npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@mediagato/crypto

v0.1.0

Published

End-to-end encryption primitives — AES-256-GCM with PBKDF2-derived keys. Web Crypto everywhere (browser, modern Node, Cloudflare Workers, Deno, Bun). Originally lifted from TabbJam's bookmark-sync crypto layer.

Downloads

48

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

nachomedianachomedia

Keywords

encryptionaesaes-gcmpbkdf2e2eend-to-end-encryptionweb-cryptomediagato

Readme

@mediagato/crypto

End-to-end encryption primitives for MEDiAGATO products. AES-256-GCM authenticated encryption with PBKDF2-derived keys (600k iterations, OWASP 2023+ recommendation).

Built on Web Crypto, runs identically in:

  • Browsers (extension popups, content scripts, web pages)
  • Modern Node (>=19, where globalThis.crypto.subtle is native)
  • Cloudflare Workers / Pages Functions
  • Deno, Bun

Why

Two MEDiAGATO products needed E2E encryption: TabbJam's bookmark sync (shipped to Chrome Web Store) and Mr. Mags's upcoming sync tier. Carving out the primitive once means both consume the same audited code, neither has to reinvent, and any future product gets a battle-tested base.

Install

npm i @mediagato/crypto

Use

import { encrypt, decrypt } from '@mediagato/crypto';

const blob = await encrypt(
  { hello: 'world' },
  'correct-horse-battery-staple'
);
// blob = { ciphertext, iv, salt, checksum }

const original = await decrypt(
  blob.ciphertext, blob.iv, blob.salt, blob.checksum,
  'correct-horse-battery-staple'
);
// original = { hello: 'world' }

The salt is derived once on first encrypt — pass it back as the third argument to subsequent encrypt() calls if you want the same derived key (so a server can de-duplicate or version blobs without seeing plaintext).

The IV is fresh every call — never reuse one with the same key. Encrypting the same plaintext twice with the same passphrase + salt produces different ciphertext but decrypts to the same value.

The checksum is a SHA-256 of the plaintext, verified post-decrypt. AES-GCM already authenticates, so a tampered ciphertext won't decrypt at all; the checksum is a belt-and-suspenders against bugs at the storage layer.

Browser global

For drop-in use inside MV3 extensions (where you might not want a bundler), the module also assigns globalThis.MediagatoCrypto = { encrypt, decrypt, deriveKey } — same surface as the named exports.

What it isn't

Not a library for arbitrary cryptographic protocols. Just symmetric encryption of JSON values with a user-held passphrase. If you need asymmetric key exchange, signatures, or anything beyond "encrypt this blob, decrypt it later," reach for libsodium-wrappers or tweetnacl instead.

License

MIT — see LICENSE.