Since gravatar is a very simple system where the hashes represent an email that has gone through an MD5 hashing function, it's very easy to decrypt a gravatar and get back the original email that created the hash.
Graphics cards in 2008 were able to encrypt 160mil hashes a second and it's not difficult to run through the alphabet to create a list of all hashes to emails. Alongside that, Gravatar had a leak in 2021 that exposed 167 million profiles and you can use free online tools for converting hashes to emails.
This means that any application that uses gravatar images is basically exposing the emails of those users as well just by using it.
I think this repository should be deprecated and a warning added when installing via NPM to warn people to not use gravatar.
Looked around and this looks like a great alternative as it allows you to pass in any seed you wish (a simple numeric userId for example): https://www.dicebear.com/playground/ and pick from various styles. But the point is you aren't using an MD5 of an email.
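An added example, not part of the original thread or of this package: a check you can run over your own rendered pages to find avatar identifiers that are the MD5 of a user's email, next to a keyed seed derived from an internal user id that can be passed to a seed-based avatar generator instead. The function names, the `/avatars/` path, the user id and the sample address are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Gravatar-style identifier: unkeyed MD5 of the trimmed, lower-cased email.
// Anyone who holds the address can recompute it, on any site.
function gravatarHash(email) {
  return crypto.createHash('md5').update(email.trim().toLowerCase()).digest('hex');
}

// Defensive check: scan rendered output for 32-hex tokens that equal the
// email hash of one of your own users. Returns the affected addresses.
function findEmailDerivedIds(html, emails) {
  const byHash = new Map(emails.map((e) => [gravatarHash(e), e]));
  const tokens = html.toLowerCase().match(/\b[0-9a-f]{32}\b/g) || [];
  return [...new Set(tokens)].filter((t) => byHash.has(t)).map((t) => byHash.get(t));
}

// Replacement seed: HMAC-SHA256 over the internal user id with a server-side
// secret. It contains no email material and cannot be recomputed or linked
// across sites without the secret.
function avatarSeed(userId, secret) {
  if (!secret || secret.length < 32) {
    throw new Error('secret must be at least 32 bytes');
  }
  return crypto
    .createHmac('sha256', secret)
    .update(`avatar:${userId}`)
    .digest('hex')
    .slice(0, 32);
}

// Constructed sample data (not from the thread).
const SAMPLE_EMAIL = 'alice@example.com';
const SAMPLE_SECRET = crypto.randomBytes(32); // in practice: load from secret storage
const before = `<img src="https://www.gravatar.com/avatar/${gravatarHash(SAMPLE_EMAIL)}?s=80">`;
const after = `<img src="/avatars/${avatarSeed(1042, SAMPLE_SECRET)}.svg">`; // hypothetical path

console.log('before:', findEmailDerivedIds(before, [SAMPLE_EMAIL])); // flags the address
console.log('after: ', findEmailDerivedIds(after, [SAMPLE_EMAIL]));  // nothing flagged
```
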