Third-party crypto libs pinned to audited versions
Why it matters
CWE-1357 (Reliance on Insufficiently Trustworthy Component) applies directly to floating version constraints on cryptographic libraries: a constraint such as crypto-js@^4.1.0 accepts any later 4.x release, so a routine npm install can silently pull in a version that contains vulnerabilities or breaking changes. PCI-DSS 4.0 Req-6.3 requires that security vulnerabilities in all system components be identified and protected — floating deps undermine this by allowing unvetted code into the cryptographic layer without a code review or security audit. SLSA L2 and SSDF PW.4 both require pinned, audited dependencies for supply chain integrity. A compromised crypto library release — even one that is live for only 24 hours before detection — can backdoor encryption for all data processed during that window.
Severity rationale
Info because floating crypto library versions introduce supply chain risk that only manifests during an actual compromised package release, but the control gap is a compliance finding under PCI-DSS Req-6.3.
Remediation
Pin all cryptographic library versions to exact semver in package.json and run npm audit as part of CI:
```json
{
  "dependencies": {
    "jose": "5.2.4",
    "bcrypt": "5.1.1",
    "argon2": "0.31.2"
  }
}
```
Add a CI step that fails on moderate or higher vulnerabilities:

```yaml
# .github/workflows/security.yml
- name: Audit crypto dependencies
  run: npm audit --audit-level=moderate --production
```
Document each pinned version in docs/crypto-lib-audit.md with the audit date and the reviewer — this is the audit trail PCI-DSS Req-6.3 requires:
| Library | Version | Audited | By | Notes |
|----------|---------|------------|-------------|---------------------------|
| jose | 5.2.4 | 2026-03-15 | J. Smith | No CVEs, maintained |
| argon2 | 0.31.2 | 2026-03-15 | J. Smith | Native binding, verified |
Detection
- ID: crypto-lib-pinned-versions
- Severity: info
- What to look for: Count all cryptographic library dependencies in package.json. For each, classify the version constraint as pinned (exact) or floating (^, ~, *). Quote the actual version strings found. Count all security audit records for crypto libraries.
- Pass criteria: At least 90% of crypto library dependencies use exact version pinning (no ^, ~, or * prefixes), AND at least 1 security audit record exists. Count all crypto deps — report the ratio even on pass (e.g., "3 of 3 crypto libs pinned: crypto-js@4.1.0, jose@4.13.1, bcrypt@5.1.0 — audit record dated 2025-11-01").
- Fail criteria: Any crypto library uses a floating version constraint, or 0 audit records exist for the pinned versions.
- Skip (N/A) when: Using only standard library crypto (node:crypto) with no external crypto dependencies — cite the actual crypto imports found.
- Detail on fail: "2 of 3 crypto libs floating: crypto-js@^4.1.0, jose@~4.13.0 — not pinned" or "3 libs pinned but 0 security audit records documented"
- Remediation:
  - Pin crypto library versions in package.json:

    ```json
    {
      "dependencies": {
        "crypto-js": "4.1.0",
        "tweetnacl": "1.0.3",
        "jose": "4.13.1"
      }
    }
    ```

  - Document audits:

    ```markdown
    # Cryptographic Library Audit Trail
    - crypto-js 4.1.0: Audited 2024-06-15, no critical issues
    - tweetnacl 1.0.3: Part of Node.js trusted libs, maintained by auth0
    - jose 4.13.1: Audited 2024-08-20, maintained by panva
    - Update schedule: Monthly review of security advisories
    ```

  - Or use npm audit to track vulnerabilities:

    ```shell
    npm audit                              # Check for known vulnerabilities
    npm audit fix --audit-level=moderate   # Auto-fix moderate+ issues
    ```
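The detection rules above can be run mechanically. The Node.js script below is an added example, not code from the original page or from any project it references: it inventories crypto dependencies from a package.json object, classifies each constraint as pinned or floating, parses audit records in either of the two formats shown on this page (the markdown table and the bullet list), and emits the same pass / fail / skip verdict and detail string the check describes. The crypto package list (CRYPTO_LIBS) and the sample package.json and audit-trail inputs are constructed assumptions; adjust the list to your own inventory.

```javascript
// Added example (not from the original page): reference implementation of the
// "crypto-lib-pinned-versions" detection logic. CRYPTO_LIBS and the sample
// inputs at the bottom are constructed assumptions, not real project data.

// Packages the check treats as cryptographic libraries (assumption: extend to match your inventory).
const CRYPTO_LIBS = new Set([
  'crypto-js', 'jose', 'bcrypt', 'bcryptjs', 'argon2', 'tweetnacl', 'node-forge', 'libsodium-wrappers',
]);

// An exact pin is MAJOR.MINOR.PATCH with an optional prerelease tag; anything else
// (^, ~, *, x-ranges, "latest", dist-tags, git URLs) can resolve to a different version later.
const EXACT_PIN = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function classifyConstraint(spec) {
  return EXACT_PIN.test(String(spec).trim()) ? 'pinned' : 'floating';
}

// Collect crypto libraries from the runtime dependency fields (devDependencies are
// excluded, matching the scope of `npm audit --production`).
function inventoryCryptoDeps(pkg) {
  const found = [];
  for (const field of ['dependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (CRYPTO_LIBS.has(name)) found.push({ name, spec, state: classifyConstraint(spec) });
    }
  }
  return found;
}

// Audit records in either format this page shows: a markdown table row
// "| jose | 5.2.4 | 2026-03-15 | ..." or a bullet "- jose 4.13.1: Audited 2024-08-20, ...".
const TABLE_ROW = /^\|\s*([\w@./-]+)\s*\|\s*(\d+\.\d+\.\d+)\s*\|\s*(\d{4}-\d{2}-\d{2})\s*\|/;
const BULLET = /^-\s+([\w@./-]+)\s+(\d+\.\d+\.\d+)\s*:.*?(\d{4}-\d{2}-\d{2})/;

function parseAuditRecords(text) {
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const m = TABLE_ROW.exec(line) || BULLET.exec(line);
    if (m) records.push({ name: m[1], version: m[2], date: m[3] });
  }
  return records;
}

// Apply the pass / fail / skip rules. The "any floating constraint fails" rule is
// stricter than the 90% pass threshold, so it is the one that decides the outcome.
function evaluate(pkg, auditText) {
  const deps = inventoryCryptoDeps(pkg);
  if (deps.length === 0) {
    return { status: 'skip', detail: 'no external crypto dependencies in package.json (node:crypto only)' };
  }
  const show = (arr) => arr.map((d) => `${d.name}@${d.spec}`).join(', ');
  const floating = deps.filter((d) => d.state === 'floating');
  const pinned = deps.filter((d) => d.state === 'pinned');
  const names = new Set(deps.map((d) => d.name));
  // Only audit records for libraries actually present in package.json count.
  const records = parseAuditRecords(auditText).filter((r) => names.has(r.name));

  if (floating.length > 0) {
    return { status: 'fail', detail: `${floating.length} of ${deps.length} crypto libs floating: ${show(floating)}; not pinned` };
  }
  if (records.length === 0) {
    return { status: 'fail', detail: `${pinned.length} libs pinned but 0 security audit records documented` };
  }
  const latest = records.map((r) => r.date).sort().pop(); // ISO dates sort lexically
  return {
    status: 'pass',
    detail: `${pinned.length} of ${deps.length} crypto libs pinned: ${show(pinned)}; ${records.length} audit record(s), latest dated ${latest}`,
  };
}

// Constructed sample inputs (not real project files).
const SAMPLE_PKG_PINNED = { dependencies: { jose: '5.2.4', bcrypt: '5.1.1', argon2: '0.31.2', express: '^4.19.2' } };
const SAMPLE_PKG_FLOATING = { dependencies: { 'crypto-js': '^4.1.0', jose: '~4.13.0', bcrypt: '5.1.0' } };
const SAMPLE_AUDIT_TRAIL = `
| Library | Version | Audited    | By       | Notes                    |
|---------|---------|------------|----------|--------------------------|
| jose    | 5.2.4   | 2026-03-15 | J. Smith | No CVEs, maintained      |
| argon2  | 0.31.2  | 2026-03-15 | J. Smith | Native binding, verified |
- bcrypt 5.1.1: Audited 2026-02-01, no critical issues
- Update schedule: Monthly review of security advisories
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate(SAMPLE_PKG_PINNED, SAMPLE_AUDIT_TRAIL));   // pass, 3 of 3 pinned
  console.log(evaluate(SAMPLE_PKG_FLOATING, SAMPLE_AUDIT_TRAIL)); // fail, 2 of 3 floating
  console.log(evaluate(SAMPLE_PKG_PINNED, ''));                   // fail, 0 audit records
}
```

To use it against a real repository, replace the sample constants with `JSON.parse(fs.readFileSync('package.json'))` and the contents of docs/crypto-lib-audit.md; the detail string is already in the shape the "Detail on fail" rule expects, so it can be written straight into the finding. Note that the regex treats only a bare MAJOR.MINOR.PATCH as pinned; dist-tags and git URLs are reported as floating, which is the conservative reading of the pass criteria.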
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- pci-dss:4.0 · Req-6.3 — Security vulnerabilities are identified and protected
- slsa:1.0 · L2 — SLSA Build L2 — Hosted build platform with provenance
- ssdf:800-218 · PW.4 — SSDF PW.4 — Reuse existing, well-secured software where feasible
Taxons
History
- 2026-04-18·v1.0.0·Initial import from finserv-encryption·automated