-
Notifications
You must be signed in to change notification settings - Fork 215
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
replace crypto-js #275
Comments
When i was introducing crypto-js i was already aware of crypto-es and decided for crypto-js for several reasons:
|
I don't like to argue popularity as the primary reason for choosing one over another, but in this case I do fear that crypto-es doesn't have enough eyes on it, and ultimately this library won't gain much from switching to it. We already use deep imports which provides most of the advantage that tree-shaking the ES modules port would provide. Looking forward, we should be able to eventually use the Web Crypto APIs directly. There are projects like webcrypto-liner which might let us move off of crypto-js sooner while we wait for ubiquitous webcrypto support, but for now I think the safest option is to continue using crypto-js. |
Crypto.subtle would be really nice and natively supported, but it only working in a secure context (HTTPS), which makes it useless for development proposes where most people operate with HTTP. This will be a pity in the very long run. I would really prefer native (browser + nodejs) support, which is currently not possible :-(
|
As an aside, these days I tend to use https for development, because if I don't I end up hitting too many CORS issues - so I find it's easier to "bite the bullet" and just use https throughout. |
@pamapa this is a really great library in our team and we would like to plus one 👍 this feature request |
@pamapa this also effects esm-only environments (e.g. native browser modules). currently it isn't possible to use oidc-client-ts in a browser natively because crypto-js ships commonjs. the benefits of oidc-client shipping an esm entrypoint go out of the window because of that. do you have any suggestions for how this could be moved forward? unless you plan on contributing ESM upstream to crypto-js, it looks like whatever solution you choose will result in dropping that package. if alternatives have downsides, they're probably worth it compared to this package being useless without a bundler. happy to help figure it out if needed |
@43081j Have you tried https://cdnjs.com/libraries/oidc-client-ts? |
to what end? it isn't really a solution to move off npm to using CDNs for dependencies. and even if we did that somehow, the only CDNs that'd work are themselves running bundlers internally. ultimately, crypto-js doesn't work natively in browsers (it is a commonjs module). therefore, oidc-client-ts doesn't work natively in browsers. the only solutions really are to make crypto-js work in browsers (contribute upstream so they publish a browser entrypoint) or move off crypto-js to something which already works in browsers. of course, bundlers can solve this by transforming commonjs dependencies into es modules. but we shouldn't really put constraints on consumers' workflows to be able to use this package. its not a straight forward problem to solve though, i understand. |
We need so little crypto. Maybe we simply check if It looks like only
|
thats possible. it may be worth looking around for any more modern wrappers around crypto too (i.e. ones which already fall back to native when available). would save us a lot of time if someone already went through the trouble alternatively we just have two entrypoints (esm/browser and cjs) which each define their own crypto somehow (entrypoints so we don't mess around with conditionally importing stuff etc). |
@pamapa just catching up on this again. it looks like browser support for crypto is pretty widespread at this point. what do you think to simply using the browser's crypto implementation in a breaking version? anyone who runs on very old browsers can use the old major version, since no new features would be added anytime soon. im happy to put a PR together if we're in agreement one thing to also keep in mind is that crypto is async in the browser. right now you compute all this stuff in constructors of classes. a fair chunk of refactoring will need doing to move this logic into some async methods instead, which means breaking changes to the public API i imagine too. |
a possible temporary solution is to just change the browser entrypoint to be ESM rather than IIFE. is there really anyone out there using oidc-client-ts via an IIFE script? highly doubtful unless im missing something. "browser" these days should really mean an ES module. in this case, one which is bundled. we could pretty much set the browser bundle's you'd still need to replace crypto eventually just because the parts depending on it will basically import a stub meanwhile. |
Work as expected with crypto-es -> https://github.com/RoXuS/oidc-client-ts/tree/crypto-es We have to fork and push this version on our private registry to use it... |
Thanks for taking efforts here. Would be awesome if you can come up with a proof of concept merge request, such we can see what all needs to change... |
have created a draft #909 for anyone curious don't expect that PR to land, its more to help us get this moving and bounce some ideas around |
Crypto-js was recently tagged with a critical CVE (see CVE-2023-46233). Is there anything I can do to help move along a PR to remove it as a dependency? |
@shawnrice I plan to remove it myself next week unless the author for this draft merge request #1196 resolves the conflicts and i can merge it. After this is merge you can help testing. I plan to make a v3 beta release soon... |
When using
oidc-client-ts
in an Angular application, the following warning is raised:There is a solution to explicitely make the warning silent in the application :
But I was thinking that, maybe,
oidc-client-ts
could simply migrates to crypto-es. What do you think ?Because unfortunately
crypto-js
doesn't seem to care about moving to es module.. #60 and #236The text was updated successfully, but these errors were encountered: