npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

quantumscan

v1.9.0

Published

Post-quantum cryptography scanner — find quantum-vulnerable algorithms in your codebase, Solidity contracts, and Substrate/Polkadot pallets

Readme

QuantumScan — scanner-core

Find quantum-vulnerable cryptography in your codebase — before it becomes a compliance problem.

Live Stats Website License

QuantumScan detects classical cryptographic algorithms (RSA, ECDSA, AES-128, SHA-1…) that are vulnerable to quantum computers and maps them to their post-quantum replacements from NIST FIPS 203/204/205.

Quick Start

# Scan any public GitHub repo — free, no login required
curl -X POST https://quantumscan.io/api/scan \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","repoUrl":"https://github.com/owner/repo"}'

Or use the web UI at quantumscan.io — paste a repo URL and get a full risk report in seconds.

What gets detected

| Severity | Examples | |---|---| | CRITICAL | MD5, SHA-1, DES, SSLv3/TLS<1.2 | | HIGH | RSA, ECDSA, ECDH, DSA (all quantum-broken) | | MEDIUM | AES-128 (needs upgrade to AES-256) | | LOW | HMAC-SHA1, hardcoded key literals |

Most recently detected in the wild: ECDSA — appearing in 515 scans.

→ See STATS.md for live numbers updated every 24h.

Why post-quantum now?

NIST finalized ML-KEM (key encapsulation) and ML-DSA (signatures) in August 2024. DORA, NIS2, and ISO 27001:2022 compliance frameworks are already referencing PQC readiness. The migration window is 3–7 years — planning starts today.

PQC replacements

| Classical | Quantum replacement | |---|---| | RSA / ECDSA | ML-DSA (FIPS 204) | | ECDH / DH | ML-KEM (FIPS 203) | | SHA-1 | SHA-3 / SHA-256+ | | AES-128 | AES-256 |

Substrate / Polkadot

Use --substrate to enable 19 Substrate-specific PQC patterns covering BABE/GRANDPA consensus keys, custom pallet crypto, XCM signing, and ink! smart contracts.

npx quantumscan ./my-parachain --substrate

What gets detected with --substrate:

| Pattern group | Covered APIs | |---|---| | BABE/GRANDPA keys | BabeId, GrandpaId, sr25519::Pair, ed25519::Pair, impl_opaque_keys!, LocalKeystore::open, KeystorePtr | | Pallet crypto | sp_runtime::traits::Verify, MultiSignature, sp_core::sr25519/ed25519, sp_io::crypto::* | | XCM signing | OriginKind::SovereignAccount, xcm::prelude::*, Junction::AccountId32, xcm_executor::XcmExecutor | | ink! contracts | ink::env::ecdsa_recover, ink::env::sr25519_verify, self.env().caller() | | Rust crates | schnorrkel, ed25519-dalek, x25519-dalek, libp2p-noise |

Example output:

QuantumScan v1.9.0  Substrate/Polkadot PQC Analysis
──────────────────────────────────────────────────────────
Workspace  Substrate/Polkadot detected
Pallets    3 found (pallets/staking, pallets/identity, pallets/session)
ink!       2 contract(s) found
Crates     frame-support, sp-core, sp-runtime, schnorrkel… +4
Patterns   19 Substrate-specific PQC patterns active

🟠 HIGH     12 findings
  pallets/staking/src/lib.rs:42    BABE Authority Key (sr25519)      `BabeId`
  pallets/staking/src/lib.rs:89    Substrate Session Keys            `impl_opaque_keys! {`
  contracts/token/src/lib.rs:31    ink! ECDSA Recovery (secp256k1)   `self.env().ecdsa_recover`
  ...

Risk Score  85/100  High Risk

Migration paths:

| Algorithm | PQC replacement | |---|---| | sr25519 / BABE | ML-DSA (CRYSTALS-Dilithium) — await sp-core PQC RFC | | ed25519 / GRANDPA | ML-DSA or SLH-DSA — await Substrate PQC pallets | | x25519 / libp2p-noise | ML-KEM (CRYSTALS-Kyber) — await libp2p PQC KEX | | ink! ECDSA | ML-DSA when ink! adds PQC host functions |

Running tests:

npm test
# → 60 tests pass, 6 groups, 0 failures
# Node.js built-in test runner — no extra dependencies

Docker:

docker run --rm -v $(pwd):/target quantumscan/scanner /target --substrate

Contributing

Open issues for new patterns you'd like detected. PRs welcome — see CONTRIBUTING.md if it exists, or just open a PR with:

  1. The regex pattern
  2. Which algorithm it targets
  3. Severity (critical/high/medium/low)
  4. A PQC alternative

The inbound-pr-agent reviews PRs daily and will respond within 24h.


Stats auto-updated: 2026-06-23 17:03 UTC | quantumscan.io