feat(security): Phase 3 audit — TS-boundary validation + WebCrypto hardening (#985)

Author: boorad

.github/workflows/deploy-docs.yml

@@ -17,12 +17,17 @@ concurrency:
   group: 'pages'
   cancel-in-progress: true
 
+env:
+  # Opt actions still on Node 20 into the runner's Node 24 instead.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Bun
         uses: ./.github/actions/setup-bun

.github/workflows/e2e-android-test.yml

@@ -25,6 +25,10 @@ on:
 
 env:
   EMULATOR_API_LEVEL: 34
+  # Opt actions still on Node 20 (setup-java, upload/download-artifact, setup-android, etc.)
+  # into the runner's Node 24 instead. Silences deprecation warnings until each action ships a v5.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
 
 jobs:
   # ============================================================================
@@ -51,7 +55,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: '24'
 
       - name: Install Bun
         uses: ./.github/actions/setup-bun
@@ -87,7 +91,7 @@ jobs:
             packages/react-native-quick-crypto/android/build
             node_modules/.bun/react-native-nitro-modules*/node_modules/react-native-nitro-modules/android/.cxx
             node_modules/.bun/react-native-nitro-modules*/node_modules/react-native-nitro-modules/android/build
-          key: ${{ runner.os }}-gradle-${{ github.run_id }}
+          key: ${{ runner.os }}-gradle-${{ hashFiles('example/android/**/*.gradle*', 'example/android/gradle.properties', 'example/android/gradle/wrapper/gradle-wrapper.properties', 'packages/react-native-quick-crypto/android/build.gradle', 'packages/react-native-quick-crypto/android/gradle.properties', 'bun.lock') }}
           restore-keys: |
             ${{ runner.os }}-gradle-
 
@@ -141,7 +145,7 @@ jobs:
             packages/react-native-quick-crypto/android/build
             node_modules/.bun/react-native-nitro-modules*/node_modules/react-native-nitro-modules/android/.cxx
             node_modules/.bun/react-native-nitro-modules*/node_modules/react-native-nitro-modules/android/build
-          key: ${{ runner.os }}-gradle-${{ github.run_id }}
+          key: ${{ runner.os }}-gradle-${{ hashFiles('example/android/**/*.gradle*', 'example/android/gradle.properties', 'example/android/gradle/wrapper/gradle-wrapper.properties', 'packages/react-native-quick-crypto/android/build.gradle', 'packages/react-native-quick-crypto/android/gradle.properties', 'bun.lock') }}
 
   # ============================================================================
   # AVD Job - Create and cache emulator snapshot (runs in parallel with build)
@@ -167,9 +171,7 @@ jobs:
           path: |
             ~/.android/avd/*
             ~/.android/adb*
-          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-${{ github.run_id }}
-          restore-keys: |
-            avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-
+          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-x86_64-v1
 
       - name: Create AVD and Generate Snapshot for Caching
         if: steps.avd-cache.outputs.cache-hit != 'true'
@@ -190,7 +192,7 @@ jobs:
           path: |
             ~/.android/avd/*
             ~/.android/adb*
-          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-${{ github.run_id }}
+          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-x86_64-v1
 
   # ============================================================================
   # Test Job - Run E2E tests (needs both build and AVD)
@@ -209,7 +211,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: '24'
 
       - name: Install Bun
         uses: ./.github/actions/setup-bun
@@ -226,7 +228,7 @@ jobs:
         uses: actions/cache/restore@v5
         with:
           path: node_modules
-          key: ${{ runner.os }}-node-modules-${{ github.run_id }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('bun.lock') }}
           restore-keys: |
             ${{ runner.os }}-node-modules-
 
@@ -237,7 +239,7 @@ jobs:
         uses: actions/cache/save@v5
         with:
           path: node_modules
-          key: ${{ runner.os }}-node-modules-${{ github.run_id }}
+          key: ${{ runner.os }}-node-modules-${{ hashFiles('bun.lock') }}
 
       - name: Download APK
         uses: actions/download-artifact@v4
@@ -263,9 +265,7 @@ jobs:
           path: |
             ~/.android/avd/*
             ~/.android/adb*
-          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-${{ github.run_id }}
-          restore-keys: |
-            avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-
+          key: avd-pixel7pro-${{ env.EMULATOR_API_LEVEL }}-x86_64-v1
 
       - name: Run E2E Tests
         uses: reactivecircus/android-emulator-runner@v2

.github/workflows/e2e-ios-test.yml

@@ -23,6 +23,12 @@ on:
       - 'packages/react-native-quick-crypto/src/**'
       - 'packages/react-native-quick-crypto/ios/**'
 
+env:
+  # Opt actions still on Node 20 (upload-artifact, McCzarny/upload-image, peter-evans/*, etc.)
+  # into the runner's Node 24 instead. Silences deprecation warnings until each action ships a v5.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   e2e-tests-ios:
     runs-on: macOS-26
@@ -34,7 +40,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Select Xcode 26.2
         run: |

.github/workflows/release.yml

@@ -12,6 +12,11 @@ on:
         type: boolean
         default: false
 
+env:
+  # Opt actions still on Node 20 into the runner's Node 24 instead.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   release:
     runs-on: macos-latest
@@ -20,7 +25,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -29,7 +34,7 @@ jobs:
         uses: ./.github/actions/setup-bun
 
       - name: Setup Node.js (for npm publish with OIDC)
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '24'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/update-lockfiles.yml

@@ -15,13 +15,18 @@ on:
 permissions:
   contents: write
 
+env:
+  # Opt actions still on Node 20 into the runner's Node 24 instead.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   update-lockfiles:
     name: 'Update lockfiles (Podfile.lock)'
     if: github.actor == 'dependabot[bot]'
     runs-on: macOS-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}

.github/workflows/validate-cpp.yml

@@ -16,12 +16,18 @@ on:
       - 'packages/react-native-quick-crypto/cpp/**'
       - 'packages/react-native-quick-crypto/nitrogen/generated/shared/**'
 
+env:
+  # Opt actions still on Node 20 (e.g. reviewdog/action-cpplint) into the runner's Node 24.
+  # Silences deprecation warnings until each action ships a v5.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   validate_cpp:
     name: C++ Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up clang-format
         run: sudo apt-get install -y clang-format
       - name: Run clang-format check

.github/workflows/validate-js.yml

@@ -30,12 +30,18 @@ on:
       - 'example/*.*sx'
       - 'example/bun.lock'
 
+env:
+  # Opt actions still on Node 20 (e.g. reviewdog/action-setup) into the runner's Node 24.
+  # Silences deprecation warnings until each action ships a v5.
+  # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
 jobs:
   compile_js:
     name: Compile JS (tsc)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: ./.github/actions/setup-bun
 
@@ -63,7 +69,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Bun
         uses: ./.github/actions/setup-bun

example/src/tests/argon2/argon2_tests.ts

@@ -137,11 +137,13 @@ test(SUITE, 'argon2Sync: deterministic with same inputs', () => {
   );
 });
 
-// --- Numeric parameter validation (Phase 1.1: validateUInt) ---
+// --- Numeric parameter validation (Phase 1.1: validateUInt + Phase 3.2 RFC 9106) ---
 //
 // `static_cast<uint32_t>(NaN | +/-Infinity | -1)` is undefined behavior in
-// C++. The C++ layer used to do these casts naked; the validateUInt helper
-// now rejects them with a descriptive error before the cast.
+// C++. The C++ layer's validateUInt helper used to be the first line of
+// defense; Phase 3.2 added a TS-side RFC 9106 §3.1 check that fires
+// earlier and produces a clearer message. The regex below matches the
+// new RFC 9106 wording.
 
 const baseParams = {
   message: Buffer.from('password'),
@@ -173,20 +175,20 @@ test(SUITE, 'argon2Sync: rejects -Infinity passes', () => {
 test(SUITE, 'argon2Sync: rejects negative tagLength', () => {
   assert.throws(() => {
     argon2Sync('argon2id', { ...baseParams, tagLength: -1 });
-  }, /tagLength.*non-negative/i);
+  }, /Invalid Argon2 tagLength: -1/);
 });
 
 test(SUITE, 'argon2Sync: rejects fractional passes', () => {
   assert.throws(() => {
     argon2Sync('argon2id', { ...baseParams, passes: 3.5 });
-  }, /passes.*integer/i);
+  }, /Invalid Argon2 passes: 3\.5/);
 });
 
 test(SUITE, 'argon2Sync: rejects out-of-range memory', () => {
   // memory is uint32_t — anything beyond UINT32_MAX must be rejected.
   assert.throws(() => {
     argon2Sync('argon2id', { ...baseParams, memory: 2 ** 32 });
-  }, /memory.*out of range/i);
+  }, /Invalid Argon2 memory: 4294967296/);
 });
 
 test(SUITE, 'argon2: async path also rejects NaN parallelism', () => {
@@ -202,3 +204,49 @@ test(SUITE, 'argon2: async path also rejects NaN parallelism', () => {
     });
   });
 });
+
+// --- RFC 9106 §3.1 minimum-bound validation (Phase 3.2) ---
+
+test(SUITE, 'argon2Sync: rejects parallelism = 0 (RFC 9106 mins)', () => {
+  assert.throws(() => {
+    argon2Sync('argon2id', { ...baseParams, parallelism: 0 });
+  }, /parallelism: 0/);
+});
+
+test(SUITE, 'argon2Sync: rejects tagLength < 4 (RFC 9106 mins)', () => {
+  assert.throws(() => {
+    argon2Sync('argon2id', { ...baseParams, tagLength: 3 });
+  }, /tagLength: 3/);
+});
+
+test(SUITE, 'argon2Sync: rejects passes = 0 (RFC 9106 mins)', () => {
+  assert.throws(() => {
+    argon2Sync('argon2id', { ...baseParams, passes: 0 });
+  }, /passes: 0/);
+});
+
+test(SUITE, 'argon2Sync: rejects memory < 8 * parallelism (RFC 9106)', () => {
+  // p=4 ⇒ memory must be ≥ 32 KiB; 16 KiB must be rejected.
+  assert.throws(() => {
+    argon2Sync('argon2id', {
+      ...baseParams,
+      parallelism: 4,
+      memory: 16,
+    });
+  }, /memory: 16/);
+});
+
+test(SUITE, 'argon2Sync: rejects nonce shorter than 8 bytes (RFC 9106)', () => {
+  assert.throws(() => {
+    argon2Sync('argon2id', {
+      ...baseParams,
+      nonce: Buffer.from('1234567'), // 7 bytes
+    });
+  }, /nonce length: 7/);
+});
+
+test(SUITE, 'argon2Sync: rejects unsupported version', () => {
+  assert.throws(() => {
+    argon2Sync('argon2id', { ...baseParams, version: 0x42 });
+  }, /Invalid Argon2 version/);
+});