Gathering detailed insights and metrics for crypto-js
Gathering detailed insights and metrics for crypto-js
JavaScript library of crypto standards.
Installations
npm install crypto-jsDeveloper Guide
BETA
Typescript
No
Module System
CommonJS, UMD
Node Version
18.18.0
NPM Version
10.2.1
Score
100
Supply Chain
100
Quality
75.9
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
2
JavaScript
HTML
JavaScript (93.77%)
HTML (6.23%)
Developer
brix
Download Statistics
Total Downloads
1,432,734,714
Last Day
479,467
Last Week
8,289,391
Last Month
35,908,410
Last Year
385,636,496
GitHub Statistics
NOASSERTION License
16,091 Stars
184 Commits
2,430 Forks
260 Watchers
5 Branches
24 Contributors
Updated on May 04, 2025
Bundle Size
62.58 kB
Minified
23.29 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
4.2.0
Package Id
crypto-js@4.2.0
Unpacked Size
475.53 kB
Size
85.24 kB
File Count
56
NPM Version
10.2.1
Node Version
18.18.0
Published on
Oct 24, 2023
Total Downloads
Cumulative downloads
Total Downloads
1,432,734,714
crypto-js
JavaScript library of crypto standards.
Discontinued
Active development of CryptoJS has been discontinued. This library is no longer maintained.
Nowadays, NodeJS and modern browsers have a native Crypto module. The latest version of CryptoJS already uses the native Crypto module for random number generation, since Math.random() is not crypto-safe. Further development of CryptoJS would result in it only being a wrapper of native Crypto. Therefore, development and maintenance has been discontinued, it is time to go for the native crypto module.
Node.js (Install)
Requirements:
- Node.js
- npm (Node.js package manager)
1npm install crypto-js
Usage
ES6 import for typical API call signing use case:
1import sha256 from 'crypto-js/sha256'; 2import hmacSHA512 from 'crypto-js/hmac-sha512'; 3import Base64 from 'crypto-js/enc-base64'; 4 5const message, nonce, path, privateKey; // ... 6const hashDigest = sha256(nonce + message); 7const hmacDigest = Base64.stringify(hmacSHA512(path + hashDigest, privateKey));
Modular include:
1var AES = require("crypto-js/aes"); 2var SHA256 = require("crypto-js/sha256"); 3... 4console.log(SHA256("Message"));
Including all libraries, for access to extra methods:
1var CryptoJS = require("crypto-js"); 2console.log(CryptoJS.HmacSHA1("Message", "Key"));
Client (browser)
Requirements:
- Node.js
- Bower (package manager for frontend)
1bower install crypto-js
Usage
Modular include:
1require.config({ 2 packages: [ 3 { 4 name: 'crypto-js', 5 location: 'path-to/bower_components/crypto-js', 6 main: 'index' 7 } 8 ] 9}); 10 11require(["crypto-js/aes", "crypto-js/sha256"], function (AES, SHA256) { 12 console.log(SHA256("Message")); 13});
Including all libraries, for access to extra methods:
1// Above-mentioned will work or use this simple form 2require.config({ 3 paths: { 4 'crypto-js': 'path-to/bower_components/crypto-js/crypto-js' 5 } 6}); 7 8require(["crypto-js"], function (CryptoJS) { 9 console.log(CryptoJS.HmacSHA1("Message", "Key")); 10});
Usage without RequireJS
1<script type="text/javascript" src="path-to/bower_components/crypto-js/crypto-js.js"></script> 2<script type="text/javascript"> 3 var encrypted = CryptoJS.AES(...); 4 var encrypted = CryptoJS.SHA256(...); 5</script>
API
See: https://cryptojs.gitbook.io/docs/
AES Encryption
Plain text encryption
1var CryptoJS = require("crypto-js"); 2 3// Encrypt 4var ciphertext = CryptoJS.AES.encrypt('my message', 'secret key 123').toString(); 5 6// Decrypt 7var bytes = CryptoJS.AES.decrypt(ciphertext, 'secret key 123'); 8var originalText = bytes.toString(CryptoJS.enc.Utf8); 9 10console.log(originalText); // 'my message'
Object encryption
1var CryptoJS = require("crypto-js"); 2 3var data = [{id: 1}, {id: 2}] 4 5// Encrypt 6var ciphertext = CryptoJS.AES.encrypt(JSON.stringify(data), 'secret key 123').toString(); 7 8// Decrypt 9var bytes = CryptoJS.AES.decrypt(ciphertext, 'secret key 123'); 10var decryptedData = JSON.parse(bytes.toString(CryptoJS.enc.Utf8)); 11 12console.log(decryptedData); // [{id: 1}, {id: 2}]
List of modules
crypto-js/corecrypto-js/x64-corecrypto-js/lib-typedarrays
crypto-js/md5crypto-js/sha1crypto-js/sha256crypto-js/sha224crypto-js/sha512crypto-js/sha384crypto-js/sha3crypto-js/ripemd160
crypto-js/hmac-md5crypto-js/hmac-sha1crypto-js/hmac-sha256crypto-js/hmac-sha224crypto-js/hmac-sha512crypto-js/hmac-sha384crypto-js/hmac-sha3crypto-js/hmac-ripemd160
crypto-js/pbkdf2
crypto-js/aescrypto-js/tripledescrypto-js/rc4crypto-js/rabbitcrypto-js/rabbit-legacycrypto-js/evpkdf
crypto-js/format-opensslcrypto-js/format-hex
crypto-js/enc-latin1crypto-js/enc-utf8crypto-js/enc-hexcrypto-js/enc-utf16crypto-js/enc-base64
crypto-js/mode-cfbcrypto-js/mode-ctrcrypto-js/mode-ctr-gladmancrypto-js/mode-ofbcrypto-js/mode-ecb
crypto-js/pad-pkcs7crypto-js/pad-ansix923crypto-js/pad-iso10126crypto-js/pad-iso97971crypto-js/pad-zeropaddingcrypto-js/pad-nopadding
Release notes
4.2.0
Change default hash algorithm and iteration's for PBKDF2 to prevent weak security by using the default configuration.
Custom KDF Hasher
Blowfish support
4.1.1
Fix module order in bundled release.
Include the browser field in the released package.json.
4.1.0
Added url safe variant of base64 encoding. 357
Avoid webpack to add crypto-browser package. 364
4.0.0
This is an update including breaking changes for some environments.
In this version Math.random() has been replaced by the random methods of the native crypto module.
For this reason CryptoJS might not run in some JavaScript environments without native crypto module. Such as IE 10 or before or React Native.
3.3.0
Rollback, 3.3.0 is the same as 3.1.9-1.
The move of using native secure crypto module will be shifted to a new 4.x.x version. As it is a breaking change the impact is too big for a minor release.
3.2.1
The usage of the native crypto module has been fixed. The import and access of the native crypto module has been improved.
3.2.0
In this version Math.random() has been replaced by the random methods of the native crypto module.
For this reason CryptoJS might does not run in some JavaScript environments without native crypto module. Such as IE 10 or before.
If it's absolute required to run CryptoJS in such an environment, stay with 3.1.x version. Encrypting and decrypting stays compatible. But keep in mind 3.1.x versions still use Math.random() which is cryptographically not secure, as it's not random enough.
This version came along with CRITICAL BUG.
DO NOT USE THIS VERSION! Please, go for a newer version!
3.1.x
The 3.1.x are based on the original CryptoJS, wrapped in CommonJS modules.
Critical
9.1/10
Summary
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
Affected Versions
< 4.2.0
Patched Versions
4.2.0
Moderate
5.3/10
Summary
crypto-js uses insecure random numbers
Affected Versions
< 3.2.1
Patched Versions
3.2.1
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
Found 6/24 approved changesets -- score normalized to 2
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'develop'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 12 are checked with a SAST tool
Score
3.3
/10
Last Scanned on 2025-04-28
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More