
I scanned popular open source projects for quantum-vulnerable crypto. Here's what I found.
NIST's post-quantum transition plan deprecates RSA, ECC and the other quantum-vulnerable public-key algorithms by 2030 and disallows them entirely by 2035. The reason: a large enough quantum computer will eventually break them. I wanted to know how exposed my own projects were. So I built PostQuant (https://github.com/postquantdev/postquant), a CLI that scans TLS endpoints and source code for quantum-vulnerable cryptography and gives you a letter grade. Then I pointed it at some popular open source projects. The results were interesting.

The Scan Results

Frameworks

| Project | Language | Grade | Critical Findings | What It Found |
| --- | --- | --- | --- | --- |
| Django | Python | D+ | 2 | MD5 in auth hashers, SHA-1 in file uploads |
| Spring Boot | Java | D+ | — | RSA in OAuth2 |
| Node.js | JS | D+ | — | Various classical crypto in core |
| Go stdlib | Go | F | 161 | Classical crypto throughout standard library |
| FastAPI | Python | A | 0 | Clean |
| Express | JS | A | 0 | Clean |
| Gin | Go | A | 0 | Clean |

npm Packages

| Package | Grade | Raw Findings | After Context Analysis |
| --- | --- | --- | --- |
| uuid | A | 4 critical | 4 low |
| express-session | A | 2 critical | 2 low |
| node-forge | C+ | 4 critical | |
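The "Raw Findings" versus "After Context Analysis" columns are the interesting part of a scanner like this: a call to MD5 inside a namespace-UUID routine or an ETag computation is not the same risk as MD5 in a password hasher. The block below is an added illustration of that idea, written for this page; it is not PostQuant's code and does not reproduce its rules or rubric. The regexes, the list of non-security hints, the two-line comment window and the letter-grade thresholds are all assumptions made for the example, and the four sample files are constructed. It follows the page's tool in flagging MD5 and SHA-1 alongside RSA and ECC, with the note that the digests are classically weak rather than specifically quantum-vulnerable.

```python
"""Source scanner for quantum-vulnerable and weak crypto with context-aware severity.

Added example for this page, not PostQuant's own code. Rules, hint words,
grading thresholds and sample files below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# (pattern, primitive). RSA/ECC are what Shor's algorithm breaks; MD5/SHA-1 are
# classically weak digests that the page's tool also reports. Assumed patterns.
RULES = [
    (re.compile(r"(rsa\.generate_private_key|RSA\.generate\(|generateKeyPair(?:Sync)?\(\s*['\"]rsa['\"]|\bRS256\b)"), "RSA"),
    (re.compile(r"(ec\.generate_private_key|\bECDSA\b|\bECDH\b|\bES256\b|secp256k1|prime256v1|\bX25519\b|\bEd25519\b)"), "ECC"),
    (re.compile(r"(hashlib\.md5\(|createHash\(\s*['\"]md5['\"]|getInstance\(\s*\"MD5\")"), "MD5"),
    (re.compile(r"(hashlib\.sha1\(|createHash\(\s*['\"]sha1['\"]|getInstance\(\s*\"SHA-1\")"), "SHA-1"),
]

# Words that, near the call or in the path, suggest a non-security use (assumed list).
NON_SECURITY_HINTS = ("usedforsecurity=false", "checksum", "etag", "cache key", "uuid", "dedup", "not a security")
TEST_PATH = re.compile(r"(^|/)(tests?|__tests__|spec)/|_test\.|\.test\.|\.spec\.")


@dataclass
class Finding:
    path: str
    line: int
    primitive: str
    severity: str   # "critical" or "low"
    reason: str
    snippet: str


def classify_context(path, lines, idx):
    """Return (severity, reason) for the match on lines[idx].

    Looks at the flagged line plus the two lines above it, so a comment that
    explains a non-security use counts, and at the file path."""
    window = " ".join(lines[max(0, idx - 2): idx + 1]).lower()
    haystack = window + " " + path.lower()
    for hint in NON_SECURITY_HINTS:
        if hint in haystack:
            return "low", f"non-security context ({hint!r})"
    if TEST_PATH.search(path):
        return "low", "test code"
    return "critical", "no mitigating context"


def scan_source(path, text):
    """Run every rule over every line of one file and attach a context verdict."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for pattern, primitive in RULES:
            if pattern.search(line):
                severity, reason = classify_context(path, lines, idx)
                findings.append(Finding(path, idx + 1, primitive, severity, reason, line.strip()))
    return findings


def scan_project(files):
    """files: mapping of path -> source text (in-memory so the example runs offline)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


def grade(findings):
    """Assumed rubric (not PostQuant's): driven by the number of critical findings."""
    critical = sum(1 for f in findings if f.severity == "critical")
    if critical == 0:
        return "A" if not findings else "B"
    if critical <= 2:
        return "C"
    if critical <= 5:
        return "D"
    return "F"


def summarize(findings):
    """Raw count versus context-adjusted split, mirroring the two table columns."""
    critical = sum(1 for f in findings if f.severity == "critical")
    return {"raw": len(findings), "critical": critical, "low": len(findings) - critical, "grade": grade(findings)}


# Constructed sample files: a password hasher, a key module, a UUID v3 helper and an ETag routine.
SAMPLE_FILES = {
    "auth/hashers.py": "import hashlib\ndef encode(password, salt):\n    return hashlib.md5((salt + password).encode()).hexdigest()\n",
    "crypto/keys.py": "from cryptography.hazmat.primitives.asymmetric import rsa, ec\n"
                      "signing_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
                      "agreement_key = ec.generate_private_key(ec.SECP256R1())\n",
    "lib/uuid/v3.js": "// Namespace UUIDs hash the name with MD5 by spec; not a security boundary.\n"
                      "const digest = crypto.createHash('md5').update(bytes).digest();\n",
    "storage/etag.py": "import hashlib\ndef etag_for(chunk):\n    return hashlib.md5(chunk, usedforsecurity=False).hexdigest()\n",
}

if __name__ == "__main__":
    results = scan_project(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:8} {f.primitive:5} {f.path}:{f.line}  ({f.reason})  {f.snippet}")
    print(summarize(results))
```

On the constructed input this reports five raw findings, of which three stay critical (the MD5 password hasher and the RSA and EC key generation) and two are downgraded to low (the UUID v3 digest and the `usedforsecurity=False` ETag), for an overall grade of D under the assumed rubric. The design choice worth copying is that the downgrade is explained in `reason`, so a reviewer can audit why a finding was softened. The limitation worth remembering is that a line-level scanner only sees call sites: it cannot tell whether an RSA key signs artifacts that must still be trusted after 2035 or a session token that expires in an hour, so the grade is an inventory, not a risk assessment.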
Continue reading on Dev.to