Adopting HAR validator

[pimterry]

Hi @ahmadnassri! I use HAR validator heavily, and I've seen the deprecation message and related issues (#196, #173).

I'd find it useful to have an actively maintained version of this library, and I'd be happy to adopt it to do so. I already maintain one npm library with 10 million+ downloads per week, and many other smaller libraries (see https://www.npmjs.com/~pimterry) so I'm well aware what this involves.

I take your point that the library is feature complete, and I don't have any large changes planned either, but at some point I expect there will be a security update or similar required here, and if this library is unmaintained that's going to result in a lot of ecosystem churn and github issues for everybody. The current deprecation message is also a mild annoyance that it'd be nice to be able to remove.

Would this be useful to you? Let me know if you're interested.

[dynamiclover]

Bump on this if @pimterry is still down!

[pimterry]

I'm still down! Haven't heard anything from @ahmadnassri but very happy to take responsibility for the package any time if he's open to it.

[joaomelo]

I take your point that the library is feature complete, and I don't have any large changes planned either, but at some point I expect there will be a security update or similar required here, and if this library is unmaintained that's going to result in a lot of ecosystem churn and github issues for everybody. The current deprecation message is also a mild annoyance that it'd be nice to be able to remove.

Apparently what you said just happened, seems that Cypress can't compile due to har-validator. see: cypress-io/cypress#19102

[ahmadnassri]

I'll revisit this discussion and the issues highlighted this week.

[csrl]

@pimterry any chance you can provide an up to date fork of the repo that people can reference until @ahmadnassri provides npm access for you to maintain the package? That might help @ahmadnassri decision as well, seeing that activity.

[pimterry]

Thanks @csrl. I'd be happy to if that were useful, but I think the only key change required in the short-term is just un-deprecating the package and having an active maintainer in case issues appear in future. There aren't any major outstanding issues that I'm aware of that need fixing right now, so I'm not sure a fork would be particularly helpful today.

Forking also potentially creates new issues here: if we fork and many depending projects migrate, and then har-validator does become actively maintained in future, we now have two modules that do the same thing which both need to be updated going forward, or we need to somehow migrate everybody back to a single package. I'd avoid that for now, until there's a concrete issue that makes it necessary.

Other than the deprecation, is there a specific issue that you'd like a fork to fix @csrl?

[csrl]

Hi @pimterry , thank you for the response. What brought me here are the dependencies that have security vulnerabilities. So a maintained fork that has up to date dependencies would be great.

[gryftir]

I'm just going to heart @ahmadnassri 's comment above, and recommend others do so, and hope @pimterry is allowed to take over. I've seen a lot of discussions elsewhere of this being an issue, it affects a bunch of diverse things (bash-language-server is what brought me here), which is really a testament to how great har-validator is, and why it should be continued forward.

[kshartman]

Its embedded in many things including meteor. @ahmadnassri is correct that there is no known security vulnerabilities and it probably is feature complete. It's just annoying to see the deprecation warning in all my build logs.

[SugarD-x]

It seems that there are quite a few dependencies now out of date. It would be awesome to see this project continue. :)