BWS CLI appears to be abandoned
Steps To Reproduce
- Go to the releases page, observe that the most recent release is more than 1 year ago.
- Go to issues, observe dozens of open issues which are unaddressed in the intervening year, even from before v1.0.0
- Go to releases page, observe large random jumps (v0.5.0->v1.0.0) rather than regular patches and bug fixes.
- Go to releases page and observe that significant development hasn't happened since late 2023.
- Clone and build main, observe that things have changed since v1.0.0 (e.g. #941 is fixed) but there is no release for people to use.
Expected Result
Some form of regular release cycle for this highly sensitive software which you are asking your customers to trust with their secrets.
Actual Result
There are no releases, and thus no bug fixes or security updates in over a year. Some fixes that have been implemented are in main somewhere, so nobody can tell what has been fixed via e.g. release notes or updated issues.
Screenshots or Videos
No response
Additional Context
We are a BWS customer. The BWS CLI is the primary interface for the product we pay for. There appear to have been no major versions, features, security updates or bug fixes released in over a year.
Currently I have automation which builds the CLI from main just to get a few bug fixes that have happened some time in 2025. For example #941 (outstanding for >14 months) is actually fixed, but not in v1.0.0 (>12 months old).
This is not what I would expect from software which is supposedly at v1.0. We already use bitwarden for credential management which is why we are trying it out for secrets, but having to do extra work to paper over bad process and do paid beta testing is not going to keep customers on board very long. Especially when the paid beta testing doesn't result in any fixes or features...
So what's going on? Did management pull the development resources or something?
Operating System
Linux
Operating System Version
No response
Shell
Bash
Build Version
:-|... main.
Issue Tracking Info
- [x] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Thanks for the feedback. We’re currently planning the next CLI release and aligning updates from recent development work. We appreciate your input and your patience!
Can you be a bit more specific on a possible timeline and continuous updates of the client in the future?
I looked through Open issues, and this comment does not give much confidence in following up on things: https://github.com/bitwarden/sdk-sm/issues/34#issuecomment-1743925522
I believe secrets still can only be fetched by UUID.
@maxkpower Any update on the project? I was just about to dive into using it when I found out that it won't even build with pip on MacOS. This issue has been known about for over a year!
@DrPsychick For now, we don’t plan to support any fetch mechanisms other than by UUID. You can, however, fetch all entries and filter them locally. Since secrets manager is really fully end-to-end encrypted, we can’t perform any server-side validation for unique key values, which means it’s possible to have multiple secrets with the same name. We’re exploring ways to improve this and are open to suggestions, but there won’t be support for this in the near term.
@awfulwoman the fix should be available within the coming weeks.
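The workaround described in the reply above (list everything, then filter locally) as an added example; it is not Bitwarden's code and not part of this thread. It assumes the full listing is a JSON array whose records carry `id`, `key` and `projectId` fields; the function names and the sample data are constructed for illustration.

```python
import json
from collections import defaultdict

class AmbiguousSecretName(Exception):
    """A name maps to more than one secret in the chosen scope."""

def index_by_name(listing_json, project_id=None):
    """Group secret UUIDs by name, optionally restricted to one project.
    Assumed record shape: {"id": uuid, "key": name, "projectId": uuid}."""
    index = defaultdict(list)
    for record in json.loads(listing_json):
        if project_id is not None and record.get("projectId") != project_id:
            continue
        index[record["key"]].append(record["id"])
    return dict(index)

def resolve_uuid(listing_json, name, project_id=None):
    """Return the one UUID for `name`; fail closed on zero or many matches."""
    matches = index_by_name(listing_json, project_id).get(name, [])
    if not matches:
        raise KeyError(f"no secret named {name!r} in scope")
    if len(matches) > 1:
        # Names are not unique server-side, so never take "the first hit".
        raise AmbiguousSecretName(f"{name!r} matches {len(matches)} secrets")
    return matches[0]

def collisions(listing_json, project_id=None):
    """Names that map to several UUIDs, for an audit before deployment."""
    index = index_by_name(listing_json, project_id)
    return {name: ids for name, ids in index.items() if len(ids) > 1}

# Constructed sample listing: placeholder UUIDs, secret values left out.
PROJ_A = "aaaaaaaa-0000-0000-0000-000000000000"
PROJ_B = "bbbbbbbb-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"id": "00000000-0000-0000-0000-000000000001", "key": "DB_PASSWORD", "projectId": PROJ_A},
    {"id": "00000000-0000-0000-0000-000000000002", "key": "DB_PASSWORD", "projectId": PROJ_B},
    {"id": "00000000-0000-0000-0000-000000000003", "key": "API_TOKEN", "projectId": PROJ_A},
    {"id": "00000000-0000-0000-0000-000000000004", "key": "API_TOKEN", "projectId": PROJ_A},
])

if __name__ == "__main__":
    print(resolve_uuid(SAMPLE, "DB_PASSWORD", PROJ_A))
    print(collisions(SAMPLE))
```

Scoping the lookup to a project removes cross-project collisions, but a duplicate inside one project still has to be resolved by a person, since nothing in the name says which UUID is the intended one.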
@maxkpower is it possible for you to be more precise other than "coming weeks"?
> @maxkpower is it possible for you to be more precise other than "coming weeks"?
It does feel like “the coming weeks” could easily mean “sometime next year”. :(
Well here we are, nearly two months later. There was ample time to explain why Oct. 2024 is the last time a commit passed CI checks, or how their processes are going to change in the future, or even just cut a release so their paying customers can get on with their lives. If I can do it, so can they. But instead BW went with the tried-and-true strategy of platitude=>promise=>inaction.
Unsurprisingly, they did not deliver. Fortunately for me, I spent the interim migrating off of BWS, and will be cancelling our subscription shortly. For anybody else considering this product, stay away. Your secrets manager is not something you want managed by vibes. This particular failure isn't even getting into the numerous other shortcomings of the product:
- We have to maintain our own CI to build from `main` to keep the CLI from crashing under basic usage.
- We have to maintain our own CI to build from `main` to get cross-arch support.
- We have to maintain our own wrappers around the CLI to get a usable product like project filtering, cloning, name collision detection, etc.
- The CLI crashes if your token has access to no secrets
- The CLI crashes if you have duplicate secret names
- The CLI crashes if used with moderately old versions of glibc
- In fact, crashing with a backtrace appears to be the CLI's preferred method of reporting any error.
- The web UI is extremely slow, taking seconds to do simple actions like displaying dialogs
- Secrets are not versioned in any way
- No project hierarchy or secrets paths are supported
- No project, secret or token policies are supported
- The API rate limits randomly for extremely modest request rates over ~1Hz
- The code is a mess of layer-upon-layer of generated bindings and indirection, to the point where it's hard to even find the code that actually does simple things like list projects.
- Basic `pip install` doesn't work unless you do surgery to get just the right (old!) python version
- The python API is not pythonic, the Rust API is not idiomatic, etc.
- And many more. See all the rest of the open issues in this repo.
It's unfortunate, because I quite like the password manager product, but this just isn't gonna cut it. Maybe management is too busy planning the Series E AI integrations to remember the users, but this is a high stakes product, and there are currently multiple incumbents that beat you on every front. The old adage, "nobody ever got fired for buying IBM" somehow seems relevant here...
I've been a Bitwarden evangelist since the beginning, but this sort of experience definitely makes me re-evaluate them as a company.
#wontfix