Is this project still maintained?

## Is this project still maintained?

This is not meant as a complaint but as a genuine request for clarity. The `elliptic` package has ~15 million weekly downloads, 3,000+ dependents on npm, and is a critical part of the JavaScript cryptography ecosystem (via `crypto-browserify`, `browserify-sign`, `create-ecdh`, etc.). Many organizations depend on it transitively without even knowing it.

There are currently signs that suggest the project may no longer be actively maintained:

### Unresolved security vulnerabilities

- **CVE-2025-14505** ([GHSA-848j-6mx2-7j84](https://github.com/advisories/GHSA-848j-6mx2-7j84)) — incorrect ECDSA signature generation when the nonce `k` has leading zeros, with potential for private key recovery. Reported in the original [#321](https://github.com/indutny/elliptic/issues/321) by Daniel Bleichenbacher in **October 2024** — over 8 months ago.
- **GHSA-vjh7-7g9h-fjfh** — private key extraction upon signing malformed input.
- Additional side-channel issues identified by [Soatok](https://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/) in `fixedNafMul` (November 2025).

### A ready fix with no response

[PR #345](https://github.com/indutny/elliptic/pull/345) has been open since **January 16, 2026** with a 1-line fix for CVE-2025-14505. It has:
- 4 approvals from external reviewers
- 10 participants in the discussion
- Multiple requests for review directed at @indutny (March, April 2026)
- Zero response from the maintainer

There's also [a suggested improvement](https://github.com/drzippie/elliptic/pull/1/files) by @CezaryDanielNowak addressing potential edge cases in the fix.

### General inactivity

- Last npm release: `6.6.1`, **over 2 years ago**
- 122 open issues, 31 open PRs
- No response to any security-related issue or PR in 2025 or 2026
- The Trail of Bits team published [Wycheproof-based findings](https://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/) in November 2025 — no acknowledgment

### Impact on the ecosystem

Because there's no patched version, downstream consumers have limited options:
- `@soatok/elliptic-to-noble` exists as a shim to `noble-curves`, but has [known compatibility issues](https://github.com/soatok/elliptic-to-noble/issues/5) and is not production-ready
- No maintained fork with the CVE fix has been published on npm
- Projects like Hyperledger Fabric, webpack ecosystem, georaster, and many others are blocked on security compliance

---

### What would help

If @indutny is still active on this project, even a brief response would be enough — we just need to know what direction to take. Specifically:

1. **Can PR #345 be reviewed and merged?** The fix is minimal and has been validated by multiple reviewers.
2. **If you don't have bandwidth**, would you consider adding a co-maintainer with npm publish rights?
3. **If the project is no longer maintained**, would you consider:
   - Adding a deprecation notice to the README pointing users to [`noble-curves`](https://github.com/paulmillr/noble-curves) as the recommended alternative
   - Archiving the repository
   - Transferring npm publish rights to a trusted party (e.g., via [npm's package transfer process](https://docs.npmjs.com/policies/disputes))

We ask this with respect for the massive contribution `elliptic` has made to the ecosystem. No one is owed free maintenance — but the community needs clarity so it can plan accordingly.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is this project still maintained? #347