Fix for Issue #50 not released for over two years #89

Open
MartinRamm opened this issue Oct 6, 2019 · 6 comments

@MartinRamm

MartinRamm commented Oct 6, 2019

Can you make a new release that fixes #50 (PR #52)? The issue has been solved, but unreleased, since Jul 18, 2017...

I just ran into this issue again, trying to sign a compressed payload: https://runkit.com/embed/mnbqn7bakltj

```javascript
const pako = require('pako');
const jws = require('jws');

//function copy pasted from https://github.com/brianloveswords/node-jws/blob/master/lib/sign-stream.js#L8
function base64url(buf) {
    return buf
        .toString('base64')
        .replace(/=/g, '')
        .replace(/\+/g, '-')
        .replace(/\//g, '_');
}

const payload = Buffer.from(
    pako.deflateRaw('asdfasdfasdfasdf') //returns a Uint8Array
);

//expected: "SyxOSUtEwgA"
console.log(
    base64url(
        payload
    )
);
//actual: "SyxOSUtE77-9AA"
console.log(
    jws.sign({
        header: { alg: 'none' },
        payload,
        encoding: 'utf8'
    }).split('.')[1]
);
```
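
The difference between the two values in the post above can be reproduced without `jws` or `pako`, as an added example that is not part of the original post or of the library: the `77-9` in the "actual" output is the base64url form of `EF BF BD`, the UTF-8 encoding of U+FFFD, which is what appears when binary bytes are decoded as UTF-8 text and encoded again. The function names and the round-trip guard are hypothetical, and the example assumes that such a decode/encode step is what the payload goes through before signing.

```javascript
// Added example: why a binary Buffer changes when it is treated as UTF-8 text.
// PAYLOAD_B64URL is the "expected" value quoted in the issue; the helper names
// below are hypothetical and are not part of jws.

// Same transformation as the base64url helper quoted in the issue.
function base64url(buf) {
  return buf.toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Decode bytes as UTF-8 text and encode them again (assumed to be what
// happens to a Buffer payload that is stringified before encoding).
function utf8RoundTrip(buf) {
  return Buffer.from(buf.toString('utf8'), 'utf8');
}

// True only if the bytes survive the round trip unchanged, i.e. the buffer
// is valid UTF-8 and can be handled as a string without loss.
function survivesUtf8(buf) {
  return utf8RoundTrip(buf).equals(buf);
}

// First offset where the round-tripped bytes diverge, or -1 if they match.
function firstCorruptOffset(buf) {
  const after = utf8RoundTrip(buf);
  const n = Math.min(buf.length, after.length);
  for (let i = 0; i < n; i++) {
    if (buf[i] !== after[i]) return i;
  }
  return buf.length === after.length ? -1 : n;
}

const PAYLOAD_B64URL = 'SyxOSUtEwgA';                   // from the issue
const original = Buffer.from(PAYLOAD_B64URL, 'base64'); // raw deflate bytes
const mangled = utf8RoundTrip(original);

console.log('original bytes:', original.toString('hex'));
console.log('after utf8    :', mangled.toString('hex'));
console.log('encoded       :', base64url(original), 'vs', base64url(mangled));
console.log('corrupt offset:', firstCorruptOffset(original));

// Guard a caller can apply before handing a Buffer to code that may
// stringify it: refuse payloads that would not round-trip.
if (!survivesUtf8(original)) {
  console.log('payload is not valid UTF-8; signing it as text would cover different bytes');
}
```

A signature computed over the round-tripped bytes covers data that no longer inflates to the original input, so a check like `survivesUtf8` is worth running on any binary payload until the signer is confirmed to handle Buffers byte-for-byte.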
@EricKwan2014

haha, happy new year, 3 yrs is coming :)

@awatson1978

Is this going to ever get released? People need this functionality!

@davidgtonge

I strongly recommend migrating to this library: https://github.com/panva/jose

@awatson1978

awatson1978 commented Apr 21, 2021

Considered it, but jose only has 500K weekly downloads, while jws has 8.8M weekly downloads. We’re not looking for bleeding-edge functionality. Rather, looking for ubiquity of use, support for legacy hardware, and stability.

Talked with somebody from Microsoft yesterday, and we identified that issue #50 has been merged into the default branch and not been published to NPM, so an acceptable workaround for us was to specify the package via GitHub packages, using the following syntax in our package.json dependencies:

```json
"jws": "github:auth0/node-jws"
```

@davidgtonge

This library is clearly no longer being actively maintained, whereas jose is.

@panva @dschenkelman do you know what the plan is for this library? Personally I think it should be deprecated and people pointed to jose

@awatson1978

awatson1978 commented Apr 21, 2021

You mean no longer providing free development services? No longer pushing regular breaking changes? Sounds like a feature, not a flaw.

People judge tech requirements according to different requirements, some of which don’t include keeping up with every latest idea or proposal. 2 to 4 years between releases is completely reasonable for a mature library, such as jws, that has completed what it set out to implement.

The maintenance headaches with these kinds of libraries once they go mature is migrating them between package management systems and getting them loaded up in compilers and emulators. That tends to be more systems maintenance work than library programming.

So, as far as I can tell, the programming work was completed for #50 by way of the open source community, and it was only the publication process that broke down. But Microsoft has stepped in and provided an alternative.

Seems like it’s being maintained to me. Responsibilities are organized differently than they used to be, though, and being managed by the open-source community and Microsoft. Which is sort of the intent of open-source in the first place.
¯\\\_(ツ)\_/¯
