zxcvbn - npm Package Compare versions

Comparing version 3.1.0 to 3.2.0

package.json

 {
   "name": "zxcvbn",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "realistic password strength estimation",
-  "main": "lib/zxcvbn.js",
+  "main": "lib/main.js",
   "repository": {
@@ -11,4 +11,5 @@ "type": "git",
   "scripts": {
-    "build": "browserify --debug  --standalone zxcvbn -t coffeeify --extension='.coffee' -t uglifyify src/main.coffee |   exorcist lib/zxcvbn.js.map >| lib/zxcvbn.js",
-    "watch": "watchify --debug -v --standalone zxcvbn -t coffeeify --extension='.coffee' -t uglifyify src/main.coffee -o 'exorcist lib/zxcvbn.js.map >| lib/zxcvbn.js'"
+    "prepublish": "coffee -o lib --compile --bare --map src/*.coffee",
+    "build": "browserify --debug  --standalone zxcvbn -t coffeeify --extension='.coffee' -t uglifyify src/main.coffee |   exorcist dist/zxcvbn.js.map >| dist/zxcvbn.js",
+    "watch": "watchify --debug -v --standalone zxcvbn -t coffeeify --extension='.coffee' -t uglifyify src/main.coffee -o 'exorcist dist/zxcvbn.js.map >| dist/zxcvbn.js'"
   },
@@ -36,2 +37,3 @@ "keywords": [
     "browserify": "^11.0.1",
+    "coffee-script": "^1.9.3",
     "coffeeify": "^1.1.0",
@@ -38,0 +40,0 @@ "mocha": "^2.2.5",

README.md

@@ -10,3 +10,3 @@ ```
 
-zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes and weighs 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (`aaa`), sequences (`abcd`), keyboard patterns (`qwertyuiop`), and l33t speak.
+`zxcvbn` is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes and weighs 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (`aaa`), sequences (`abcd`), keyboard patterns (`qwertyuiop`), and l33t speak.
 
@@ -16,3 +16,3 @@ Consider using zxcvbn as an algorithmic alternative to password policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
 * __More secure__: policies often fail both ways, allowing weak passwords (`P@ssword1`) and disallowing strong passwords (`incorrectdonkeyvoltaicclip`).
-* __More flexible__: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are either terrible or great depending on length and number of turns, and capitalization adds more complexity when it's unpredictABLe. Neither crackers nor zxcvbn are fooled by `'@'` for `'a'` or `'0'` for `'o'`.
+* __More flexible__: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are either terrible or great depending on length and number of turns, and capitalization adds more compleity when it's unpredictaBle. Neither crackers nor zxcvbn are fooled by `'@'` for `'a'` or `'0'` for `'o'`.
 * __More usable__: Dumping a list of password rules onto users hurts usability. Understanding and satisfying said rules can be time-consuming and frustrating, leading to passwords that are [harder to remember](https://xkcd.com/936/). Use zxcvbn instead to build simple, rule-free interfaces that give instant feedback.
@@ -22,2 +22,4 @@
 
+[Release notes](https://github.com/dropbox/zxcvbn/releases)
+
 For more motivation, see:
@@ -57,3 +59,3 @@
 
-## Node / npm / browserify
+## Node / npm
 
@@ -69,4 +71,2 @@ zxcvbn works identically on the server.
 
-And should automatically work with browserify. The easiest browserify setup is to include zxcvbn in your main bundle. If script size is an issue, see the [performance](#perf) section below for tricks to reduce latency.
-
 ## RequireJS
@@ -82,2 +82,25 @@
 
+## Browserify / Webpack
+
+If you're using `npm` and have `require('zxcvbn')` somewhere in your code, browserify and webpack should just work. But we recommend against bundling zxcvbn via tools like browserify and webpack, for three reasons:
+
+* Minified and gzipped, zxcvbn is still several hundred kilobytes. (Significantly grows bundle size.)
+* Most sites will only need zxcvbn on a few pages (registration, password reset).
+* Most sites won't need `zxcvbn()` immediately upon page load; since `zxcvbn()` is typically called in response to user events like filling in a password, there's ample time to fetch `zxcvbn.js` after initial html/css/js loads and renders.
+
+See the [performance](#perf) section below for tips on loading zxcvbn stand-alone.
+
+Tangentially, if you want to build your own standalone, consider tweaking the browserify pipeline used to generate `dist/zxcvbn.js`:
+
+``` shell
+browserify --debug --standalone zxcvbn -t coffeeify --extension='.coffee' -t uglifyify src/main.coffee | exorcist dist/zxcvbn.js.map >| dist/zxcvbn.js
+```
+
+* `--debug` adds an inline source map to the bundle. `exorcist` pulls it out into `dist/zxcvbn.js.map`.
+* `--standalone zxcvbn` exports a global `zxcvbn` when CommonJS/AMD isn't detected.
+* `-t coffeeify --extension='.coffee'` compiles `.coffee` to `.js` before bundling. This is convenient as it allows `.js` modules to import from `.coffee` modules and vice-versa. Instead of this transform, one could also compile everything to `.js` first (`npm run prepublish`) and point `browserify` to `lib` instead of `src`.
+* `-t uglifyify` minifies the bundle through UglifyJS, maintaining proper source mapping.
+
+Note that it is not advisable to "rebrowserify" or webpack `dist/zxcvbn.js`; make sure to bundle from `lib/*` (complied js), or, alternately `src/*` (coffee) using a transform/loader.
+
 ## Manual installation
@@ -179,3 +202,3 @@
 
-zxcvbn is built with CoffeeScript, browserify, and uglify-js. CoffeeScript source lives in `src`, which gets compiled, bundled and minified into `lib/zxcvbn.js`.
+zxcvbn is built with CoffeeScript, browserify, and uglify-js. CoffeeScript source lives in `src`, which gets compiled, bundled and minified into `dist/zxcvbn.js`.
 
@@ -191,2 +214,4 @@ ``` shell
 
+For node developers, in addition to `dist`, the zxcvbn `npm` module includes a `lib` directory (hidden from git) that includes one compiled `.js` and `.js.map` file for every `.coffee` in `src`. See `prepublish` in `package.json` to learn more.
+
 # Acknowledgments
@@ -193,0 +218,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

AI-detected potential code anomaly

Supply chain risk

AI has identified unusual behaviors that may pose a security risk.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

7235907

increased by70.34%

Number of package files

21

increased by75%

Number of lines in readme file

222

increased by12.69%

Number of low supply chain risk alerts

2

decreased by-50%

Worsened metrics

Dev dependency count

7

increased by16.67%

Lines of code

8101

decreased by-39.49%

No dependency changes