node-oauth2-server
Plan next v3 release
It's been almost a year now since the last v3 was released from master. Quite a few things have been fixed and others added since then. I've been installing from #dev branch for a while now, and now I'm wondering when I'll be able to switch to a more stable option.
What are your plans for a next v3 release?
This should probably also be in the next release: https://github.com/oauthjs/node-oauth2-server/pull/464
Merging the current dev branch to master would be great!
I agree. Create project, but missing updates. Have been waiting for #452 and #464.
I'll get stuff merged next week and release a beta.
Just an update here - waiting on a few responses on a couple of more PRs to see if we can get it in. There's a breaking change, so we'll be making this next release v4.0.0.
We should get not-breaking changes in v3 as well. Not doing so means discontinuing v3, thus leaving all of us, the users, with "latest" legacy.
I can help out if time is a problem.
@razvanz It's a very small breaking change - changing the server_error status code from 503 to 500. I'm not sure if it's worth keeping the 3.x version around just for that. It's been merged into dev already and there's a lot of other PRs there. I'd prefer not to maintain 3 different release branches. So the way I see it is I could either reverse out this change for now, get a 3.1.0 release out, and then do 4.0 later with this change, or release it all as 4.0 with the understanding that this is the only breaking change (and the fact that we are possibly dropping support for node 4.x).
WDYT?
@mjsalinger Considering the small impact of the (503 -> 500) breaking change, it wouldn't be a problem to go straight to v4. However, now that dropping support for node@4 has been brought to discussion, there might be users with a hard-dependency on this version of the engine, so for their sake a v3.1 before v4 would be more appropriate.
TLDR: Without dropping support for node@4, going straight to v4 is acceptable, otherwise, it would be nice to have a v3.1 before.
@razvanz The problem I'm running into here is security-related. node v4 is completely EOL by the node.js project, and no longer has security support; also, the linter we are using, jshint, has a security issue and is no longer maintained. The recommended path is to go to eslint, but that package has dropped support for node 4. I don't feel comfortable doing another release that has vulnerabilities.
Today I published two versions of node-oauth2-server:
3.0.1 contains dependency upgrades only
3.1.0-beta.1 installed under the next tag in npm, this contains a bunch of fixes and a couple of new features. Please submit any issues with this release as separate issues, and we'll try to get a GA release in the next couple of weeks.
This will be the last 3.x branch release and last branch to support node 4.x. After this we'll turn attention to 4.0.0.
While this is in beta, I'll work to get the express wrapper in line with the new versions and tested.
Also added 4.0.0-dev.1 to the dev tag, will update this every few days with merged PRs. Once 3.1.0 goes stable, we'll move 4.0.0 to a beta.
That's great. Thanks!
4.0.0-dev.2 released
@mjsalinger I have been using the 4 beta version and it has been working fine. Any plans to make it a stable version? Thanks.
Hoping to pick this up with a full v4 release shortly