{"id":45579189,"url":"https://github.com/usrz/js-key-derivation","last_synced_at":"2026-02-23T11:31:52.729Z","repository":{"id":29903928,"uuid":"33449631","full_name":"usrz/js-key-derivation","owner":"usrz","description":null,"archived":false,"fork":false,"pushed_at":"2015-04-22T12:33:53.000Z","size":128,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-08-10T02:52:46.694Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/usrz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-04-05T17:55:18.000Z","updated_at":"2015-04-22T12:33:53.000Z","dependencies_parsed_at":"2022-09-09T23:52:50.515Z","dependency_job_id":null,"html_url":"https://github.com/usrz/js-key-derivation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/usrz/js-key-derivation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usrz%2Fjs-key-derivation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usrz%2Fjs-key-derivation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usrz%2Fjs-key-derivation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usrz%2Fjs-key-derivation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/usrz","download_url":"https://codeload.github.com/usrz/js-key-derivation/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usrz%2F
js-key-derivation/sbom","scorecard":{"id":912832,"data":{"date":"2025-08-11","repo":{"name":"github.com/usrz/js-key-derivation","commit":"b05ea424a826df77512301bbd8b9750e4c91d1dd"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.6,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/10 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file 
to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-24T19:53:02.423Z","repository_id":29903928,"created_at":"2025-08-24T19:53:02.423Z","updated_at":"2025-08-24T19:53:02.423Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29741587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T07:44:07.782Z","status":"ssl_error","status_checked_at":"2026-02-23T07:44:07.432Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-23T11:31:51.938Z","updated_at":"2026-02-23T11:31:52.719Z","avatar_url":"https://github.com/usrz.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"Key Derivation Functions\n========================\n\nThis package is a wrapper around different key derivation functions (password\nhashing functions, for the uninitiated) presenting a single and consistent API\naround different ways to \"hash\" secrets.\n\n* [Install and use](#install-and-use)\n* [API Description](#api-description)\n  * [Key derivation with callbacks](#key-derivation-with-callbacks)\n  * [Key derivation with promises](#key-derivation-with-promises)\n  * [Other properties and methods](#other-properties-and-methods)\n  * [String encoding](#string-encoding)\n  * [Result structure](#result-structure)\n* 
[Algorithms and KDF specs](#algorithms-and-kdf-specs)\n  * [Bcrypt](#bcrypt)\n  * [PBKDF2](#pbkdf2)\n  * [Scrypt](#scrypt)\n* [License (MIT)](#license-mit-)\n\n\n\nInstall and use\n---------------\n\nInstall as usual with _NPM_:\n\n```bash\nnpm install --save key-derivation\n```\n\nYou can use it with callbacks...\n\n```javascript\nvar KDF = require('key-derivation');\n\n// Create a KDF and derive a key\nnew KDF(spec).deriveKey(secret, salt, function callback(err, result) {\n  // Look, ma! We hashed the secret\n});\n```\n\n... or with a `Promise`:\n\n```javascript\nvar KDF = require('key-derivation');\n\n// Create a KDF and derive a key\nnew KDF(spec).promiseKey(secret, salt).then(function(result) {\n  // Look, ma! We hashed the secret\n});\n```\n\n\nAPI Description\n---------------\n\nA `KDF` can be constructed in three ways:\n\n* Using defaults, by just calling `new KDF()`\n* Using an algorithm identifier (one of\n  [`BCRYPT`](http://en.wikipedia.org/wiki/Bcrypt),\n  [`PBKDF2`](http://tools.ietf.org/html/rfc2898) or\n  [`SCRYPT`](http://www.tarsnap.com/scrypt.html), case insensitive).\n* Using a [_KDF spec_](#kdf-spec) enclosing the algorithm and its parameters.\n\n\n#### Key derivation with callbacks\n\n```javascript\nkdf.deriveKey(secret, salt, function callback(error, result) {\n  ...\n})\n```\n\nThe `deriveKey(...)` function takes three arguments:\n\n* `secret`: a `string` or `Buffer` containing the data to be hashed.\n* `salt`: the **optional** salt for the computation; if unspecified a _random_\n  one will be generated (again a `string` or `Buffer`).\n* `callback`: a callback function invoked with the two usual `error` and\n  `result` arguments.\n\n\n#### Key derivation with promises\n\n```javascript\nkdf.promiseKey(secret, salt)\n  .then(function(result) { ... })\n  .catch(function(error) { ... 
})\n```\n\nThe `promiseKey(...)` function takes two arguments:\n\n* `secret`: a `string` or `Buffer` containing the data to be hashed.\n* `salt`: the **optional** salt for the computation; if unspecified a _random_\n  one will be generated (again a `string` or `Buffer`).\n\n\n#### Other properties and methods\n\n```javascript\nvar KDF = require('key-derivation');\nKDF.defaultSpec;\n```\n\nThe **static** immutable `defaultSpec` property of the `KDF` class contains\nthe base _KDF spec_ that will be used when invoking the constructor without\n(or with only partial) arguments.\n\n```javascript\nvar kdf = new KDF(spec);\nconsole.log(kdf.kdfSpec);\n```\n\nThe `kdfSpec` _immutable_ property of each `KDF` **instance** will contain the\nfull _KDF spec_ used by the `deriveKey(...)` and `promiseKey(...)` functions.\n\n```javascript\nvar kdf = new KDF(spec).withSecureRandom();\n```\n\n`KDF` instances are constructed by default with a non-failing pseudo-random\nnumber generator (as secure random number generators might generate errors).\n\nThe `withSecureRandom()` function invoked without parameters will instruct the\n`KDF` instance to use a (potentially failing) cryptographically secure random\nnumber generator.\n\nThe optional boolean parameter to this method allows specific enabling or\ndisabling of this feature.\n\nSee the documentation for Node's `crypto` module for the difference between\nits `randomBytes(...)` and `pseudoRandomBytes(...)`.\n\n\nThis function always returns the same `KDF` instance it was called on.\n\n\n#### String encoding\n\nBoth the `secret` and `salt` can be specified as `Buffer` or `string`.\n\nWhen using a `string`, its value will be converted internally into a `Buffer`\nusing the **UTF8** encoding.\n\n\n#### Result structure\n\nThe `result` produced by the key derivation operations described above will\nbe an object containing the following keys:\n\n* `derived_key`: the `Buffer` containing the bytes of the derived key\n* `salt`: the 
`Buffer` containing the bytes of the salt, either the specified\n   one or the randomly generated one.\n* `kdf_spec`: a complete _KDF spec_ describing the key derivation computation.\n\nFor example:\n\n```javascript\n{\n  'derived_key': Buffer([ ... ]),\n  'salt': Buffer([ ... ]),\n  'kdf_spec': {\n    'algorithm': 'SCRYPT',\n    'hash': 'SHA256',\n    'cpu_memory_cost': 32768,\n    'block_size': 8,\n    'parallelization': 1,\n    'derived_key_length': 32\n  }\n}\n```\n\n\nAlgorithms and KDF specs\n------------------------\n\n\n#### Bcrypt\n\n\u003e **PLEASE NOTE** that due to the current limitations of Node's\n\u003e [`bcrypt`](https://www.npmjs.com/package/bcrypt) library we are\n\u003e currently unable to support _reliable_ pre-hashing of secrets,\n\u003e henceforth the input will _always_ be limited to 72 characters.\n\u003e\n\u003e Furthermore _extreme care_ should be used when using this method, as\n\u003e internally the extensive use of `string` does not allow processing\n\u003e of non-UTF8 sequence of bytes.\n\nDefaults:\n\n```json\n{\n  \"algorithm\": \"BCRYPT\",\n  \"rounds\": 10\n}\n```\n\nThe `BCRYPT` algorithm _KDF spec_ contains two keys:\n\n* `algorithm`: always `BCRYPT`\n* `rounds`: the usual Blowfish `log2(iterations)` (between 4 and 31)\n\nThe `BCRYPT` requirements dictate a `salt` of precisely 16 bytes, and the\n`derived_key` will always be precisely 23 bytes. 
Any secret whose length\n(the number of bytes, take this into consideration with UTF8 strings) is\ngreater than 72 characters will be truncated.\n\n\n#### PBKDF2\n\nDefaults:\n\n```json\n{\n  \"algorithm\": \"PBKDF2\",\n  \"hash\": \"SHA256\",\n  \"iterations\": 65536,\n  \"derived_key_length\": 32\n}\n```\n\nThe `PBKDF2` algorithm _KDF spec_ contains four keys:\n\n* `algorithm`: always `PBKDF2`\n* `hash`: the hashing function to use for deriving the key\n* `iterations`: the number of iterations\n* `derived_key_length`: the desired number of bytes in the output key (defaults\n  to the number of bytes produced by the hashing function).\n\nWhen unspecified, the number of bytes randomly generated for the `salt` will\nbe equal to the number of bytes produced by the hashing function.\n\nSee [`RFC 2898`](http://tools.ietf.org/html/rfc2898) for more information.\n\n\n#### Scrypt\n\n\u003e **PLEASE NOTE** that due to the current limitations of Node's\n\u003e [`scrypt`](https://www.npmjs.com/package/scrypt) library we are\n\u003e currently only able to support `SHA256` as a hashing function.\n\nDefaults:\n\n```json\n{\n  \"algorithm\": \"SCRYPT\",\n  \"hash\": \"SHA256\",\n  \"cpu_memory_cost\": 32768,\n  \"parallelization\": 1,\n  \"block_size\": 8,\n  \"derived_key_length\": 32\n}\n```\n\nThe `SCRYPT` algorithm _KDF spec_ contains six keys:\n\n* `algorithm`: always `SCRYPT`\n* `hash`: the hashing function to use for deriving the key\n* `cpu_memory_cost`: the CPU/memory cost parameter `N`\n* `parallelization`: the parallelization factor `p`\n* `block_size`: the block size parameter `b`\n* `derived_key_length`: the desired number of bytes in the output key (defaults\n  to the number of bytes produced by the hashing function).\n\nWhen unspecified, the number of bytes randomly generated for the `salt` will\nbe equal to the number of bytes produced by the hashing function.\n\nSee [`TarSnap`](http://www.tarsnap.com/scrypt.html) for more information.\n\nLicense 
(MIT)\n-------------\n\nCopyright (c) 2015 USRZ.com and Pier Paolo Fumagalli\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusrz%2Fjs-key-derivation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fusrz%2Fjs-key-derivation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusrz%2Fjs-key-derivation/lists"}