How to increase visibility of new scoped @node-saml/passport-saml npmjs package (starting from 4.0.0-beta.1)?

[srd90]

passport-saml npmjs package (versions up to 3.x) is renamed (”rescoped”) to @node-saml/passport-saml npmjs package starting from 4.0.0-beta.1 version ( #705 ).

Popular xmldom/xmldom ended up doing similar rename operation due known reason (xmldom/xmldom#271). It seems that large number/most of dependants of old npm package (xmldom) have not picked up new npm package (@xmldom/xmldom). They have since then tried to increase visibility/awarness/discoverability of new package with renovatebot rules (xmldom/xmldom#271 (comment) and renovatebot/renovate#15588).

It is obvious that passport-saml (dependants) shall have similar issue ahead of them.

This discussion thread was created to collect ideas how to increase chances that dependants of passport-saml could find new @node-saml/passport-saml package as easily as possible.

Renovatebot rules are one possibility and maybe releasing e.g. new versions of 3.x and adding some info logging to it…

---

node-saml npm package (up to version 4.0.0-beta.2) --> @node-saml/node-saml npm package (starting from 4.0.0-beta.3 due node-saml/node-saml#91) has similar ”migration issue”. node-saml might have extra issue which is related to the fact that node-saml npm package is not maintained by same maintainers as npm node-saml organization even though at least few beta versions were released as node-saml package in npmjs (node-saml/node-saml#21). I.e. could there be some challenges to get e.g. renovatebot rules accepted if renovatebot maintainers require that old maintainers of npmjs packages are the ones who request adding migration rules(?)

[markstos]

I like the renovatebot idea, but not everyone will be using that.

[markstos]

A new 3.x release with some extra logging about the chage also sounds good. "This package is deprecated, please follow these steps to switch to the scoped package...".

[cjbarth]

@markstos if you have some verbiage in mind, feel free to make a PR and I'll merge it and release it. I hesitate to do anything until we actually get 4.0 out the door though.

[cjbarth]

I think our primary line of defense against people using a deprecated package will be using NPM to properly deprecate it. I also note that there is a way to deprecate specific versions, which might make sense for everything before v3 even right now.

[markstos]

Sounds good to me. @cjbarth Can you deprecate 3.x?

[srd90]

@markstos : @cjbarth already deprecated unscoped passport-saml: see #807 (reply in thread)

Interesting question is whats going to happen for (unscoped) node-saml https://www.npmjs.com/package/node-saml
At the moment its dist-tag latest points to unrelated fork's newest version (3.1.1) and dist-tag beta points to old version (4.0.0-beta.2) from node-saml/node-saml

Update/edit: unscoped node-saml's popularity is rising and it seems (based on counters at Versions tab) 4.0.0-beta.2 version is by far most popular version.

[cjbarth]

@zoellner , would you consider adding a deprecation label to the unscoped node-saml package and directing people to the @node-saml/node-saml package? I used the following command to deprecate passport-saml: npm deprecate <package-name> "<message>" I used the message For versions >= 4, please use scopped package @node-saml/passport-saml ; you might want to use something similar.

Here is a reference on deprecating packages in NPM.

[zoellner]

I thought the goal was to eventually publish this repo as node-saml but I can also just mark the old package as deprecated

[cjbarth]

It was, but moving to a namespace keeps everything consistent and makes ownership a little easier for long-term maintenance of the project/package. Thanks for doing this @zoellner .

[srd90]

One more thing. Dunno how this list is maintained: https://www.passportjs.org/ —> select ”Strategies” from menu or click ”View all strategies”

At the moment https://www.passportjs.org/packages/passport-saml/ has 3.2.1 related documentation (i.e. content is not fetched from https://github.com/node-saml/passport-saml/blob/master/README.md which npmjs badge already refers to upcoming scoped package ... maybe content is fetched from npmjs package home page https://www.npmjs.com/package/passport-saml ... ).

Anyways if upcoming @node-saml/passport-saml does not end up to that passportjs'es catalog automatically via some ”passport strategy discovery process” it might be good idea to promote it somehow to that particular catalog (and make sure passport-saml strategy is marked deprecated also at passportjs strategy catalog).

fwiw there are few documents which refer to passportjs'es passport-saml package documentation (see https://www.google.com/search?q=%22www.passportjs.org/packages/passport-saml%22&filter=0 ).

[cjbarth]

I've posted about the listed strategies: jaredhanson/passport#916