Back to Explore

panva/hkdf

GitHub
2 watchersOpen source

Last release:

Provides an implementation of the HKDF key derivation function (RFC 5869) in Node.js and multiple other JavaScript runtimes, using native crypto with no dependencies. Useful for deriving fixed-length cryptographic keys from input keying material (ikm) plus optional salt and info, based on a selectable digest algorithm. The project is marked as archived, with guidance to use the Web Cryptography API’s deriveBits instead.

Project status

  • Maintenance status: Upstream is marked as archived, and the most recent recorded updates in the provided history are from 2024-07-03 (v1.2.1). With today being 2026-06-09, this indicates the project is effectively in a quiet, maintenance mode rather than active development.
  • Update cadence: Sporadic releases, with a cluster in 2023 to 2024 (v1.1.x in 2023, v1.2.x in 2024) and then a long gap since v1.2.1. An upstream push is noted at 2025-06-18, but no corresponding recent update entries are shown here.

AI summary generated

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • v1.2.1

    Release v1.2.1 contains a small build/distribution packaging fix. It updates the ESM distribution package.json files to mark them as side-effect free for bundlers/tree-shaking.

  • v1.2.0

    Release v1.2.0 primarily adds new package.json export conditions so the library can be resolved for Bun, Deno, and Workerd. The documented runtime change is implemented via additional `exports` condition keys that point to the existing web build output.

    Features
  • v1.1.1

    Release v1.1.1 is a packaging-focused bug fix. It updates the npm package contents to exclude deno documentation/artifacts from the published tarball.

  • v1.1.0

    v1.1.0 release notes only call out an updated release process that publishes with provenance. The actual diff is dominated by CI and release workflow changes, along with devDependency and package-lock updates, and a small modification to the release-notes generation script.

    SecurityFeatures
  • v1.0.4

    Release v1.0.4 includes the documented addition of a worker export target, plus a build-related CI tweak to trigger tests. The code diff, however, shows substantial internal CI and test/tooling refactors (workflows, npm scripts, dev tooling, and tsconfig settings) that are not described in the release notes.

    Features
  • v1.0.2

    Release v1.0.2 primarily adds a TypeScript type export to support NodeNext module resolution. The diff also includes changes to CI workflow triggers and documentation, including README updates referencing Next.js Middleware and similar environments.

  • v1.0.1

    This v1.0.1 release adds validation to ensure the requested HKDF output length (keylen) does not exceed the maximum permitted by the selected digest size. The primary code change introduces a new keylen normalizer that throws when keylen is too large, and updates the generated dist builds and README to reflect the new constraint.

  • v1.0.0

    This release introduces a new universal HKDF implementation aligned with RFC 5869. It adds functionality for deriving cryptographic keys using the standard HKDF algorithm.

    Features