Intent to Remove: Tink for JavaScript/TypeScript

Question

Intent to Remove: Tink for JavaScript/TypeScript

tvdmerwe opened this issue a year ago · 0 comments

Contact emails
tink-users@googlegroups.com

Summary
We hereby express our intent to remove the Tink JavaScript/TypeScript library for external (non-google3) users. This will entail removing the JavaScript/Typescript directory from our current Github repository (master branch), and we will not release an individual JavaScript/Typescript repository as part of our effort to migrate Tink to https://github.com/tink-crypto. The JavaScript/TypeScript directory in the current release branch (v1.7.0) will no longer be actively supported. Internal Google users (google3 users) will not be affected.

Background and motivation
The Tink JavaScript/TypeScript (JS/TS) library is currently in an alpha state and users have been encouraged to use the library for testing purposes only. Google develops and uses Tink internally but it is also released as an open source library for external users. Tink currently makes use of Protocol Buffers, a Google-developed mechanism for serializing structured data. The main obstacle surrounding continued support of the external Tink JS/TS library is the divergence in the internal and external JS Protocol Buffer implementations. This makes maintaining the external library expensive, and the Tink team currently does not have the staffing to do this. We are working to remove the Protocol Buffer dependency as part of other Tink efforts and will revisit providing an updated Tink JS/TS library in the future. The effort to split Tink into multiple repositories facilitates dropping support for JS/TS at this time.

Timeline
We aim to remove the JS/TS directory from the current Tink Github repository (master branch) on June 22, 2023. We will also deprecate the Tink npm package on this date. We will not create a JS/TS repository at https://github.com/tink-crypto (but may do so when we are able). Complete removal of the JS/TS directory from the master branch facilitates a cleaner updating/release process for our current Tink monolithic repository.

Operational risks and alternatives for developers
Developers and projects will still have access to the Tink JS/TS library as part of the current stable release (v1.7.0) but we reiterate that this code is in an alpha state and should not be used for production purposes. The JS/TS directory in the current Github release branch (v1.7.0) will not be actively supported and updated and the Tink npm package will be deprecated. The WebCrypto API offers a JavaScript interface for performing basic cryptographic operations but we do not comment on its security. Developers that need to maintain interoperability with Tink using a different cryptographic library should adhere to the specified Tink wire format.

Usage information
The number of weekly npm package downloads peaked at 478 in May 2022. We encourage affected users to contact us.

Tracking information
This Github issue will be used for tracking.