Skip to content

docs: add deprecation notice recommending @vekexasia/bigint-buffer2#62

Open
vekexasia wants to merge 1 commit intono2chem:masterfrom
vekexasia:deprecation-notice-bigint-buffer2
Open

docs: add deprecation notice recommending @vekexasia/bigint-buffer2#62
vekexasia wants to merge 1 commit intono2chem:masterfrom
vekexasia:deprecation-notice-bigint-buffer2

Conversation

@vekexasia
Copy link
Copy Markdown

@vekexasia vekexasia commented Jan 19, 2026
edited
Loading

Summary

This PR adds a deprecation notice to the README and package.json, recommending users migrate to @vekexasia/bigint-buffer2.

Why deprecate bigint-buffer?

1. Security Vulnerability (CVE-2025-3194)

This package contains a known buffer overflow vulnerability (SNYK-JS-BIGINTBUFFER-3364597) that can crash applications when null is passed to toBigIntLE() or toBigIntBE(). This has been open since March 2023 with no fix.

2. Multiple Unresolved Issues

Several critical issues remain unaddressed:

3. Outdated Build System

The package uses deprecated N-API bindings with node-gyp, which:

  • Requires Python and a C++ compiler on user machines
  • Often fails to build on newer Node.js versions
  • Has compatibility issues across platforms

4. No Maintenance Activity

The last commit was over 4 years ago, and there are 11 open issues with no response.

Why @vekexasia/bigint-buffer2?

It's a modern, drop-in replacement that:

  • Fixes all known vulnerabilities - Comprehensive test coverage for CVE-2025-3194 and all reported issues
  • Modern Rust bindings - Uses napi-rs instead of node-gyp, no build-time compilation needed
  • Browser support - Automatic JS fallback, works everywhere
  • TypeScript native - Full type definitions included
  • API compatible - Same function signatures, just change the import
  • Additional features - Signed integer support, zero-allocation toBufferBEInto/toBufferLEInto

Suggested npm deprecation

If you agree with this deprecation, please also run:

npm deprecate bigint-buffer "This package is deprecated. Please use @vekexasia/bigint-buffer2 instead - it fixes security vulnerabilities and is actively maintained."

This will show a warning to users when they install the package.

Changes

  • Added deprecation notice to README with migration instructions
  • Updated package.json description to indicate deprecation

@vekexasia
docs: add deprecation notice recommending @vekexasia/bigint-buffer2
dcc11ae 
This package has known security vulnerabilities and is no longer maintained.
Recommend migration to @vekexasia/bigint-buffer2 which provides:
- Security fixes (CVE-2025-3194, issues no2chem#40, no2chem#59, no2chem#12, no2chem#22)
- Modern Rust bindings via napi-rs
- Full browser support with JS fallback
- ESM/CJS bundles
- TypeScript support
- API-compatible drop-in replacement
@nflaig nflaig mentioned this pull request Jan 21, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vekexasia