Gathering detailed insights and metrics for @peculiar/webcrypto
Gathering detailed insights and metrics for @peculiar/webcrypto
Installations
npm install @peculiar/webcryptoReleases
Unable to fetch releases
Developer
PeculiarVentures
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>=10.12.0
Typescript Support
Yes
Node Version
20.13.1
NPM Version
10.5.2
Statistics
185 Stars
234 Commits
23 Forks
10 Watching
2 Branches
6 Contributors
Updated on 14 Nov 2024
Languages
TypeScript (99.43%)
JavaScript (0.57%)
Total Downloads
Cumulative downloads
Total Downloads
305,033,845
Last day
-2.8%
594,383
Compared to previous day
Last week
2.7%
3,069,432
Compared to previous week
Last month
0.9%
12,988,257
Compared to previous month
Last year
36.4%
156,049,280
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
@peculiar/webcrypto
We wanted to be able to write Javascript that used crypto on both the client and the server but we did not want to rely on Javascript implementations of crypto. The only native cryptography available in browser is Web Crypto, this resulted in us creating a @peculiar/webcrypto.
Table Of Contents
WARNING
At this time this solution should be considered suitable for research and experimentation, further code and security review is needed before utilization in a production application.
Module is based on NodeJS v10 Crypto API. It would work only with Node v10 and higher.
Installing
npm install @peculiar/webcrypto
Supported algorithms
| Algorithm name | generateKey | digest | export/import | sign/verify | encrypt/decrypt | wrapKey/unwrapKey | derive |
|---|---|---|---|---|---|---|---|
| SHA-1 | X | ||||||
| SHA-256 | X | ||||||
| SHA-384 | X | ||||||
| SHA-512 | X | ||||||
| HMAC | X | X | X | ||||
| RSASSA-PKCS1-v1_5 | X | X | X | ||||
| RSAES-PKCS1-v1_52 | X | X | X | X | |||
| RSA-PSS | X | X | X | ||||
| RSA-OAEP | X | X | X | X | |||
| AES-CMAC | X | X | X | ||||
| AES-CBC | X | X | X | X | |||
| AES-CTR | X | X | X | X | |||
| AES-ECB | X | X | X | X | |||
| AES-GCM | X | X | X | X | |||
| AES-KW | X | X | X | ||||
| ECDSA1 | X | X | X | ||||
| ECDH1 | X | X | X | ||||
| EdDSA2,3 | X | X | X | ||||
| ECDH-ES2,4 | X | X | X | ||||
| HKDF | X | X | |||||
| PBKDF2 | X | X | |||||
| DES-CBC2 | X | X | X | X | |||
| DES-EDE3-CBC2 | X | X | X | X | |||
| shake1282 | X | ||||||
| shake2562 | X |
1 Mechanism supports extended list of named curves P-256, P-384, P-521, K-256,
brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, and brainpoolP512t1
2 Mechanism is not defined by the WebCrypto specifications. Use of mechanism in a safe way is hard, it was added for the purpose of enabling interoperability with an existing system. We recommend against its use unless needed for interoperability.
3 Mechanism supports extended list of named curves Ed25519, and Ed448
4 Mechanism supports extended list of named curves X25519, and X448
Using
1const { Crypto } = require("@peculiar/webcrypto"); 2 3const crypto = new Crypto();
Examples
See WebCrypto Docs for examples
Bug Reporting
Please report bugs either as pull requests or as issues in the issue tracker. @peculiar/webcrypto has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.
Related
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:14
Reason
4 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
Reason
Found 3/12 approved changesets -- score normalized to 2
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/test.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/PeculiarVentures/webcrypto/test.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/publish.yml:56
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:43
- Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 2 third-party GitHubAction dependencies pinned
- Info: 0 out of 2 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 25 are checked with a SAST tool
Score
3.6
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More