-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
packages hijacking #157
Comments
After some more investigation, it seems that asset-packagist created composer packages only for some of the git tags in the zxcvbn-ts repository. Those tags are those that are shared with zxcvbn. This explains why the old package has hijacked this one. The problem is still partly there:
Surprisingly, forcing composer to install |
Hello! |
Eventually, I understand that the wrong package ("npm-asset/zxcvbn") is displayed on this page.
composer require npm-asset/zxcvbn-ts--core
and the wrong package gets installed.In other words the package "npm-asset/zxcvbn" has hijacked "npm-asset/zxcvbn-ts--core", though they are unrelated (the latter started as a rewrite of the former, but their APIS are now incompatible).
Unless I'm mistaken, there is no way to install the real package "npm-asset/zxcvbn-ts--core". That's alright, but in any case another incompatible package should never get installed instead.
On a side note, the link on https://asset-packagist.org/package/npm-asset/zxcvbn-ts--core is wrong and sends to a 404 page:
https://npmjs.com/package/zxcvbn-ts--core should become https://www.npmjs.com/package/@zxcvbn-ts/core
The text was updated successfully, but these errors were encountered: