mytskine
commented
1 year ago After some more investigation, it seems that asset-packagist created composer packages only for some of the git tags in the zxcvbn-ts repository. Those tags are those that are shared with zxcvbn. This explains why the old package has hijacked this one.
The problem is still partly there:
- The releases displayed by asset-packagist were wrong, they were never released under this name on npm. Clicking "Fetch updates from npm" has solved it for this package, but those releases should never have been there.
- The page now claims "This package is OK to use!" but the SHA column is always at "n/a" with no link to sources.
- The link to npm is broken.
Surprisingly, forcing composer to install zxcvbn-ts--core@3.0.* did work now, so there is a workaround for the main problem.
SilverFire
composer require npm-asset/zxcvbn-ts--coreand the wrong package gets installed. In other words the package "npm-asset/zxcvbn" has hijacked "npm-asset/zxcvbn-ts--core", though they are unrelated (the latter started as a rewrite of the former, but their APIS are now incompatible).Unless I'm mistaken, there is no way to install the real package "npm-asset/zxcvbn-ts--core". That's alright, but in any case another incompatible package should never get installed instead.
On a side note, the link on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core is wrong and sends to a 404 page: https://npmjs.com/package/zxcvbn-ts--core should become https://www.npmjs.com/package/@zxcvbn-ts/core