Filip Skokan
@_panva
Followers: 675 · Following: 82 · Media: 37 · Statuses: 474
Identity, OpenID Connect, OAuth 2.0, SSO, Authorization, Authentication, Technical Standards. Node.js core collaborator and TSC member.
Czech Republic
Joined March 2019
Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.
Time to catch up with https://t.co/90OBYqUsrh
@bunjavascript @deno_land @Cloudflare WPTs are available. Browsers started going through their implementations. These algorithms power HPKE implementations (https://t.co/obXVVZupQN)
HPKE vector validation in *your* browser (and the implementation project's github actions pipeline) https://t.co/KUal2Urjlo
panva.github.io
Hybrid Public Key Encryption (HPKE) demo and vector validation browser test suite.
Let's get some ⭐⭐⭐ going 🙏 https://t.co/obXVVZtS1f Hybrid Public Key Encryption (HPKE) for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes. Fully tree-shakeable. Fully typed. Extensible.
github.com
Hybrid Public Key Encryption (HPKE) for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes - panva/hpke
I've been hammering on a new, 0 dependency, runtime-native-only crypto module that runs everywhere*. Hard to Predict, Keeps everything Encrypted.
My new project's build script. tsc is then only used to emit declarations and a source map; the published files are index.(js, ts, d.ts(.map)).
Only two more Hybrid PQ/T instances to go. Fully tree-shakeable. Fully typed. All crypto through WebCryptoAPI. All official vectors passing.
Now I get private vulnerability disclosures about CVEs that should've never been assigned, that I rejected, and that are invalid, for which I can provide proof.
I mean how can a CNA make an assignment without actually ever contacting the software maintainer or seeing the discussion that happened in a private disclosure. It's a one-sided system. It has happened to me and 7 other JOSE libraries in different languages.
And then you as maintainer spend more time triaging issues where security slop tooling users get concerned. It's a bad system that punishes the open source maintainers.
What's worse is that even when you reject these, the reporter can turn to a CNA and have their slop assigned a CVE number that you then have no possible way to reject. It'll stay there, disputed, forever. And the sec tooling slop that's out there will ingest this nonsense.
3 private vulnerability disclosures this week. All AI-assisted slop that at first glance seems plausible but when challenged quotes non-existent language from RFCs. Time being wasted. Disclosures invalid.
💬 It's partly because of @balazsorban44's projects' needs and the poor state of Vercel Edge Runtime Node compat at the time that we now have jose, openid-client, and oauth4webapi with no dependencies entirely built on top of Web Platform APIs such as Fetch and Web Cryptography.
This is a bittersweet moment, but given the time and energy I've been able to dedicate to the project lately, it feels like the right decision. I followed @imbereket from the start and I think he is the right person to trust with Auth.js. I am officially no longer the maintainer.
Node.js v24.7.0 is out 💚 Featuring:
- Post-Quantum Cryptography in node:crypto
- Modern Algorithms in Web Cryptography API
- Node.js execution argument support in single executable applications
And more details in our blog:
nodejs.org
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
I was lucky to be part of the second cohort of @GitHub Secure Open Source Fund program and I enjoyed every bit of it. The program is jam-packed with content that you don't want to miss. So if you have an impactful Open Source project, you should apply! https://t.co/jg13FK45Ya
github.blog
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
A number of JWT libraries are being flagged by low quality CVEs, mine included. I've promptly responded to their author 4 months ago and haven't heard back since. Now there are poor quality CVEs on MITRE that are getting synced across all security tools. What a shame, and PITA.
I've verified that oidc-provider (built using Koa) will run on CF Workers. Great job @yagiznizipli. No runtime can thrive without node compat and CF's approach to it is just 🧑🍳🤌
OpenSSL 3.5 upgrade in Node.js underway, and so is planning for all the goodness that comes with having 3.5 at hand: ML-DSA, ML-KEM, HPKE.