Please update NPM package

[bluepuma77]

What's the story behind the npm package, it is already 2 years old. @nifgraup

npm audit shows several critical issues because of node-forge.

It has 110.000 weekly downloads, it would be great if everyone could use a secure version.

[nifgraup]

There are just two commit on master since the 3.1.0 release, the package is working fine and is used in an upcoming mail client for Vivaldi Browser. And as you point out, there are more users out there.

Dependency emailjs/emailjs-tcp-socket is using node-forge. It's used in an uncommon configuration, I haven't tried it myself not sure if anyone is still using the package that way.

I'll look into upgrading node-forge.

[jonny64]

npm audit --json  | jq '.advisories[].url'
"https://github.com/advisories/GHSA-8fr3-hfg3-gpgp"
"https://github.com/advisories/GHSA-5rrq-pxf6-6jx5"
"https://github.com/advisories/GHSA-wxgw-qj99-44c2"
"https://github.com/advisories/GHSA-92xj-mqp7-vmcj"
"https://github.com/advisories/GHSA-2r2c-g63r-vccr"
"https://github.com/advisories/GHSA-x4jg-mjrx-434g"
"https://github.com/advisories/GHSA-cfm4-qjh2-4765"
"https://github.com/advisories/GHSA-gf8q-jrpm-jvxq"

its too much, how about splitting this "rare" functionality in separate npm package?
the way jest did it jestjs/jest#6266

[cfe84]

Built version in "dist" also doesn't contain subscribeMailbox.