Open
Description
During install, npm logs the notice:
warning bcrypt-as-promised > bcrypt@0.8.7: bcrypt < v2.0.0 is susceptible to bcrypt wrap-around bug. Upgrade to bcrypt >= v2.0.0 for improved support for newer bcrypt hashes
There's another security issue with a nested dependency, growl -> https://nodesecurity.io/advisories/146
The bcrypt package now supports promises:
with promises
bcrypt uses whatever Promise implementation is available in global.Promise. NodeJS >= 0.12 has a native Promise implementation built in. However, this should work in any Promises/A+ compliant implementation.
Async methods that accept a callback return a Promise when the callback is not specified, if Promise support is available.

```js
bcrypt.hash(myPlaintextPassword, saltRounds).then(function(hash) {
  // Store hash in your password DB.
});
```
There also hasn't been an update to this package in 2 years. It's still getting a lot of downloads, which means a lot of installs are pulling in these vulnerabilities; this package should either be upgraded or deprecated.
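The two findings above are both nested dependencies: bcrypt < 2.0.0 reached through bcrypt-as-promised, and growl reached through some other package. An added example (not code from this issue or from the bcrypt-as-promised project) of how a maintainer can detect that class of problem mechanically: walk an `npm ls --json`-style dependency tree and flag any installed version below a known-fixed version, reporting the full path so the direct dependency responsible is visible. The sample tree, the version numbers other than bcrypt@0.8.7, and the growl threshold of 1.10.0 are constructed or assumed for the example; the issue itself only links the advisory and does not state the fixed growl version.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisories keyed by package name: any installed version strictly below
// `fixedIn` is flagged. bcrypt's threshold is the one in the npm deprecation
// notice quoted in the issue; growl's 1.10.0 is an ASSUMED placeholder because
// the issue only links advisory 146 without naming the fixed version.
const ADVISORIES = {
  bcrypt: { fixedIn: '2.0.0', note: 'bcrypt wrap-around bug (npm deprecation notice)' },
  growl: { fixedIn: '1.10.0', note: 'nodesecurity advisory 146 (fixed version assumed)' },
};

// Recursively walk an `npm ls --json`-shaped tree and collect findings. Each
// finding records the dependency path, so the maintainer sees which direct
// dependency is pulling in the vulnerable package.
function findVulnerable(tree, advisories = ADVISORIES, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = path.concat(`${name}@${info.version}`);
    const adv = advisories[name];
    if (adv && compareVersions(info.version, adv.fixedIn) < 0) {
      out.push({
        name,
        version: info.version,
        fixedIn: adv.fixedIn,
        path: here.join(' > '),
        note: adv.note,
      });
    }
    findVulnerable(info, advisories, here, out);
  }
  return out;
}

// CONSTRUCTED sample tree shaped like `npm ls --json` output for a project that
// depends on bcrypt-as-promised (pinning bcrypt 0.8.7) and on a test runner
// that pulls in growl. All versions except bcrypt@0.8.7 are made up here.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'bcrypt-as-promised': {
      version: '1.1.0',
      dependencies: { bcrypt: { version: '0.8.7' } },
    },
    mocha: {
      version: '3.5.3',
      dependencies: { growl: { version: '1.9.2' } },
    },
    // A direct, already-upgraded bcrypt is not flagged.
    bcrypt: { version: '2.0.1' },
  },
};

for (const f of findVulnerable(SAMPLE_TREE)) {
  console.log(`${f.path}: ${f.name}@${f.version} < ${f.fixedIn} -- ${f.note}`);
}
```

On a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --json --all` and keep the advisory table in sync with the advisories the project tracks; the point of walking the whole tree rather than only `package.json` is exactly the case in this issue, where the vulnerable package is never named by the project itself.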