I scanned 8 popular npm projects for quantum-vulnerable cryptography. Here's what I found.

Source: DEV Community
This week Google published a paper that changed the post-quantum timeline. Breaking ECDSA-256 — the signature scheme protecting Bitcoin, Ethereum, and most of the web — now requires roughly 1,200 logical qubits and under 500,000 physical qubits. That's a 20x reduction from previous estimates.

I wanted to answer a simple question: how exposed are the projects we all depend on? So I built pqaudit, an open-source CLI that scans source code and npm dependencies for quantum-vulnerable cryptography — algorithms broken by Shor's algorithm (RSA, ECDSA, Ed25519, ECDH, Diffie-Hellman) and weakened by Grover's algorithm (AES-128) — and flags the NIST-approved replacement for each one. Then I pointed it at 8 popular projects.

The results

| Project | Files | Critical | High | PQC Ready |
|---|---|---|---|---|
| Express | 142 | 0 | 0 | Yes |
| Fastify | 295 | 1 | 0 | No |
| Next.js | 22,478 | 17 | 1 | No |
| Prisma | 3,291 | 0 | 0 | Yes |
| jsonwebtoken | 65 | 21 | 0 | No |
| Solana web3.js | 104 | 17 | 0 | No |
| Ethereum web3.js | 1,194 | 12 | 3 | No |
| Signal Desktop | 2,854 | 12 | 0 | No |

30,423 files scanned. 6 of 8 are
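To make the kind of scan described above concrete, here is an added example of a pattern-based check over Node.js source text; it is not pqaudit's code. The rule set, the severity mapping (Shor-broken as critical, Grover-weakened as high), the "PQC ready means zero findings" rule, and the sample files are all assumptions constructed for illustration.

```javascript
// Added example: a minimal pattern scanner, not pqaudit's implementation.
// Assumed mapping: Shor-broken = "critical", Grover-weakened = "high".
const RULES = [
  { algo: "RSA", severity: "critical", fix: "ML-KEM (FIPS 203) / ML-DSA (FIPS 204)",
    re: /generateKeyPair(?:Sync)?\(\s*["']rsa(?:-pss)?["']|["'](?:RS|PS)(?:256|384|512)["']/ },
  { algo: "ECDSA", severity: "critical", fix: "ML-DSA (FIPS 204) / SLH-DSA (FIPS 205)",
    re: /generateKeyPair(?:Sync)?\(\s*["']ec["']|["']ES(?:256K?|384|512)["']/ },
  { algo: "Ed25519", severity: "critical", fix: "ML-DSA (FIPS 204) / SLH-DSA (FIPS 205)",
    re: /generateKeyPair(?:Sync)?\(\s*["']ed25519["']|["']EdDSA["']/ },
  { algo: "ECDH", severity: "critical", fix: "ML-KEM (FIPS 203)",
    re: /createECDH\(|generateKeyPair(?:Sync)?\(\s*["']x25519["']/ },
  { algo: "Diffie-Hellman", severity: "critical", fix: "ML-KEM (FIPS 203)",
    re: /(?:create|get)DiffieHellman(?:Group)?\(/ },
  { algo: "AES-128", severity: "high", fix: "AES-256",
    re: /["']aes-128-[a-z0-9-]+["']/i },
];
// Scan one file's text line by line; comments are dropped with a simple heuristic.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    if (/^\s*(?:\/\*|\*)/.test(raw)) return;      // line inside a block comment
    const code = raw.replace(/\/\/.*$/, "");      // strip a trailing // comment
    for (const { algo, severity, fix, re } of RULES) {
      if (re.test(code)) findings.push({ file, line: i + 1, algo, severity, fix });
    }
  });
  return findings;
}

// Aggregate per-project totals in the same shape as the results table.
function summarize(files) {
  const findings = Object.entries(files).flatMap(([f, t]) => scanSource(f, t));
  const count = (s) => findings.filter((x) => x.severity === s).length;
  return { files: Object.keys(files).length, critical: count("critical"),
           high: count("high"), pqcReady: findings.length === 0, findings };
}

// Constructed sample project (not taken from any scanned repository).
const SAMPLE = {
  "auth.js": [
    '// legacy: generateKeyPairSync("rsa") was removed',
    'const keys = generateKeyPairSync("ec", { namedCurve: "P-256" });',
    'const token = jwt.sign(payload, key, { algorithm: "RS256" });',
    'const ecdh = createECDH("prime256v1");',
  ].join("\n"),
  "store.js": 'const c = crypto.createCipheriv("aes-128-gcm", key, iv);',
  "hash.js": 'const h = crypto.createHash("sha256").update(data).digest("hex");',
};
console.log(summarize(SAMPLE));
```

Literal-string matching like this misses algorithm names built at runtime or passed through configuration, so a clean result is a starting point for review rather than proof of readiness.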