These Varmints Have Us Cornered!
Well folks, the digital Wild West’s a real mess in many ways - outlaws, bandits, two-bit no good tricksters and all manner of unholy abominations roam the plains lookin’ to unleash all manner of mayhem on poor unsuspectin’ folks just tryin’ to earn an honest livin’. You really can never be too careful - if yer a farmer, you got to be on the lookout fer coyotes on the prowl fer an easy meal. If yer a prospector, you may come up on some highwaymen lookin’ to relieve you of yer property. Let’s just say that it ain’t fer the faint of heart, and even the bravest and burliest of hombres have met their untimely end tryin’ to face down these threats.
Now it’s all well and good bein’ courageous, but any savvy gunslinger knows there’s a thin line between bravery and stupidity. You only really want to go toe to toe with varmints if you really have to - no siree, no point in lookin’ fer a fight, because then yer just straight-up stupid. An ignoramus. Lackin’ in mental acuity and sound judgment!
But I digress…now ol’ Buckley’s been in some tricky situations with some of the most unsavory and downright despicable characters that ever had the misfortune of breathin’ air, and he’s had to learn some hard lessons fer bein’ headstrong and foolhardy. Like any good apothecary of old, Buckley knows full-well that prevention is better than cure. In order to protect the inhabitants of New Buckland and The Bearmint Minin’ Company, Buckley has taken numerous cautionary measures to deter would-be troublemakers and charlatans from ever gettin’ their foot in the door, so to speak.
We don’t invite trouble in, and we don’t go lookin’ fer it. Where we can avoid unnecessary conflict (and we consider all of its unnecessary), we do everythin’ in our power to do so. Buckley and the Bearmint Gang have more than a few tricks up our sleeves, and in fact, some are pretty simple. And of course, we’re happy to share them with you so you can help keep your own operation safe and out of harm’s way!
Sneakin’ Up On Ya!
The modern JavaScript Ecosystem is vast with the majority of projects pulling their dependencies from centralized sources such as NPM (which is the defacto source of modules that package managers like npm, yarn and pnpm use to download dependencies).
The main issue with a centralized source like NPM is that it’s very easy for anyone to push their code, which, needless to say, isn’t always published in good faith - there’s malware, authors targeting corporations and people trying to make political statements, and the list goes on. Now, obviously, all of these have the potential to cause serious harm to your application and infrastructure.
The temptation to pull in a dependency for every minor bit of functionality is immense for the very simple reason that taking 2 minutes to install and set up a package is far more appealing than spending 20 minutes coming up with and implementing your own solution.
The downside of this is that you’re basically pulling in hundreds of dependencies that in and of themselves pull in dozens (or even hundreds) of dependencies, and so on. The end result is that you could pull in thousands of dependencies for the sake of some very rudimentary functionality.
We here at Bearmint consider circumventing infrastructure attacks like rogue NPM modules extremely important - this is why it's crucial to minimize the number of third-party dependencies and native bindings. For example, if your app uses 100 dependencies, any one of those dependencies could get hacked, and you'll be downloading malware every time you invoke npm install.
Our goal is therefore to minimize or even negate this attack vector by using as few dependencies as possible - this necessitates handpicking each and every dependency we use to ensure it meets our standards and possesses the lowest dependency footprint possible.
Hashes
Hashing is the most common cryptographic operation in Bearmint, and we make use of paulmillr/noble-hashes for this. It is an audited, zero dependencies, minimal JS implementation of SHA2, SHA3, RIPEMD, BLAKE2/3, HMAC, HKDF, PBKDF2 and Scrypt.
Encoding
Encoding values is the second most common cryptographic operation in Bearmint, and we make use of paulmillr/scure-base for this. It is an audited, zero dependencies, minimal JS implementation of bech32, base64, base58, base32 and base16.
BIP39
A mnemonic is a user-friendly value that can be used in place of a private key, and Bearmint makes use of paulmillr/scure-bip39 for this. It is an audited, zero dependencies, minimal JS implementation of BIP39 mnemonic phrases.
BLS12-381
BLS12-381 is a digital signature scheme that uses public-key cryptography, and Bearmint offers an implementation that uses paulmillr/noble-bls12-381 for this. It is an audited, zero dependencies, minimal JS implementation of BLS12-381.
ed25519
ed25519 is a digital signature scheme that uses public-key cryptography, and Bearmint offers an implementation that uses paulmillr/noble-ed25519 for this. It is an audited, zero dependencies, minimal JS implementation of ed25519.
secp256k1
secp256k1 is a digital signature scheme that uses public-key cryptography, and Bearmint offers an implementation that uses paulmillr/noble-secp256k1 for this. It is an audited, zero dependencies, minimal JS implementation of secp256k1.
And What About Performance, Amigo?
What you may have noticed is that all of these packages are pure JavaScript implementations without any native bindings in C or Rust (like, for example, bcoin-org/bcrypto), and you’re probably thinking that the performance will be problematic - well, kind of…
In reality, the @noble/* and @scure/* packages are still capable of performing thousands of operations per second, which means you’re more likely to run into a bottleneck elsewhere in your application. If you do happen to run into any performance-related issues, you can apply techniques like memoization with timeouts to address them.
This (for the foreseeable future, theoretical) sacrifice in performance comes with the major benefit of giving us peace of mind when it comes to the dependencies of our most critical functionalities - very simply, we don’t have to worry that they’re going to pull in dozens or even hundreds of dependencies.
If we discover that something is broken, we can be entirely confident that the problem exists in the code, so we won’t have to resort to a solution where we need to pull in old versions or are at the mercy of an inactive maintainer that takes weeks (or possibly months) to release a fix and updated version.
If you’re hitting the limits of what Bearmint offers out of the box, you can easily implement your own versions that employ more performant dependencies. This is the inherent beauty of everything in Bearmint being modular - you’re free to make use of what we offer or implement your own solutions if you prefer!