fido2-lib - npm Package Compare versions

Comparing version 2.6.7 to 2.6.8

lib/certUtils.js

@@ -5,5 +5,20 @@ "use strict";
 const pkijs = require("pkijs");
-const { Crypto } = require("node-webcrypto-ossl");
-const webcrypto = new Crypto();
 
+const envUnified = (typeof window !== "undefined") ? window.env : process.env;
+
+let webcrypto;
+if(envUnified.FIDO2LIB_USENATIVECRYPTO) {
+	// Opt-in to use native crypto, as it depends on the environment and is difficult to test
+	// NodeJS crypto API is currently in experimental state
+	console.warn("[FIDO2-LIB] Native crypto is enabled");
+	if ((typeof self !== "undefined") && "crypto" in self) {
+		webcrypto = self.crypto;
+	} else {
+		webcrypto = require("crypto").webcrypto;
+	}
+} else {
+	const { Crypto } = require("@peculiar/webcrypto");
+	webcrypto = new Crypto();
+}
+
 const {
@@ -10,0 +25,0 @@ CryptoEngine,

package.json

 {
 	"name": "fido2-lib",
-	"version": "2.6.7",
+	"version": "2.6.8",
 	"description": "A library for performing FIDO 2.0 / WebAuthn functionality",
@@ -52,2 +52,3 @@ "main": "index.js",
 	"dependencies": {
+		"@peculiar/webcrypto": "^1.2.0",
 		"asn1js": "^2.0.18",
@@ -58,3 +59,2 @@ "cbor": "^4.0.0",
 		"node-jose": "^2.0.0",
-		"node-webcrypto-ossl": "^2.1.3",
 		"pkijs": "=2.1.58",
@@ -61,0 +61,0 @@ "psl": "^1.1.24",

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

429238

increased by0.11%

Lines of code

9657

increased by0.13%

Worsened metrics

Number of low supply chain risk alerts

5

increased by25%

Dependency changes

• + Added@peculiar/webcrypto@^1.2.0

• + Added@peculiar/webcrypto@1.5.0(transitive)

• - Removednode-webcrypto-ossl@^2.1.3

• - Removedmkdirp@1.0.4(transitive)

• - Removednan@2.22.0(transitive)

• - Removednode-webcrypto-ossl@2.1.3(transitive)