Closed honzajavorek closed 6 years ago
bcrypt-pbkdf@1.0.2 is now published, with fixes for joyent/node-bcrypt-pbkdf#4 and joyent/node-bcrypt-pbkdf#6, so I'm going to close this issue, since I believe that those address your concerns. Please let me know if that is not the case.
That's correct, thank you very much! ❤️
The node-sshpk package depends on bcrypt-pbkdf, which has unclear licensing and authorship. My concerns are explained in https://github.com/joyent/node-sshpk/issues/37#issuecomment-401051047. Since http-signature is a dependency of request, this problem spreads transitively and affects a large portion of the ecosystem.