nostr-tools Unlicense 21 versions

nostr-tools

npm Repository Homepage

Tools for making a Nostr client.

21

Versions

Unlicense

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

fiatjaf

Keywords

decentralizationsocialcensorship-resistanceclientnostr

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are nostr-wasm and @noble/ciphers — both legitimate, well-known packages in the Nostr/cryptography ecosystem, consistent with this package's purpose.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): Size increase explained by bundled WASM binary from nostr-wasm and additional cipher implementations from @noble/ciphers in dual ESM/CJS build output.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): nostr-tools ships compiled ESM+CJS+types output; adding nostr-wasm (WASM binary) and @noble/ciphers naturally multiplies file count. No malicious indicators.	ai	2026/04/23
phantom-deps	phantom-dep:mitata	AI (phantom-deps): mitata is a dev/benchmark tool declared in dependencies but not imported; this is a packaging hygiene issue, not a security concern.	ai	2026/04/23
dependencies	unvetted-dep:mitata	AI (dependencies): mitata is a benchmarking library accidentally placed in dependencies instead of devDependencies; it is not imported at runtime (confirmed by phantom-dep finding) and poses no security risk.	ai	2026/04/23
dependencies	unvetted-dep:nostr-wasm	AI (dependencies): nostr-wasm is a WASM binding for Nostr secp256k1 operations, directly relevant to nostr-tools' purpose and maintained by the same ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:@noble/ciphers	AI (dependencies): @noble/ciphers is from Paul Miller's well-audited @noble cryptography suite, consistent with the other @noble deps already accepted in this package.	ai	2026/04/21
publish-pattern	dormant-publish	AI (publish-pattern): The dormancy is an artifact of comparing v2.23.3 against the old v1.13.1 baseline. This is a major version rewrite by the original author, not an account takeover.	ai	2026/04/21
dependencies	unvetted-dep:@noble/curves	AI (dependencies): @noble/curves is a reputable cryptographic library by Paul Miller, expected for a Nostr client that uses secp256k1. Stable dependency for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): nostr-tools is an established, well-known Nostr protocol library; lack of Sigstore provenance is common and not a risk signal for this package.	ai	2026/04/21

Versions (showing 21 of 121)

Version	Deps	Published
1.7.0	6 / 15	2023-02-26
1.6.3	6 / 15	2023-02-26
1.6.2	6 / 15	2023-02-26
1.6.1	6 / 15	2023-02-26
1.6.0	6 / 15	2023-02-21
1.5.0	6 / 15	2023-02-17
1.4.2	6 / 15	2023-02-16
1.4.1	6 / 15	2023-02-14
1.4.0	6 / 15	2023-02-14
1.3.2	5 / 15	2023-02-09
1.3.1	5 / 15	2023-02-09
1.3.0	5 / 15	2023-02-08
1.2.4	5 / 15	2023-02-08
1.2.3	5 / 15	2023-02-08
1.2.1	5 / 15	2023-01-28
1.2.0	5 / 15	2023-01-22
1.1.2	5 / 15	2023-01-18
1.1.1	5 / 15	2023-01-04
1.1.0	5 / 15	2022-12-27
1.0.1	6 / 15	2022-12-25
1.0.0	6 / 15	2022-12-23

v1.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.