I scanned 8 popular npm projects for quantum-vulnerable cryptography. Here's what I found.

This week Google published a paper that changed the post-quantum timeline. Breaking ECDSA-256 — the signature scheme protecting Bitcoin, Ethereum, and most of the web — now requires roughly 1,200 logical qubits and under 500,000 physical qubits . That's a 20x reduction from previous estimates. I wanted to answer a simple question: how exposed are the projects we all depend on? So I built pqaudit , an open-source CLI that scans source code and npm dependencies for quantum-vulnerable cryptography — algorithms broken by Shor's algorithm (RSA, ECDSA, Ed25519, ECDH, Diffie-Hellman) and weakened by Grover's algorithm (AES-128) — and flags the NIST-approved replacement for each one. Then I pointed it at 8 popular projects. The results Project Files Critical High PQC Ready Express 142 0 0 Yes Fastify 295 1 0 No Next.js 22,478 17 1 No Prisma 3,291 0 0 Yes jsonwebtoken 65 21 0 No Solana web3.js 104 17 0 No Ethereum web3.js 1,194 12 3 No Signal Desktop 2,854 12 0 No 30,423 files scanned. 6 of 8 a

I scanned 8 popular npm projects for quantum-vulnerable cryptography. Here's what I found.

Related Articles

Official White House app developer also a UFO conspiracy theorist

The Artemis Moon base project is legally dubious

The HP OmniBook 5 Is a MacBook Neo Killer, and It's Only $500

Trump defunding of NPR and PBS blocked by judge, but damage is already done

Everything is iPhone now

Related Articles

News
Official White House app developer also a UFO conspiracy theorist
Ars Technica • 28m ago

News
The Artemis Moon base project is legally dubious
The Verge • 55m ago

News
The HP OmniBook 5 Is a MacBook Neo Killer, and It's Only $500
Wired • 1h ago

News
Trump defunding of NPR and PBS blocked by judge, but damage is already done
Ars Technica • 1h ago

News
Everything is iPhone now
The Verge • 1h ago