Open mytskine opened 1 year ago
After some more investigation, it seems that asset-packagist created composer packages only for some of the git tags in the zxcvbn-ts repository. Those tags are those that are shared with zxcvbn. This explains why the old package has hijacked this one.
The problem is still partly there:
Surprisingly, forcing composer to install zxcvbn-ts--core@3.0.*
did work now, so there is a workaround for the main problem.
Hello! Thanks for digging! Yes, this is not right and could be improved. We will leave this issue open and get back to it during the next project maintenance session. And PRs are always welcome if you would like to put some effort into this task.
composer require npm-asset/zxcvbn-ts--core
and the wrong package gets installed. In other words the package "npm-asset/zxcvbn" has hijacked "npm-asset/zxcvbn-ts--core", though they are unrelated (the latter started as a rewrite of the former, but their APIS are now incompatible).Unless I'm mistaken, there is no way to install the real package "npm-asset/zxcvbn-ts--core". That's alright, but in any case another incompatible package should never get installed instead.
On a side note, the link on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core is wrong and sends to a 404 page: https://npmjs.com/package/zxcvbn-ts--core should become https://www.npmjs.com/package/@zxcvbn-ts/core