npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
It looks like inflight is being installed by bcrypt:
Ok. Is bcrypt still needed for Meteor to work? I had npm build issues after upgrading to Meteor 3 (most likely because I am still on bcrypt version 3) and noticed that I do not get a warning anymore if I removed it completely. If it still makes sense to re-add it, which version should I use? I’m also asking because I got dependies of older packages which I would have to patch, too.
It’s being used by the accounts-password package here, so if you’re using that package than bcrypt is still needed. FWIW I’ve been on version 5 of bcrypt for awhile now (on Meteor 2) with no issues. Can’t speak to any issues with npm build issues yet as I’m working on getting my Dockerfile working again with Meteor 3.
Thanks for the info. IIRC, earlier Meteor used a software version of bcrypt if one did not install it directly. But this seems to have changed. I added bcrypt 5.1.1 now, and it works fine, so I’ll keep it as this, just to be on the safe side.
I am curious whether you use Ask AI on Meteor. This is kind of … opinion survey question. The feature is a bit “deep” into the Meteor website and I am not sure it gets exploited enough.
While bcrypt is not strictly required, it is highly recommended for Meteor applications using password-based authentication. Here's why:
1. Security: bcrypt is a secure password hashing algorithm that helps protect user passwords in case of a database breach.
2. Performance: The native bcrypt implementation is significantly faster than the pure JavaScript version.
3. Warnings: Meteor will display warnings if you're not using the native bcrypt implementation.
To install bcrypt, you should run:
meteor npm install --save bcrypt
It's important to use `meteor npm` instead of just `npm` to ensure compatibility with the version of Node.js bundled with Meteor.
If you don't install bcrypt, Meteor will fall back to a pure JavaScript implementation, but you'll see warnings like this:
Note: you are using a pure-JavaScript implementation of bcrypt.
While this implementation will work correctly, it is known to be
approximately three times slower than the native implementation.
In order to use the native implementation instead, run
meteor npm install --save bcrypt
in the root directory of your application.
For the best security and performance, it's recommended to follow this advice and install the native bcrypt implementation.
[Meteor npm documentation](https://v3-docs.meteor.com/cli/#meteor-npm) provides more details on using `meteor npm` for package installation.
Thanks. I wasn’t aware of this feature. But obviously, the information is outdated. Meteor does not show any warnings if you omit the package, and also, someone posted in another thread that Meteor’s account package actually imports from bcrypt, so I guess it’s mandatory now (at least, if you’re using accounts-password). Added it now, and it works without issues with 5.1.1. Just the 3.x version I used before won’t compile on my Apple M3 machine anymore.
The new V3 documentation makes a reference to the algorithm but doesn’t clearly indicate that the NPM must be installed. Same in V2. I think the dependency requirement has been lost somewhere in between V1 and V2 or at the time of deprecation of the npm-bcrypt meteor package. Then the dependency on brcypt has been added directly where it is needed, in the accounts-password package: meteor/packages/accounts-password/package.js at a7825712f373b6152e8653e0ee3a872f0e57f4c7 · meteor/meteor · GitHub
My understanding now is that, technically, if you use accounts-password you don’t need to add the bcrypt NPM because the package has it as dependency so it will install it anyway (an older V5 version though). If you don’t use accounts-password then you don’t need it anyway.
So I think it should be ok to either keep it or remove it.
On the other hand, there is an active discussion to have bcrypt replaced to something more … maintained:
I will go back to Ask Ai and ask the same question so that I can rank down the answer ;).
It was very constructive for me to have this conversation as I realized I was adding bcrypt to all my projects but I don’t use accounts-password in any of them…
Interesting. I didn’t know that accounts-password adds it automatically. If this is the case, I will remove the explicit dependency. This would also ensure that I am always using the right version, I guess.
Thanks for this great info.