Is the repo actively maintaned?

[hakan-77]

This is a genuine question with zero sarcasm.

I am actively investigating to retire simple jwt and implement our own JWT generation/validation code since I am not sure if this repo is actively maintained.

If someone can clarify and confirm, I would not take any offense, thank you for the amazing work you have done so far, and just accelerate the migration.

If, on the other hand, this is a temporary hold, it would be great to know so we could plan accordingly.

[Andrew-Chen-Wang]

No, I do not actively maintain SimpleJWT anymore. Contributors normally ping me to look at PRs, and if they're urgent, I'll merge them and release since I'm still release manager. I'm pretty on top of releasing once there's a certain amount of PRs merged, though, and still look at PRs if it's a good feature.

But no, I do not actively commit and improve and rely on contributors for adding new source code. I just give the final stamp.

Would much rather see you become a maintainer rather than have you make something yourself to help everyone in the community; hope that answers the question!

[aalmazan]

Also curious about this question -- and I don't intend to sound demanding/entitled in any way. I am genuinely thankful for the existence of this package and the work all the contributors have given.

I do wonder though what are the conditions for this package to ever get a new release? There are 48 open PRs going back to 2019 which even contain one or more security updates. There's also the impending release of the next Django LTS which, based on some of the issue titles, might have issues with the current release.

What can we do to improve the situation? Or should we, as the OP puts it, "plan accordingly" sooner rather than later?

[hakan-77]

Fair enough, and thank you @Andrew-Chen-Wang. Is there any chance to have a back-up release manager? I understand your interests have shifted, happens to all of us.

This is a fantastic project, and I think being in "maintenance mode" would be enough to save it. Parallel to @aalmazan's suggestion, if we could merge PR's that mostly fixes bugs, especially ones related to security, support newer Django versions etc. we could have more confidence on the future of the project.

[Andrew-Chen-Wang]

I think if you have some stake in this project, the best avenue is to become a maintainer and merge PRs; you'll automatically have PR merging privileges which shouldn't be taken lightly.

as for immediate tasks, I'm not sure what's in demand. If it's updating the supported Django version, I can check. If a PR for that doesn't exist, we can make a PR. I made a small cron job to check in cookiecutter-django, so we can reuse possibly. Again, review what you need but ping me:)

[Andrew-Chen-Wang]

To anyone looking to become a maintainer, it's simple. Head to https://jazzband.co/ to get started, then head to https://jazzband.co/projects/djangorestframework-simplejwt to join the project

[aalmazan]

Perfect. Thanks for the response @Andrew-Chen-Wang. As someone who doesn't regularly check out popular package repos and issues, hitting dead-ends with future support is frustrating. Knowing now how we can move forward, I'll try to set aside some time to help out here if I can.

[monkut]

@aalmazan @Andrew-Chen-Wang

Noticed this Vulnerability, any known actions on this?
https://osv.dev/vulnerability/GHSA-5vcc-86wm-547q

[Andrew-Chen-Wang]

@monkut #779 (comment)

Actions Id like to take: clarify the vulnerability, add clarifying docs to the purpose and use cases of the experimental class, and potentially close it

[Andrew-Chen-Wang]

Hi all, I'm seeing a lot more active contribution and PR reviewers. If you have merge capabilities as a Jazzband member, please take into context/consideration PRs prior to merging or ping me! I am noticing some PRs getting accepted reviews simply to unblock issues, but we must consider the context and find long term solutions. Thanks everyone!