@noble/hashes - npm Package Compare versions

Comparing version 1.1.1 to 1.1.2

esm/sha1.js

7

package.json
{
"name": "@noble/hashes",
"version": "1.1.1",
"version": "1.1.2",
"description": "Audited & minimal 0-dependency JS implementation of SHA2, SHA3, RIPEMD, BLAKE2/3, HMAC, HKDF, PBKDF2, Scrypt",

@@ -109,2 +109,7 @@ "files": [

"./scrypt.d.ts": "scrypt.d.ts",
"./sha1": {
"import": "./esm/sha1.js",
"default": "./sha1.js"
},
"./sha1.d.ts": "sha1.d.ts",
"./sha3-addons": {
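Review bot: the new `./sha1` and `./sha1.d.ts` entries in the exports map add a public entry point, yet the version only moves from 1.1.1 to 1.1.2. A newly importable module is a feature addition, so a minor bump would signal it better to consumers who review patch updates less closely, particularly because the module being exposed is a legacy hash.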

@@ -111,0 +116,0 @@ "import": "./esm/sha3-addons.js",

@@ -12,3 +12,3 @@ # noble-hashes ![Node CI](https://github.com/paulmillr/noble-hashes/workflows/Node%20CI/badge.svg) [![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg?style=flat-square)](https://github.com/prettier/prettier)

- 🧪 Differential fuzzing ensures even more correctness with [cryptofuzz](https://github.com/guidovranken/cryptofuzz)
- 🐢 Scrypt supports `N: 2**22` with 4GB arrays, while other implementations crash on `2**21`
- 🐢 Scrypt supports `N: 2**22`, while other implementations are limited to `2**20`
- 🦘 SHA3 supports Keccak, TupleHash, KangarooTwelve and MarsupilamiFourteen
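Review bot: the rewritten Scrypt bullet drops the "with 4GB arrays" detail and changes the comparison from "crash on `2**21`" to "limited to `2**20`" without a source for either figure. The memory cost is what a caller needs to know before choosing `N: 2**22`, so keep the memory figure and link to the measurement that backs the claim about other implementations.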

@@ -74,2 +74,5 @@ - 🪶 Just 2.3k lines / 14KB gzipped. SHA256-only is 240 lines / 3KB gzipped

// legacy, still relevant for HMAC
const { sha1 } = require('@noble/hashes/sha1');
// small utility method that converts bytes to hex

@@ -122,2 +125,3 @@ const { bytesToHex as toHex } = require('@noble/hashes/utils');

- [BLAKE3](#blake3)
- [SHA1 (legacy)](#sha1-legacy)
- [HMAC](#hmac)

@@ -272,4 +276,15 @@ - [HKDF](#hkdf)

See [Website](https://blake3.io).
##### SHA1 (legacy)
SHA1 was cryptographically broken, however, it was not broken for cases like HMAC.
See [RFC4226 B.2](https://datatracker.ietf.org/doc/html/rfc4226#appendix-B.2).
Don't use it for a new protocol.
```typescript
import { sha1 } from '@noble/hashes/sha1';
const h12 = sha1('def');
```
##### HMAC
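Review bot: the example in the new SHA1 section, `const h12 = sha1('def');`, shows a bare digest, while the sentence above it says the hash remains acceptable only for cases like HMAC. Show SHA1 used under HMAC instead, or add a sentence saying that a direct digest must not be relied on for collision resistance, so the snippet does not model the usage the section warns against. "Was cryptographically broken" would also read more precisely if it named the property that was broken.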

@@ -399,3 +414,3 @@

1. The library has been audited on Jan 5, 2022 by an independent security firm cure53: [PDF](https://cure53.de/pentest-report_hashing-libs.pdf). No vulnerabilities have been found. The audit has been funded by Ethereum Foundation with help of [Nomic Labs](https://nomiclabs.io). Modules `blake3` and `sha3-addons` have not been audited. See [changes since audit](https://github.com/paulmillr/noble-hashes/compare/1.0.0..main).
1. The library has been audited on Jan 5, 2022 by an independent security firm cure53: [PDF](https://cure53.de/pentest-report_hashing-libs.pdf). No vulnerabilities have been found. The audit has been funded by Ethereum Foundation with help of [Nomic Labs](https://nomiclabs.io). Modules `blake3`, `sha3-addons` and `sha1` have not been audited. See [changes since audit](https://github.com/paulmillr/noble-hashes/compare/1.0.0..main).
2. The library has been fuzzed by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz). You can run the fuzzer by yourself to check it.
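Review bot: `sha1` is added to the list of unaudited modules only in this audit paragraph, and the new "SHA1 (legacy)" section does not mention it. Repeat the unaudited status in that section, since readers who follow the table-of-contents link land there and never see this list.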

@@ -402,0 +417,0 @@ 3. [Timing attack](https://en.wikipedia.org/wiki/Timing_attack) considerations: _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to achieve in a scripting language. Which means _any other JS library can't have constant-timeness_. Even statically typed Rust, a language without GC, [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security) for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
