Open wiz opened 5 years ago
Thanks for the info, it's frightening.
For other people checking this repo: scrypt is now part of Node core. You should prefer the builtin crypto lib and avoid this repo (it is no longer maintained).
I was surprised to find straightforward dedicated scrypt methods in Node core: https://nodejs.org/api/crypto.html#crypto_crypto_scrypt_password_salt_keylen_options_callback
I was expecting to use 5 different methods in a stream just to get a hash. Not the case – can recommend.
This repo should be marked as deprecated imo.
scrypt-kdf provides a wrapper around the native Node.js OpenSSL scrypt implementation, with a similar interface to this repo.
The Node.js native implementation is just the low-level part of scrypt – for password storage & validation, it is necessary to include a salt and an HMAC hash of the scrypt-derived key, and to provide a verify function, which scrypt-kdf does (as this repo used to).
FYI the same person who injected malicious code into the event-stream module also tried to do the same to this module: https://web.archive.org/web/20181126192134/https://github.com/right9ctrl/node-scrypt
Original issue here: https://github.com/dominictarr/event-stream/issues/116
It's clear this module is also used in crypto-currency wallet implementations - please be careful not to accept any PRs or grant permissions to untrusted third parties.