jazzband / djangorestframework-simplejwt

A JSON Web Token authentication plugin for the Django REST Framework.
https://django-rest-framework-simplejwt.readthedocs.io/
MIT License
4.02k stars 663 forks

Is the repo actively maintained? #827

Open hakan-77 opened 1 month ago

hakan-77 commented 1 month ago

This is a genuine question with zero sarcasm.

I am actively investigating to retire simple jwt and implement our own JWT generation/validation code since I am not sure if this repo is actively maintained.

If someone can clarify and confirm, I would not take any offense, thank you for the amazing work you have done so far, and just accelerate the migration.

If, on the other hand, this is a temporary hold, it would be great to know so we could plan accordingly.

Andrew-Chen-Wang commented 1 month ago

No, I do not actively maintain SimpleJWT anymore. Contributors normally ping me to look at PRs, and if they're urgent, I'll merge them and release since I'm still release manager. I'm pretty on top of releasing once there's a certain amount of PRs merged, though, and still look at PRs if it's a good feature.

But no, I do not actively commit and improve and rely on contributors for adding new source code. I just give the final stamp.

Would much rather see you become a maintainer rather than have you make something yourself to help everyone in the community; hope that answers the question!

aalmazan commented 1 month ago

Also curious about this question -- and I don't intend to sound demanding/entitled in any way. I am genuinely thankful for the existence of this package and the work all the contributors have given.

I do wonder though what are the conditions for this package to ever get a new release? There are 48 open PRs going back to 2019 which even contain one or more security updates. There's also the impending release of the next Django LTS which, based on some of the issue titles, might have issues with the current release.

What can we do to improve the situation? Or should we, as the OP puts it, "plan accordingly" sooner rather than later?

hakan-77 commented 1 month ago

Fair enough, and thank you @Andrew-Chen-Wang. Is there any chance to have a back-up release manager? I understand your interests have shifted, happens to all of us.

This is a fantastic project, and I think being in "maintenance mode" would be enough to save it. Parallel to @aalmazan's suggestion, if we could merge PRs that mostly fix bugs, especially ones related to security, support newer Django versions etc. we could have more confidence in the future of the project.

Andrew-Chen-Wang commented 1 month ago

I think if you have some stake in this project, the best avenue is to become a maintainer and merge PRs; you'll automatically have PR merging privileges which shouldn't be taken lightly.

As for immediate tasks, I'm not sure what's in demand. If it's updating the supported Django version, I can check. If a PR for that doesn't exist, we can make a PR. I made a small cron job to check in cookiecutter-django, so we can reuse possibly. Again, review what you need but ping me :)

Andrew-Chen-Wang commented 1 month ago

To anyone looking to become a maintainer, it's simple. Head to https://jazzband.co/ to get started, then head to https://jazzband.co/projects/djangorestframework-simplejwt to join the project

aalmazan commented 1 month ago

Perfect. Thanks for the response @Andrew-Chen-Wang. As someone who doesn't regularly check out popular package repos and issues, hitting dead-ends with future support is frustrating. Knowing now how we can move forward, I'll try to set aside some time to help out here if I can.

monkut commented 4 weeks ago

@aalmazan @Andrew-Chen-Wang

Noticed this vulnerability, any known actions on this? https://osv.dev/vulnerability/GHSA-5vcc-86wm-547q

Andrew-Chen-Wang commented 4 weeks ago

@monkut https://github.com/jazzband/djangorestframework-simplejwt/issues/779#issuecomment-2088709374

Actions I'd like to take: clarify the vulnerability, add clarifying docs to the purpose and use cases of the experimental class, and potentially close it