crypto-browserify
implementation of crypto for the browser
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
dcousens, ljharb, cwmma, indutny, jprichardson
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Low-value signals reflect early npm era conventions (circa 2012), not spam or malice. Package is real, established, and from a trusted publisher. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 is the legitimate first release of a well-established package by a trusted author (dominictarr), published over 5000 days ago. Not a throwaway. | ai | |
| source-diff | obfuscated-file:c.js | AI (source-diff): c.js is a standard browserify bundle (recognizable wrapper pattern); long lines are from bundled deps, not malicious obfuscation. Expected artifact for a browser crypto polyfill. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely explained by the addition of a pre-built browserify bundle (c.js) packaging all crypto dependencies for browser use — a normal pattern for this package. | ai | |
| source-diff | encoded-string-file:test/sign.js | AI (source-diff): Long hex strings in test/sign.js are RSA key material used as test fixtures — standard practice for a crypto library. Not a malicious payload. | ai | |
| source-diff | encoded-string-file:test/public-encrypt.js | AI (source-diff): Long hex strings in test/public-encrypt.js are RSA key material used as test fixtures — standard practice for a crypto library. Not a malicious payload. | ai | |
| dependencies | unvetted-dep:create-ecdh | AI (dependencies): Established crypto dependency; fits package purpose and version constraint is pinned. | ai | |
| dependencies | unvetted-dep:diffie-hellman | AI (dependencies): Legitimate crypto utility for Diffie-Hellman key exchange; appropriate for this package's scope. | ai | |
| dependencies | unvetted-dep:browserify-cipher | AI (dependencies): browserify-cipher is a standard browserify ecosystem crypto primitive; expected dependency for this package. | ai | |
| dependencies | unvetted-dep:create-hash | AI (dependencies): create-hash is a standard browserify ecosystem crypto primitive; expected dependency for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in rng.js is a documented fallback pattern for loading Node.js crypto in non-browser environments; legitimate for browserify shims. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition occurred in 2015; well-established and legitimate for this mature package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions reflect legitimate ecosystem contributors; transition occurred years ago and is stable. | ai | |
| source-diff | obfuscated-file:test/public-encrypt.js | AI (source-diff): Test file contains hex-encoded RSA test vectors for cryptographic testing, not malicious obfuscation. Legitimate pattern in crypto test suites. | ai | |
| source-diff | obfuscated-file:test/sign.js | AI (source-diff): Test file contains hex-encoded RSA test vectors for cryptographic testing, not malicious obfuscation. Legitimate pattern in crypto test suites. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are established browserify crypto components (create-hash, create-hmac, pbkdf2, etc.), representing legitimate modularization of crypto functionality, not suspicious injection. | ai | |
| dependencies | unvetted-dep:pbkdf2-compat | AI (dependencies): pbkdf2-compat is a narrow-purpose PBKDF2 implementation appropriate for crypto-browserify; pinned to 2.0.1. | ai | |
| phantom-deps | phantom-dep:inherits | AI (phantom-deps): inherits is a declared runtime dep for browser bundler compatibility; not directly imported in source but legitimately listed. Stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Trusted publisher (ljharb) with long track record; lack of provenance attestation is not a meaningful risk signal here. | ai | |
| phantom-deps | phantom-dep:hash-base | AI (phantom-deps): hash-base is a declared runtime dep for browser bundler compatibility; not directly imported in source but legitimately listed. Stable false positive for this package. | ai | |
Versions (showing 51 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.12.1 | 12 / 9 | |
| 3.12.0 | 11 / 6 | |
| 3.11.1 | 10 / 5 | |
| 3.11.0 | 10 / 5 | |
| 3.10.0 | 10 / 3 | |
| 3.9.14 | 10 / 2 | |
| 3.9.13 | 10 / 2 | |
| 3.9.12 | 10 / 2 | |
| 3.9.11 | 10 / 2 | |
| 3.9.10 | 10 / 2 | |
| 3.9.9 | 10 / 2 | |
| 3.9.8 | 10 / 2 | |
| 3.9.7 | 9 / 2 | |
| 3.9.6 | 9 / 2 | |
| 3.9.4 | 8 / 2 | |
| 3.9.3 | 8 / 2 | |
| 3.9.2 | 8 / 2 | |
| 3.9.1 | 8 / 2 | |
| 3.9.0 | 8 / 2 | |
| 3.8.3 | 8 / 2 | |
| 3.8.1 | 8 / 2 | |
| 3.8.0 | 8 / 2 | |
| 3.7.2 | 8 / 2 | |
| 3.7.1 | 8 / 2 | |
| 3.7.0 | 8 / 2 | |
| 3.6.0 | 7 / 2 | |
| 3.5.1 | 6 / 2 | |
| 3.5.0 | 6 / 2 | |
| 3.4.3 | 6 / 2 | |
| 3.4.1 | 6 / 2 | |
| 3.4.0 | 5 / 2 | |
| 3.3.0 | 4 / 2 | |
| 3.2.8 | 3 / 2 | |
| 3.2.7 | 3 / 2 | |
| 3.2.6 | 3 / 2 | |
| 3.2.5 | 3 / 2 | |
| 3.2.4 | 3 / 2 | |
| 3.2.2 | 3 / 2 | |
| 3.2.1 | 3 / 2 | |
| 3.2.0 | 2 / 2 | |
| 3.1.0 | 2 / 2 | |
| 3.0.2 | 2 / 2 | |
| 3.0.1 | 2 / 2 | |
| 3.0.0 | 2 / 2 | |
| 2.1.10 | 2 / 2 | |
| 2.1.8 | 2 / 2 | |
| 2.1.7 | 2 / 2 | |
| 2.1.6 | 1 / 1 | |
| 2.1.5 | 1 / 1 | |
| 2.1.4 | 1 / 1 | |
| 2.1.3 | 1 / 1 | |
v3.2.5 (1 finding)
INFO: No provenance attestation (provenance)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.