shaozi / ldap-authentication

🔐🔐🔐 A simple Nodejs Async LDAP authentication library
BSD 2-Clause "Simplified" License

Question: Why does NPM show latest release is v3.2.2 but Github shows only v3.0.1? #73

Open matsaleh13 opened 3 weeks ago

matsaleh13 commented 3 weeks ago

I'm looking for a JS package that supports LDAP+STARTTLS for my employer and was leaning towards this one. However, I noticed that the version published by NPM is v3.2.2, dated June 2024, while this GitHub repo shows latest release is v3.0.1, dated March 2023.

I don't normally pay that much attention to these things when I get an NPM package, but since this is a) for my work, and b) a security-related package, it caught my attention.

I followed the links from the NPM page back to this repo, but I see nothing here that accounts for the more recent version on NPM.

I'm interested in this package, but I'm a little wary now. Is the NPM version legit?

I promise I'm not trolling. I'm not an expert at JS or NPM, but I've used them off and on over the years, so if there is a common explanation for this that I'm not aware of, please forgive me and educate me.

Thanks!

shaozi commented 3 weeks ago

It's because of my lack of automation to auto-publish whenever a new version is pushed. Currently working on that part.

matsaleh13 commented 3 weeks ago

It's because of my lack of automation to auto-publish whenever a new version is pushed. Currently working on that part.

Thanks for the reply.

However, could you please clarify "publish" and "pushed"? Are you "publishing" to NPM and "pushing" to GitHub? Or the other way around?

Either way, NPM shows the most recent version, but I can't find any reference back to the commits that were included in the NPM package.

I'm not trying to be difficult here, just trying to do proper due diligence to verify the software we plan to use. Thanks in advance for your patience.
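The due diligence asked for above is mechanical: what npm serves for a version should be the same files as the matching tag on GitHub. The script below is an added example, not code from the issue or from the ldap-authentication project. The package name and version are the ones discussed in the thread; the tag name v3.2.2 and the repository URL are assumptions. The registry commands (`npm view`, `npm pack`, `npm audit signatures`) are the real npm CLI and need network access, so they sit in a function that is not run by default; the comparison itself is exercised offline on a constructed sample tree.

```shell
#!/bin/sh
# Added example (not part of the issue or the ldap-authentication project):
# check that what npm serves for a version is the same code as the matching
# GitHub tag. Package name and version come from the thread; the tag name
# and repository URL below are assumptions.

PKG=ldap-authentication
VER=3.2.2
REPO_URL=https://github.com/shaozi/ldap-authentication   # assumed
TAG="v$VER"                                               # assumed tag name

# Network steps, shown but not run by default (subshell, so cd is local).
# The registry metadata carries `gitHead` (the commit `npm publish` ran from,
# when npm could determine it) and `dist.integrity` (SRI hash of the tarball).
# `npm audit signatures` checks registry signatures / provenance attestations
# on an installed tree, which is a separate, complementary check.
fetch_inputs() (
  work="$1"
  mkdir -p "$work" && cd "$work" || exit 1
  npm view "$PKG@$VER" gitHead dist.integrity
  npm pack "$PKG@$VER" >/dev/null                  # writes ldap-authentication-3.2.2.tgz
  mkdir -p tarball && tar -xzf "$PKG-$VER.tgz" -C tarball   # unpacks to tarball/package
  git clone --quiet --depth 1 --branch "$TAG" "$REPO_URL" repo
  diff_trees "$work/tarball/package" "$work/repo"
)

# diff_trees TARBALL_DIR REPO_DIR
# Every file shipped in the tarball must exist, byte for byte, in the tag
# checkout. Prints "MISSING <path>" or "CHANGED <path>" per offending file and
# returns 1 on any difference, 0 when the tarball is fully accounted for.
# Files present in the repo but absent from the tarball (tests, CI config) are
# normal and are not reported; the supply-chain risk is code that exists only
# on npm.
diff_trees() {
  pkg="$1"; repo="$2"; rc=0
  list=$(mktemp)
  find "$pkg" -type f > "$list"
  while IFS= read -r f; do
    rel=${f#"$pkg"/}
    if [ ! -f "$repo/$rel" ]; then
      printf 'MISSING %s\n' "$rel"; rc=1
    elif ! cmp -s "$f" "$repo/$rel"; then
      printf 'CHANGED %s\n' "$rel"; rc=1
    fi
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# make_sample_trees DIR: constructed sample input so the check runs offline.
# DIR/pkg mimics an unpacked tarball, DIR/repo a matching checkout, DIR/bad a
# checkout where one published file differs and one is absent entirely.
make_sample_trees() {
  d="$1"
  mkdir -p "$d/pkg/lib" "$d/repo/lib" "$d/bad/lib"
  printf 'module.exports = require("./lib");\n' > "$d/pkg/index.js"
  printf '{ "name": "%s", "version": "%s" }\n' "$PKG" "$VER" > "$d/pkg/package.json"
  printf 'exports.authenticate = () => true;\n' > "$d/pkg/lib/index.js"
  cp "$d/pkg/index.js" "$d/pkg/package.json" "$d/repo/"
  cp "$d/pkg/lib/index.js" "$d/repo/lib/"
  cp "$d/pkg/index.js" "$d/bad/"                 # package.json deliberately missing
  printf 'exports.authenticate = () => false;\n' > "$d/bad/lib/index.js"
}

# Offline demonstration on the constructed trees.
SAMPLE=$(mktemp -d)
make_sample_trees "$SAMPLE"
if diff_trees "$SAMPLE/pkg" "$SAMPLE/repo"; then echo "pkg vs repo: identical"; fi
if ! diff_trees "$SAMPLE/pkg" "$SAMPLE/bad"; then echo "pkg vs bad: differences listed above"; fi
rm -rf "$SAMPLE"
```

A CHANGED line is a file to read, not proof of tampering: a prepack or build step can legitimately rewrite package.json or generate dist files that are not committed. MISSING lines are the ones that matter most, since they are files that exist only in the published artifact. The check only works once a tag exists for the published version, which is exactly what the thread is asking the maintainer to create.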

shaozi commented 2 weeks ago

Publish means I published to npm. Push (a release) means I pushed a release to GitHub Releases.

joshwalker9115 commented 6 days ago

Hi @shaozi, and thank you for all the work maintaining this!

Seconding the above comment, can you create a v3.2.2 release on GitHub from the current state so that it matches npm? It sounds like I'm not the only one who needs to prove the security of this library 😄

shaozi commented 3 days ago

OK. I have added a GitHub Action to sync the GitHub release and the NPM package. Now both of them should show the same version.