Based on https://github.com/bjeavons/zxcvbn-php/pull/32 (seems a mismatch with the dropbox js version as detailed in https://github.com/bjeavons/zxcvbn-php/issues/15 ) the upstream might not be very active, and it has actually been forked... https://github.com/mkopinsky/zxcvbn-php and https://packagist.org/packages/mkopinsky/zxcvbn-php
Although the discussion there gives the impression that the bjeavons version actually does a better job. And the last commit to the Dropbox repo was over a year ago and the last functional change two years ago, so it's not like there is a constant flood if upstream improvements the library would be expected to keep up with.
The mismatch is a problem if we intend to run zxcvbn on the client side as well, but per T32574#2836570 we probably don't.
zxcvbn-php had a stable 1.0 release recently (diff with 0.4, release notes) which included some fairly major changes to make it match the behavior of the original (JS) zxcvbn library (before it was more of a reimplementation of the idea than a proper PHP version of the same library - see bjeavons/zxcvbn-php#15 for more background).
It would be nice to use the 1.0 version, both because of the JS consistency (we probably won't use the JS library, but nice to have that option open), because the algorithm is probably superior, and because it is more modern (e.g. supports same PHP versions as MW master). Does that require a re-review?
Hi @Tgr - it does appear to need a re-review. We are putting in our backlog and unassigning until someone can pick it up. We're doing our best but have limited resource hours right now, so please let us know if you have any questions or concerns and we'll be in touch as we move forward. Thanks!
The Security team is updating their readiness review SOP to reflect a new change that any request that has aged 90 days without being in a reviewable state will be declined. We do this to help keep our work area current, accurate and reflective of actual work. If the status of your project changes please re-tag us and we will get this work scheduled.