No deprecation warning/notice in the NPM registry for the deprecated passport-azure-ad Node module

[ethanherbertson]

The default and only widely-used public registry for NodeJS packages, https://registry.npmjs.org/, does not currently flag the "passport-azure-ad" package as being deprecated, despite the deprecation notice published to the README of that project months ago, here: https://github.com/AzureAD/passport-azure-ad?tab=readme-ov-file#node-js-validation-replacement-for-passportjs.

This means that the many thousands of weekly installs of that module are not generating warnings visible to users that they are using unsupported/deprecated software.

Additionally, in the NPM registry's page for the package, the links to the project's repository and homepage are currently pointing to https://github.com/AzureAD/microsoft-authentication-library-for-js, which also does not contain a deprecation notice... and indeed does not obviously contain the project in question at all.

Instructions on how to properly deprecate Node packages are available here: https://docs.npmjs.com/deprecating-and-undeprecating-packages-or-package-versions

(Apologies if this issue is being filed on the wrong repository. I was directed by the deprecation notice to a discussion on this project, so I assume this is where the ownership of this issue belongs.)

[jennyf19]

Thanks @ethanherbertson

@EmLauber Can you look into this one?

[EmLauber]

NPM is now appropriately updated to reflect that passport-azure-ad is deprecated.

[nwalters512]

It looks like this is the deprecation message:

This is not very useful to me as a user as it doesn't tell me what I should replace the package with. Can you provide a better deprecation message to point me to the appropriate replacement package?

[ethanherbertson]

@nwalters512 if you weren't aware, the latest info from the devs is that there is no recommended replacement yet.

@EmLauber Thank you for doing this! I would strongly recommend replacing the link to NPM support with a link to the deprecation message here: https://github.com/AzureAD/passport-azure-ad?tab=readme-ov-file#node-js-validation-replacement-for-passportjs

NPM support is really more for package maintainers, and your users would likely appreciate a breadcrumb towards the official explanation and discussion links.

[nwalters512]

if you weren't aware, the latest info from the devs is that there is no recommended replacement yet.

I'm unfortunately all too aware of this, with multiple large applications in production that rely on said deprecated package with no replacement 😢 truly insane behavior and decisions from Microsoft, but whatever. I just want the deprecation message to be upfront about the situation, instead of the generic "contact npm support" message that's currently there. Folks shouldn't have to hunt to find this important information.

[EmLauber]

Thank you for your feedback. We have updated the depreciation message to link to https://github.com/AzureAD/passport-azure-ad?tab=readme-ov-file#node-js-validation-replacement-for-passportjs

[andrew-corliss]

@EmLauber - has there been any decision made from MS or can there be an update to the thread linked as to what developers should use instead for authenticating via MSAL or what a valid Passport strategy alternative is? There is no information on what should be the next steps?

side note in MS own documentation : https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-in-node-web-app-with-api is still pointing to use passport-azure-ad Can this be updated?