quantum-audit — Is your project quantum-safe?
v0.2.2 — now on npm
Is your project<br>quantum-safe?
Shor's algorithm breaks ECDSA, RSA, and secp256k1 completely. Scan your npm dependencies and source code for quantum-vulnerable cryptography in seconds.
$ npx quantum-audit .
Quantum Audit — my-dapp
────────────────────────────────────────
Score: 60/100
Grade: C — Moderate Exposure
Findings:
[CRITICAL] ECDSA (secp256k1) — package.json
[MEDIUM] SHA-256 — src/utils/hash.js:14
Critical findings rely on RSA/ECDSA, broken by Shor's algorithm.
npx quantum-audit .
View on GitHub
What it detects
Top blockchain packages — all flagged
Every major Ethereum and Bitcoin npm package relies on ECDSA/secp256k1. None have a post-quantum migration path documented.
CRITICAL<br>ethers<br>ECDSA (secp256k1) signing
CRITICAL<br>web3<br>ECDSA (secp256k1) signing
CRITICAL<br>elliptic<br>ECDSA (secp256k1 / p256)
CRITICAL<br>bitcoinjs-lib<br>ECDSA (secp256k1)
CRITICAL<br>node-rsa<br>RSA — broken by Shor's algorithm
MEDIUM<br>crypto-js<br>AES-128 / SHA-256 — weakened by Grover's
SAFE<br>@noble/post-quantum<br>Kyber / Dilithium / SPHINCS+
How it works
Two scanning layers
Catches vulnerable crypto at the dependency level and in your source code directly.
LAYER 01
Dependency scan
Maps your package.json against a curated database of 20+ crypto libraries and their underlying algorithms. Instant results, no source required.
LAYER 02
AST source scan
Walks your JS/TS source via Babel AST to catch direct node:crypto calls — createSign('RSA-SHA256'), generateKeyPairSync('ec') — that dependency scanning misses.
CI READY
Exit codes for pipelines
Exits non-zero on critical findings. Drop npx quantum-audit . into any CI pipeline to gate on quantum exposure automatically.
Scoring
0–100 quantum readiness score
Critical findings (broken by Shor's algorithm) are weighted heavily. Medium findings (weakened by Grover's) reduce the score proportionally.
90–100
Quantum Ready
70–89
Low Exposure
40–69
Moderate Exposure
15–39
High Exposure
0–14
Critical Exposure
Scan your project now
Takes 10 seconds. No account required.
npx quantum-audit .
Read the writeup
Copied!