index.js depends on an archived dependency

[kdenhartog]

the npm package @trust/webcrypto was archived recently which is used as a dependency in index.js. Is there another dependency that this can be moved to?

[kevlened]

https://github.com/PeculiarVentures/node-webcrypto-ossl is the only still-supported one I've seen, but it's a native module. Native modules can cause some issues for those using Electron, so I'm hesitant to move, but I also realize there's potential security risk in using an archived project.

Ideally this is solved as a minimal shim over the node crypto apis, but I personally won't be able to address the issue soon. I'd review and accept PRs if you'd like.

[kdenhartog]

Sounds like a plan. I'm working on some investigation for a separate project, so I can identify if that dependency causes issues with an electron app and provide details here when I know more.

I think building on the node-crypto APIs is also a good backup option. To also support ED25519/X25519 as well in here we can build on elliptic similar to what @trust/webcrypto is doing.

[kevlened]

Just discovered PeculiarVentures's similar, js-only polyfill (@peculiar/webcrypto). isomorphic-webcrypto uses @peculiar/webcrypto in v2.

[kevlened]

Closing for now.