{"id":17262,"library":"http-request-signature","title":"HTTP Request Signature","description":"This library provides tools for parsing and generating HTTP signatures in compliance with the 'Signing HTTP Messages' Internet Draft (draft-cavage-http-signatures-07.txt). Currently at version 0.0.5, it appears to be an unmaintained project, with its last update occurring approximately seven years ago. A significant limitation is its exclusive support for the `ed25519` cryptographic algorithm, restricting its use cases to environments that specifically require or permit this algorithm. Due to its status as an early-stage, potentially abandoned library based on a draft specification, users should exercise caution regarding security, long-term stability, and compatibility with evolving standards. The project does not indicate a clear release cadence, reflecting its dormant state.","status":"abandoned","version":"0.0.5","language":"javascript","source_language":"en","source_url":null,"tags":["javascript"],"install":[{"cmd":"npm install http-request-signature","lang":"bash","label":"npm"},{"cmd":"yarn add http-request-signature","lang":"bash","label":"yarn"},{"cmd":"pnpm add http-request-signature","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This library primarily supports CommonJS modules as it targets Node.js versions predating widespread ESM adoption.","wrong":"import { sign } from 'http-request-signature';","symbol":"sign","correct":"const { sign } = require('http-request-signature');"},{"note":"This library primarily supports CommonJS modules; ESM usage is not officially supported or documented.","wrong":"import { verify } from 'http-request-signature';","symbol":"verify","correct":"const { verify } = require('http-request-signature');"}],"quickstart":{"code":"const { sign, verify } = require('http-request-signature');\n\n// Example: Signing an HTTP message\nconst secretKey = 
'96aa9ec42242a9a62196281045705196a64e12b15e9160bbb630e38385b82700e7876fd5cc3a228dad634816f4ec4b80a258b2a552467e5d26f30003211bc45d';\nconst publicKey = 'e7876fd5cc3a228dad634816f4ec4b80a258b2a552467e5d26f30003211bc45d'; // Public key of the same key pair: it equals the last 32 bytes (64 hex characters) of secretKey above\n\nconst requestToSign = {\n  headers: {\n    '(request-target)': 'post /foo',\n    date: '2017-09-01T15:04:17.555Z',\n    digest: 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE='\n  },\n  keyId: 'primary',\n  secretKey: secretKey\n};\n\nconst signature = sign(requestToSign, { algorithm: 'ed25519' });\nconsole.log('Generated Signature:', signature);\n\n// Example: Verifying an HTTP message\nconst signedRequestHeaders = {\n  '(request-target)': 'post /foo',\n  date: '2017-09-01T15:04:17.555Z',\n  digest: 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=',\n  signature: signature // Use the generated signature\n};\n\nconst verificationResult = verify({\n  headers: signedRequestHeaders,\n  publicKey: publicKey\n}, { algorithm: 'ed25519' });\n\nconsole.log('Verification Result:', verificationResult);","lang":"javascript","description":"Demonstrates how to generate an HTTP request signature using a secret key and then verify the integrity and authenticity of the signed request using the corresponding public key, adhering to the ed25519 algorithm."},"warnings":[{"fix":"Consider using actively maintained libraries that adhere to finalized or stable versions of cryptographic standards for HTTP message signing. Review the current state of the 'Signing HTTP Messages' specification.","message":"The library implements an 'Internet Draft' of the 'Signing HTTP Messages' specification. 
This draft is subject to change, meaning future revisions of the specification could introduce breaking changes that this unmaintained library will not address, leading to non-compliance.","severity":"breaking","affected_versions":">=0.0.1"},{"fix":"Ensure your application environment and cryptographic requirements are compatible with the `ed25519` algorithm before integrating this library. If other algorithms are needed, seek an alternative library.","message":"This package exclusively supports the `ed25519` cryptographic algorithm. Attempts to use other algorithms will result in an error, limiting its applicability to systems that can specifically accommodate `ed25519` for signing and verification.","severity":"gotcha","affected_versions":">=0.0.1"},{"fix":"It is strongly recommended to migrate to a well-maintained, actively developed library for HTTP message signing that adheres to current security best practices and specifications. If continued use is unavoidable, perform a thorough security audit and be prepared to fork and maintain the library yourself.","message":"The `http-request-signature` package is effectively abandoned, with its last update occurring approximately seven years ago and the latest version being 0.0.5. 
Using an unmaintained library introduces significant security risks, including unpatched vulnerabilities, lack of compatibility with newer Node.js versions, and potential supply chain attack vectors.","severity":"breaking","affected_versions":">=0.0.1"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Use the CommonJS `require` syntax: `const { sign } = require('http-request-signature');`","cause":"Attempting to use ES module `import` syntax in a CommonJS module or an environment not configured for ESM, while the library primarily exports CommonJS modules.","error":"TypeError: (0 , _httpRequestSignature.sign) is not a function"},{"fix":"Ensure that `algorithm: 'ed25519'` is explicitly passed in the options object when calling `sign` or `verify`, as this is the only supported algorithm.","cause":"The library was called with an `algorithm` parameter other than `ed25519` during `sign` or `verify` operations.","error":"Error: Unsupported algorithm: [algorithm_name]"},{"fix":"Verify that the `signature` header string is correctly formatted according to the HTTP Signatures specification, including `keyId`, `algorithm`, `headers`, and `signature` components, and that it was generated correctly.","cause":"The `signature` string provided to the `verify` function does not conform to the expected format of the HTTP Signatures specification (e.g., missing components, incorrect encoding).","error":"Error: Malformed signature string"}],"ecosystem":"npm","meta_description":null}