TritonDataCenter / node-http-signature

Reference implementation of Joyent's HTTP Signature Scheme
https://tritondatacenter.com
MIT License

Review node-sshpk dependency (licensing and authorship issues) #74

Closed honzajavorek closed 6 years ago

honzajavorek commented 6 years ago

The node-sshpk package depends on bcrypt-pbkdf, which has unclear licensing and authorship. My concerns are explained in https://github.com/joyent/node-sshpk/issues/37#issuecomment-401051047. Since http-signature is a dependency of request, this problem spreads transitively and affects a large portion of the ecosystem.

melloc commented 6 years ago

bcrypt-pbkdf@1.0.2 is now published, with fixes for joyent/node-bcrypt-pbkdf#4 and joyent/node-bcrypt-pbkdf#6, so I'm going to close this issue, since I believe that those address your concerns. Please let me know if that is not the case.

honzajavorek commented 6 years ago

That's correct, thank you very much! ❤️