@hyperfrontend/cryptography
Advanced tools
Production-grade cryptographic primitives with isomorphic APIs for browser and Node.js environments.
@hyperfrontend/cryptography provides a comprehensive suite of cryptographic utilities designed for secure data handling in full-stack JavaScript applications. The library implements industry-standard encryption (AES-GCM), key derivation (PBKDF2), and hashing (SHA-256) with identical APIs across browser and Node.js environments, eliminating platform-specific code branching.
The library features three modular entry points: platform-specific implementations (/browser, /node) for optimized runtime performance, and a shared entry point (/common) for platform-agnostic utilities. Core capabilities include secure password-based encryption/decryption, cryptographic vault storage with single-use modes, time-based password generation for rotating credentials, and cryptographically-secure random value generation.
/browser, /node, /common)Built on functional composition with dependency injection, allowing complete mocking in tests without module patching. All cryptographic operations use platform-native APIs (Web Crypto API in browsers, Node.js crypto module) wrapped in consistent interfaces. Encryption operations automatically generate unique salt and initialization vectors per operation, eliminating key reuse vulnerabilities.
Full-stack applications typically require separate cryptography implementations for browser and server environments, leading to code duplication and testing complexity. This library provides identical APIs powered by platform-optimized implementations, allowing shared business logic for encryption workflows across your entire stack. Import from /browser or /node based on your runtime - the function signatures remain identical.
Implementing secure encryption requires careful selection of algorithms, key derivation parameters, and IV/salt generation strategies. This library encapsulates cryptographic best practices (PBKDF2 with 100,000 iterations, unique salt/IV per operation, AES-GCM authenticated encryption) in simple encrypt(message, password) and decrypt(encrypted, password) functions. No configuration decisions, no security footguns - just production-grade encryption out of the box.
APIs requiring short-lived credentials (temporary links, time-boxed access tokens) need synchronized password generation across systems. The getTimeBasedPasswords() function generates cryptographically-secure passwords based on UTC time windows, enabling coordinated credential rotation without database round-trips. Generate passwords for current/previous/next windows to handle clock drift gracefully.
Processing sensitive data (credit cards, API keys, personal information) in memory creates exposure risks during debugging and logging. The createVault() API provides encrypted storage with password protection - data is encrypted at rest in memory and requires the vault password for retrieval. Single-use mode automatically closes the vault after first read, preventing accidental data leakage in long-lived processes.
Third-party cryptography libraries introduce supply chain risks and dependency bloat. This package uses only platform-native crypto APIs (Web Crypto API, Node.js crypto module) plus lightweight internal utilities, eliminating external dependencies. Smaller dependency trees mean fewer audit requirements and reduced attack surface for security-critical applications.
npm install @hyperfrontend/cryptography
Note: The
/nodeentry point useswebcrypto.subtlewhich was experimental in Node.js 18.x. For production use with the Node.js entry point, Node.js 19+ is recommended for stable crypto APIs.
import { encrypt, decrypt, createVault, createHash } from '@hyperfrontend/cryptography/browser'
// Encrypt/decrypt data with password
const message = 'Sensitive data'
const password = 'secure-password'
const encrypted = await encrypt(message, password)
const decrypted = await decrypt(encrypted, password)
// Create encrypted in-memory storage
const vault = createVault()
await vault.write('api-key', 'sk-1234567890')
const password = vault.getPassword() // Share password securely
const value = await vault.read('api-key', password) // Returns 'sk-1234567890'
// Generate SHA-256 hash
const hash = await createHash('data-to-hash') // Returns hex string
import { encrypt, decrypt, createVault, getTimeBasedPasswords } from '@hyperfrontend/cryptography/node'
// Same encryption API as browser
const encrypted = await encrypt('Sensitive data', 'secure-password')
const decrypted = await decrypt(encrypted, 'secure-password')
// Time-based rotating passwords (5-minute windows)
const generators = getTimeBasedPasswords(new Date(), 300_000)
const currentPassword = await generators.current()
const previousPassword = await generators.previous() // Handle clock drift
import { isSHA256Hash } from '@hyperfrontend/cryptography/common'
// Validate hash format (works in browser and Node.js)
isSHA256Hash('abc123') // false - too short
isSHA256Hash('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855') // true
encrypt(message: string, password: string): Promise<Uint8Array> - Encrypt message with password-derived AES-GCM keydecrypt(encrypted: Uint8Array, password: string): Promise<string> - Decrypt message with passwordcreateVault(singleUse?: boolean): Vault - Create encrypted in-memory storage
vault.write(label: string, value: string): Promise<void> - Store encrypted valuevault.read(label: string, password: string): Promise<string | null> - Retrieve decrypted valuevault.getPassword(): string - Get vault passwordvault.close(): void - Close vault permanentlycreateHash(data: string, algorithm?: 'SHA-256' | 'SHA-384' | 'SHA-512'): Promise<string> - Generate cryptographic hash (hex string)isSHA256Hash(hash: unknown): boolean - Validate SHA-256 hash formatgetTimeBasedPassword(currentUtcTime: Date, baseTimeWindow: number, windowOffset?: -1 | 0 | 1): Promise<string> - Generate password for specific time windowgetTimeBasedPasswords(currentUtcTime: Date, baseTimeWindow: number): TimeBasedPasswordGenerators - Create generators for current/previous/next windowsgenerateKey(password: string, salt: Uint8Array): Promise<CryptoKey> - Derive encryption key using PBKDF2getRandomValues(byteLength: number): Uint8Array - Generate cryptographically-secure random bytes| Platform | Support |
|---|---|
| Browser | ✅ |
| Node.js | ✅ |
| Web Workers | ✅ |
| Deno, Bun, Cloudflare Workers | ✅ |
| Format | File | Tree-Shakeable |
|---|---|---|
| ESM | index.esm.js | ✅ |
| CJS | index.cjs.js | ❌ |
| IIFE | bundle/index.iife.min.js | ❌ |
| UMD | bundle/index.umd.min.js | ❌ |
Bundle size: 3 KB (minified, self-contained)
<!-- unpkg -->
<script src="https://unpkg.com/@hyperfrontend/cryptography"></script>
<!-- jsDelivr -->
<script src="https://cdn.jsdelivr.net/npm/@hyperfrontend/cryptography"></script>
<script>
const { createHash, encrypt, decrypt } = HyperfrontendCryptography
</script>
Global variable: HyperfrontendCryptography
This library is part of the hyperfrontend monorepo.
MIT
FAQs
Cryptography utilities for browser and Node.js environments.
The npm package @hyperfrontend/cryptography receives a total of 152 weekly downloads. As such, @hyperfrontend/cryptography popularity was classified as not popular.
We found that @hyperfrontend/cryptography demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Mini Shai-Hulud expands into the Go ecosystem after hitting LeoPlatform npm packages and targeting GitHub Actions workflows.
Security News
The Fable shutdown shows how quickly model access can become a business continuity risk for AI-dependent engineering teams.
Security News
AI agents are pulling packages into environments no scanner is watching, creating exposure before security teams can see it.