pbkdf2
This library provides the functionality of PBKDF2 with the ability to use any supported hashing algorithm returned from crypto.getHashes()
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:sha.js | AI (dependencies): sha.js is a standard browserify crypto ecosystem dependency expected for PBKDF2 browser compatibility; stable for this package. | ai | |
| dependencies | unvetted-dep:ripemd160 | AI (dependencies): ripemd160 is a standard browserify crypto ecosystem dependency expected for PBKDF2 browser compatibility; stable for this package. | ai | |
| dependencies | unvetted-dep:to-buffer | AI (dependencies): to-buffer is a standard utility dependency in the browserify ecosystem; stable for this package. | ai | |
| dependencies | unvetted-dep:create-hash | AI (dependencies): create-hash is a standard browserify crypto ecosystem dependency expected for PBKDF2 browser compatibility; stable for this package. | ai | |
| dependencies | unvetted-dep:create-hmac | AI (dependencies): create-hmac is a standard browserify crypto ecosystem dependency expected for PBKDF2 browser compatibility; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread provenance adoption; published by trusted maintainer ljharb with strong track record. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 3.1.6 | 6 / 15 | |
| 3.1.5 | 6 / 11 | |
| 3.1.4 | 6 / 11 | |
| 3.1.3 | 6 / 11 | |
v3.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.