The first stable release of fips-crypto — a high-performance post-quantum cryptography library for JavaScript and TypeScript, powered by Rust and WebAssembly. Implements all three NIST post-quantum standards: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). This release marks a public API commitment under semantic versioning.
This package implements the algorithm specifications in FIPS 203, FIPS 204, and FIPS 205. It is not a FIPS 140-2 or FIPS 140-3 validated cryptographic module.
What's New
- Runtime WASM integrity check: SHA-256 hash of the WASM binary is embedded in the Node.js loader at build time and verified before
WebAssembly.Moduleinstantiation, blocking tampered binaries from executing - OIDC trusted publishing: Publish workflow migrated from long-lived
NPM_TOKENto GitHub OIDC, eliminating stored secrets - Minimal API surface: Removed unused error codes (
DECAPSULATION_FAILED,VERIFICATION_FAILED,NOT_IMPLEMENTED) for a clean 1.0.0 contract - Quantum-safe wallet example: New
examples/quantum-safe-wallet.mjsdemonstrating ML-DSA signature replacement with address-to-key binding validation - Socket.dev warning mitigated: WASM binary verified against embedded hash before instantiation, resolving filesystem-access flag
Fixed
picomatchdev dependency updated to fix high-severity ReDoS vulnerability (CVE in transitive dep; not in published package)
Breaking Changes
- Error codes
DECAPSULATION_FAILED,VERIFICATION_FAILED, andNOT_IMPLEMENTEDhave been removed fromErrorCodes. These were never thrown by any function — any code referencing them was already dead. TypeScript consumers will get a compile-time error if they reference the removed codes.
Full Changelog: v0.7.0...v1.0.0