emilbayes / secure-password

Making Password storage safer for all
ISC License

secure-password version < 1.0.0 is not available anymore #1

Closed sharadendu-sinha closed 7 years ago

sharadendu-sinha commented 7 years ago

I was using secure-password version 0.1.2. However, after the publication of version 2.0.0, for some reason npm is forcefully downloading version 2.0.0 despite my package.json asking for version 0.1.2. Below is a snippet from my package.json.

"secure-password": "0.1.2"

Because of the above, my current implementation is breaking. I can, however, move to the newer implementation, but I am not confident that my old passwords will work with the library.

Request you to do the needful to restore the older version along with the newer version.

emilbayes commented 7 years ago

It must be an issue with your local machine. It works just fine here:

null $ mkdir project
null $ cd project
project $ echo '{}' > package.json
project $ npm install --save secure-password@0.1.2
/tmp/null/project
└─┬ secure-password@0.1.2 
  └── coffee-script@1.2.0 

npm WARN project No description
npm WARN project No repository field.
npm WARN project No license field.
project $ node -e 'console.log(require("secure-password"))'
{ makePassword: [Function: makePassword],
  verifyPassword: [Function: verifyPassword] }

I don't know if this has to do with the npm cache, but you can try rm -rf node_modules and npm cache clean. Version >=1.0.0 is not compatible with earlier versions, hence the semver major bump. You can migrate to the newer version by rehashing your users' passwords as they log in, but you still need the old version around to verify the old hash. Even better, you reset your old users and request them to add a new password since the old version was not secure.
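The rehash-on-login migration described in the comment above, as an added sketch that is not part of the thread and does not use secure-password's API. The functions legacyHash/legacyVerify and modernHash/modernVerify are hypothetical stand-ins (salted SHA-256 and Node's built-in scrypt) for the old and new library versions, and the user store is a constructed Map.

```javascript
const crypto = require('crypto');

// Constant-time string comparison so verification does not leak match length.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical stand-in for the old, incompatible format (not 0.1.2's real scheme).
function legacyHash(password, salt) {
  const digest = crypto.createHash('sha256').update(salt + password).digest('hex');
  return `v0$${salt}$${digest}`;
}
function legacyVerify(password, stored) {
  const [, salt] = stored.split('$');
  return Boolean(salt) && safeEqual(legacyHash(password, salt), stored);
}

// Hypothetical stand-in for the new format, using scrypt with a random salt.
function modernHash(password, salt = crypto.randomBytes(16).toString('hex')) {
  const key = crypto.scryptSync(password, salt, 32).toString('hex');
  return `v1$${salt}$${key}`;
}
function modernVerify(password, stored) {
  const [, salt] = stored.split('$');
  return Boolean(salt) && safeEqual(modernHash(password, salt), stored);
}

// Verify a login. A record in the old format is checked with the old verifier
// and, only if it matches, replaced by a new-format hash of the same password.
function login(users, name, password) {
  const stored = users.get(name);
  if (typeof stored !== 'string') return { ok: false, migrated: false };
  if (stored.startsWith('v1$')) {
    return { ok: modernVerify(password, stored), migrated: false };
  }
  if (stored.startsWith('v0$') && legacyVerify(password, stored)) {
    users.set(name, modernHash(password)); // plaintext is only available here
    return { ok: true, migrated: true };
  }
  return { ok: false, migrated: false };
}

// Constructed sample store: one user whose record is still in the old format.
const users = new Map([['alice', legacyHash('correct horse', 'a1b2c3')]]);
```

Records that never see a successful login stay in the old format, which is why the comment's alternative of resetting those users still applies to dormant accounts.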

emilbayes commented 7 years ago

Additional output:

project $ npm view secure-password versions
[ '0.0.1', '0.1.0', '0.1.1', '0.1.2', '1.0.0', '1.0.1', '2.0.0' ]

emilbayes commented 7 years ago

If you uncover new information, please reopen :)