readme

Author: paulmillr

README.md

@@ -12,7 +12,7 @@ Audited & minimal JS implementation of [BIP39 mnemonic phrases](https://github.c
 Check out [scure-bip32](https://github.com/paulmillr/scure-bip32) if you need
 hierarchical deterministic wallets ("HD Wallets").
 
-### This library belongs to *scure*
+### This library belongs to _scure_
 
 > **scure** — audited micro-libraries.
 
@@ -32,7 +32,7 @@ hierarchical deterministic wallets ("HD Wallets").
 
 > `deno add jsr:@scure/bip39`
 
-> `deno doc jsr:@scure/bip39`  # command-line documentation
+> `deno doc jsr:@scure/bip39` # command-line documentation
 
 We don't provide source maps.
 Wordlists are large, including source maps would double package size.
@@ -46,7 +46,7 @@ const mn = bip39.generateMnemonic(wordlist);
 console.log(mn);
 
 // Reversible: Converts mnemonic string to raw entropy in form of byte array.
-const ent = bip39.mnemonicToEntropy(mn, wordlist)
+const ent = bip39.mnemonicToEntropy(mn, wordlist);
 
 // Reversible: Converts raw entropy in form of byte array to mnemonic string.
 bip39.entropyToMnemonic(ent, wordlist);
@@ -101,6 +101,29 @@ At commit [ae00e6d7](https://github.com/ethereum/js-ethereum-cryptography/commit
 it was extracted to a separate package called `micro-bip39`.
 After the audit we've decided to use `@scure` NPM namespace for security.
 
+### Supply chain security
+
+- **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
+- **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
+- **Rare releasing** is followed to ensure less re-audit need for end-users
+- **Dependencies** are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
+  - We make sure to use as few dependencies as possible
+  - Automatic dep updates are prevented by locking-down version ranges; diffs are checked with `npm-diff`
+- **Dev Dependencies** are disabled for end-users; they are only used to develop / build the source code
+
+For this package, there are 2 dependencies; and a few dev dependencies:
+
+- [noble-hashes](https://github.com/paulmillr/noble-hashes) provides cryptographic hashing functionality
+- [scure-base](https://github.com/paulmillr/scure-base) provides low-level wordlist utilities
+- micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
+- prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size
+
+## Contributing & testing
+
+- `npm install && npm run build && npm test` will build the code and run tests.
+- `npm run lint` / `npm run format` will run linter / fix linter issues.
+- `npm run build:release` will build single file
+
 ## License
 
 [MIT License](./LICENSE)