Beware of malicious code injections to this repo #186

Open
wiz opened this issue Nov 30, 2018 · 3 comments

Comments

@wiz
wiz commented Nov 30, 2018

FYI the same person who injected malicious code into the event-stream module also tried to do the same to this module:

https://web.archive.org/web/20181126192134/https://github.com/right9ctrl/node-scrypt

Original issue here:
dominictarr/event-stream#116

It's clear this module is also used in crypto-currency wallet implementations - please be careful not to accept any PRs or grant permissions to untrusted third parties.

@demurgos
Thanks for info, it's frightening.

For other people checking this repo: scrypt is now part of Node core. You should prefer the builtin crypto lib and avoid this repo (it is no longer maintained).

@fiws
fiws commented Jan 30, 2019

I was surprised to find straightforward dedicated scrypt methods in node core: https://nodejs.org/api/crypto.html#crypto_crypto_scrypt_password_salt_keylen_options_callback

I was expecting to use 5 different methods in a stream just to get a hash. Not the case – can recommend.

This repo should be marked as deprecated imo.

@chrisveness
scrypt-kdf provides a wrapper around the native Node.js OpenSSL scrypt implementation, with a similar interface to this repo.

The Node.js native implementation is just the low-level part of scrypt – for password storage & validation, it is necessary to include a salt and an HMAC hash of the scrypt-derived key, and to provide a verify function, which scrypt-kdf does (as this repo used to).
