Filip Skokan

Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.

yay or nay?

When it comes to JWTs issued for "yourself" the JWE format is far superior to JWS. Just let go of the HMAC JWS algorithms and use JWE direct encryption instead. You get confidentiality and it forces use of correct-length keys. await new jose.EncryptJWT > await new jose.SignJWT

Time to catch up with wicg.github.io/webcrypto-mode… @bunjavascript @deno_land @Cloudflare WPTs are available. Browsers started going through their implementations. These algorithms power HPKE implementations (github.com/panva/hpke)

@colinhacks A _button_? It gives so much more cli.github.com/manual/gh_work…

pro tip: always include `workflow_dispatch` in your workflow triggers this gives you a button inthe GitHub UI to manually trigger fresh runs (when your CI inevitably fails)

HPKE vector validation in *your* browser (and the implementation project's github actions pipeline) panva.github.io/hpke/

Let's get some ⭐⭐⭐ going 🙏 github.com/panva/hpke Hybrid Public Key Encryption (HPKE) for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes. Fully tree-shakeable. Fully typed. Extensible.

my new project's build script, tsc is then only used to emit declarations and a source map, the published files are index.(js, ts, d.ts(.map))

Only two more Hybrid PQ/T instances to go. Fully tree-shakeable. Fully typed. All crypto through WebCryptoAPI. All official vectors passing.

I've been hammering on a new, 0 dependency, runtime-native-only crypto, module that runs everywhere*. Hard to Predict, Keeps everything Encrypted.

@feross is there a list of detected typosquatted malicious packages?

@matteocollina @CVEnew Had GitHub staff from the Secure Open Source Fund who are on the CVE board look into it weeks ago. The resolution as disputed is final as per the "process" and cannot change to rejected. Despite it being factually incorrect. No appeal.

@_panva @CVEnew All of that happened to me last week. The only safe way for an OSS project is to be its own CNA or affiliate to a friendly CNA somehow.

3 private vulnerability disclosures this week. All AI assisted slop that at first glance seems plausable but when challenged quotes non-existent language from RFCs. Time being wasted. Disclosures invalid.

@CVEnew --

Now i get private vulnerability disclosures about CVEs that should've never been assigned, that I rejected, and that are invalid for which i can provide proof.

💬 It's partly because of @balazsorban44's projects' needs and the poor state of Vercel Edge Runtime Node compat at the time that we now have jose, openid-client, and oauth4webapi with no dependencies entirely built on top of Web Platform APIs such as Fetch and Web Cryptography.

@kettanaito @npmjs I did. Years ago.

@_panva @npmjs You have a far bigger chance of reaching out to the authors of those packages and asking for the name.

The @npmjs name dispute process does not work anymore. It used to but no longer does. I have 3 npm pkg name claim disputes open for package names that see no downloads or activity since more than a decade ago. Tickets open for over a year with no response.