Replacing the Abandoned zxcvbn Library — Why We Migrated to @zxcvbn-ts/core
Release: v1.0.391 · Control: DEP-10 (No Abandoned Dependencies)
Background
Password-strength estimation is a small but important part of this platform's security posture. When a user sets a password, we score its strength using the zxcvbn algorithm — originally developed by Dropbox — to give real-time feedback on how resistant the password is to brute-force and dictionary attacks.
Until v1.0.391, we used the zxcvbn npm package (4.4.2), which is the canonical JavaScript port of that algorithm. However, this package was last published to npm in 2017 and the upstream repository (dropbox/zxcvbn on GitHub) has been effectively abandoned, with no releases or active maintenance activity in approximately seven years.
The Problem with Abandoned Dependencies
A dependency that receives no updates carries compounding risk over time:
| Risk | Detail |
|---|---|
| Unpatched security vulnerabilities | No maintainer to respond to CVEs or security disclosures. |
| Environment incompatibility | No updates for newer Node.js, bundler, or TypeScript versions. |
| Stale threat model | Password-cracking techniques evolve; the library won't keep pace. |
| Type safety gap | Types had to be maintained separately via @types/zxcvbn — a community-maintained package with its own staleness risk. |
Our DEP-10 control requires that no abandoned dependencies remain in the production dependency tree. zxcvbn@4.4.2 failed this control.
The Replacement: @zxcvbn-ts/core
@zxcvbn-ts/core is a TypeScript-native, full rewrite of the original Dropbox zxcvbn algorithm. It is actively maintained, produces scores compatible with the original algorithm, and ships its own type definitions — removing the need for a separate @types/ devDependency.
Key differences
| | zxcvbn (old) | @zxcvbn-ts/core (new) |
|---|---|---|
| Last published | 2017 | Actively maintained |
| TypeScript types | Via @types/zxcvbn (separate) | Built-in |
| Language data | Bundled | Modular (@zxcvbn-ts/language-common) |
| Tree-shaking | No | Yes (ESM-native) |
| Security updates | None | Active |
What Changed in This Release
Removed packages:
- zxcvbn@4.4.2
- @types/zxcvbn (devDependency — no longer needed)
Added packages:
- @zxcvbn-ts/core — the algorithm itself
- @zxcvbn-ts/language-common — common dictionary and adjacency graph data
The password-strength scoring behaviour visible to users is unchanged. This is a like-for-like algorithm replacement under the hood.
Developer Notes
If you maintain a fork or extend the platform locally and import zxcvbn directly, update your code as follows:
Old usage
```ts
import zxcvbn from 'zxcvbn';

// `password` is the user-supplied string being scored
const result = zxcvbn(password);
console.log(result.score); // 0–4
```
New usage
```ts
import { zxcvbn, zxcvbnOptions } from '@zxcvbn-ts/core';
import { adjacencyGraphs, dictionary } from '@zxcvbn-ts/language-common';

// Configure options once at application startup. Note the lowercase
// `zxcvbnOptions` instance: `setOptions` is not a static method.
zxcvbnOptions.setOptions({ graphs: adjacencyGraphs, dictionary });

// `password` is the user-supplied string being scored
const result = zxcvbn(password);
console.log(result.score); // 0–4 — same scale as before
```
Re-running the migration
```sh
npm remove zxcvbn @types/zxcvbn && npm install @zxcvbn-ts/core @zxcvbn-ts/language-common
```
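The command above removes the direct dependency, but DEP-10 applies to the whole dependency tree, so a copy of zxcvbn pulled in transitively by another package would still fail the control. The following is an added example, not the platform's own tooling: a CI-style check that walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports banned and missing packages. The lockfile fragments and the `widget` package are constructed; versions other than zxcvbn@4.4.2 are placeholders.

```javascript
// Added example (not the platform's tooling): DEP-10 check over an npm
// lockfile (lockfileVersion 2/3), catching transitive copies too.
const BANNED = ['zxcvbn', '@types/zxcvbn'];
const REQUIRED = ['@zxcvbn-ts/core', '@zxcvbn-ts/language-common'];

// "node_modules/widget/node_modules/@types/zxcvbn" -> "@types/zxcvbn"
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns { violations, missing } for a parsed package-lock.json object.
function checkDep10(lock) {
  const violations = [];
  const present = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    present.add(name);
    if (BANNED.includes(name)) {
      violations.push({ name, path, version: meta.version, dev: meta.dev === true });
    }
  }
  return { violations, missing: REQUIRED.filter((n) => !present.has(n)) };
}

// Constructed lockfile fragments (hypothetical "widget" package; versions
// other than zxcvbn@4.4.2 are placeholders).
const beforeLock = { lockfileVersion: 3, packages: {
  '': { name: 'platform' },
  'node_modules/zxcvbn': { version: '4.4.2' },
  'node_modules/@types/zxcvbn': { version: '0.0.0-sample', dev: true },
} };
const afterLock = { lockfileVersion: 3, packages: {
  '': { name: 'platform' },
  'node_modules/@zxcvbn-ts/core': { version: '0.0.0-sample' },
  'node_modules/@zxcvbn-ts/language-common': { version: '0.0.0-sample' },
  // a transitive copy pulled in by another dependency still fails DEP-10
  'node_modules/widget/node_modules/zxcvbn': { version: '4.4.2' },
} };

for (const lock of [beforeLock, afterLock]) {
  console.log(JSON.stringify(checkDep10(lock)));
}
```

In CI, a non-empty `violations` or `missing` list should fail the build.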
Summary
This change keeps the platform's dependency tree current and compliant with our DEP-10 control, eliminates a long-standing stale package, reduces type-definition maintenance overhead, and ensures our password-strength estimation library will continue to receive security updates and improvements going forward.