️ |
|
We are with you. Thank you so much for the support and the awesome work you are doing? |
|
Is v5-dev branch really dead ? As i understand, typescript version is not any more in the roadmap. It's true, it's important to be backward compatible, but it's also important to move forward and update the code to support latest features of oauth2. Some of thoses features were implemented in v5-dev and we were waiting for those to be merged. Better typing, You talk about v4, but we didn't see any branch related to it. Is this really planned ? We know it's important to get help. |
|
I think it would be great to have a v4 branch and a v4 project that contains all the issues relevant for v4. By doing so we know where to put our efforts in. @thomseddon what do you think? |
|
👍 3.1 will be released next week (3.1.0-rc1 is published on npm now) The existing I'm hoping to merge the existing PKCE PR into v4 too. For those that have asked about sponsorship - thank you so much, I'd really like to spend more time on this project (there's a lot of work to do :) and I've setup github sponsorship, so for anyone who would like to help in that way it would really allow me to focus more time into this and would be greatly appreciated. |
|
Hi! Any news on PKCE implementation? |
|
This Project is imho again dead. |
|
I think there should be someone getting sponsored to tackle the remaining issued or at least to manage incoming PRs. |
|
@thomseddon honestly i'd say put v3 into maintenance mode (security fixes only), skip v4, and start pushing forward on v5 /w typescript and breaking changes. it's daunting work to build out improvements for 3 separate versions. if you don't have much time then reducing the surface area will surely help, and the typescript branch seems much cleaner to work with and build upon. |
|
Is there a branch already for v4? |
|
I agree with @night that managing 3 versions is a huge effort and maybe also the reason this repo getting stuck again? @ukneeq I think it's the dev branch |
|
I dont think, that the complexity is the reason that this project got stuck again. I suppose when @thomseddon was claiming that this project is under active development and maintenance, that he was in a jobless situation and thats why it was back under development... But soon after he was again busy with a job which supplies him with money. And so this Project is stuck again. I mean it is totally understandable, I would also be less productive in an open source project, if I have a paid Job. What you gonna do? Issue is also, that this is a security relevant product. If you have a not trustworthy contributor/maintainer which puts malicious code into the product, then alot of companies will be hackable. But on the other hand, we can have a critical community and make it necessary to have x approvals before the maintainers can actually merge into master. I would also agree that new maintainers need to disclose their identities and who their employers are, so that making them to be maintainers does not mean to make a malicious anonymous able to taint the code. I would be happy if I could support this Project. |
|
I Support the Idea |
|
If you are still in need of maintainers let me know, I really enjoy using this module and would be happy to contribute and improve it as much as I can! |
|
Maybe we should Talk with another group Like auth0 and ask if they fork it and maintain it with our community support. |
|
>This project is back under active development and maintenance! Sooo that was a lie. |
|
Would be great to have at least some kind of election for maintainers so this can continue to stay alive. |
|
I think there would be a lot of people willing to maintain this project. The only thing that is missing are specifics tasks or todos that people can assign to themselves. Personally I think the typescript version (v5) should be picked up again. |
|
If we could define some reliable criteria for someone becoming a trusted maintainer we could start elections and @thomseddon only needs to add them. I think from there we could work in fixes for 3.x and 5.0 as well The trusted maintainers can assign taks, review and merge PRs |
|
I think the minimal effort should be to at least merge in updated dependencies e.g.: #677 and similar |
|
I wrote this today to auth0:
|
|
I wrote an identical E-Mail to the CEO of auth0. Lets hope this project gets finally the love it needs. :) |
|
Published Changelog
|
|
@mjsalinger what about those who are using v3? It would be really helpful to bump dependencies for that generation. lodash is also vulnerable there! |
|
|
@mjsalinger how are things going? Need assistance with anything? Currently using |
|
Can confirm the same with our authorization code workflow and |
|
Update: Currently reviewing and testing the PKCE code - want to put that through its paces a bit, should have it merged and a dev release tagged early-mid next week sometime, possibly along with a few other smaller PRs... |
|
Would it be possible to remove the following dependencies?
|
|
@jwerre - I think you should probably open issue(s) for those things and even consider authoring the PR. |
|
Actually Changes sound interesting. Maybe the Bluebird replacement should be done in the way that we kind of dependency inject it. Fallback is native Promise implementation. If there is somebody for any reason depending on bluebird or thinks it is faster, he can just override it with Bluebird? |
|
@Uzlopak mongoose does something like that, not a bad idea. I'm not sure why you'd need to do that though, Promises have been available since version 0.12.0. There's really no need to shim Promise anymore. |
|
Exactly. I thought about mongoose. back in those days performance of native promises was slower than bluebird. But tbh we are now at node 14/16. The performance bottleneck does not exist anymore. I just think we should consider this. I personally prefer to use native Promises, without the injection technique I mentioned. |
|
@mjsalinger I'd be happy and go through the code and make these changes. That said, I understand the security implications. |
|
Please make them separate. One for promise, one for utils.promisify and one for the statuses. I would review then |
|
Status update? |
|
We just need one new, serious maintainers; there's clearly there's no communication or time from the current maintainers, and I also feel like there's no time to "build a level of trust" when the maintainers themselves aren't even active here. |
|
Everyone, I went ahead and just forked on this project and will work on it, hop on hover and let's talk about the future of the project over there. The project is now under a new organization for easier development. |
|
I will join, however I still would love to see this project getting things done or finally making people maintainers that actually have the time and commitment to improve things. I think there were numerous mentions in this thread who would participate etc. |
|
cc @Uzlopak @jwerre @dhensby @Milad @jorenvandeweyer @ukneeq @night @gabriprat @mayrbenjamin92 @desaijay315 @Rmannn please also think about what you would invest to keep this alive, maybe under a new organization, we would be enough people to cover most aspects of the development process for maintenance and maybe even continue to improve. We can use the fork of @HappyZombies in the meantime to discuss things further and don't further pollute this thread |
|
@jankapunkt good idea about making this an organization and just adding people, I'll carry the conversation over there. |
|
I see many of you reacting confused and I'd like to know why. I know it's hard to just jump from a 3.4k stars project with established level of trust to something empty but I for example can't wait for all the vulnerabilities to be closed in 2022 because we have an audit soon. I don't know your situation but I prefer to keep such a critical tool updated as possible. |
|
Hey - from my side, I'm actually happy to see the fork! As mentioned before, I've always had a security concern with promoting a maintainer without at least establishing a base line level of trust and competence. I've suggested to those who are willing to begin triaging but I can certainly see how a clean fork is easier. |
|
Can anybody suggest a good and "non vulnerable" fork? I am happy to start dedicating some of my spare time to support this project - we are heavily relying on it and having the vulnerabilities is a mess :/ |
This is an active fork with the issues fixed. |
Hello!
After a hiatus following the 3.0.0 release, I'm very happy to say that I will am planning to pick up the maintenance and development of this project. The point of this issue is to outline the plan.
History
3.0.0 was released in August 2017, when the project was already 4 years old, and was the result of a great amount of effort from a number of people in iterating towards a much improved codebase and documentation. Unfortunately, following this all of us who were involved in the release became rather busy with projects elsewhere and were not able to continue to work on the project. As such, we've been stuck on 3.0.0 since then!
I put out a request for maintainers in 2019, although I did receive a few responses I didn't find anyone who was able to start in earnest.
The action that drew most traction was a complete rewrite of the project in typescript in #564 - this was great to see, as was the amount of attention it got which showed there were still a good number of people using or interested in the project.
However, after observation of the progress of that project it's clear that the maintenance is still one of the hardest parts of such a project and I can understand why anyone would struggle to take that on. I realised that another big rewrite really wasn't what the project needed.
A change in my working situation has left me with a little more time to spare, I've been mostly using this on another OS project of mine (https://github.com/thomseddon/traefik-forward-auth) but I'd like to try and pick up this project too.
Plan
In summary:
A lot of people have been lingering on the 3.0.0 release for a long time and has certainly been battle tested. We've amassed over 100 issues and 22 PRs for this release so I would like to make a big effort to give v3 the fixes it deserves. I have already started this by updating all dependencies and releasing 3.0.2 🎉
In honour of the backwards compatibility, I will also be maintaining support for node 4/6/8 in v3.
Due to the nature of the project, most changes do change the server behaviour and so can be considered "backwards incompatible". To help prevent any jarring changes, the plan is for a v4 release which is as backwards compatible as possible. My goal is to keep the integration entirely backwards compatible, so there should be no client code changes required at all for this entire release. We will drop support for EOL node.js version 4/6/8 and plough through as many fixes and improvements as possible.
Thanks for your patience over the years, I'm already enjoying getting stuck back in again!
The text was updated successfully, but these errors were encountered: