Consider switching to a better-maintained library for Elliptic Curve Cryptography

[joseluisq]

Last year, you confirmed that node-jwk-to-pem is not working with elliptic signatures on #187 (comment).

However, since then, elliptic has received attention due to signature verification vulnerabilities and unfortunately, those issues still exist today. There is no progress in that regard (as of now) despite last year's efforts. See comments indutny/elliptic#321 (comment).
In addition to that, some of us are getting annoyed by tools such as snyk for packages that depend on node-jwk-to-pem (due to elliptic).

So I wonder if node-jwk-to-pem could evaluate switching to a better-maintained library for Elliptic Curve, like for example https://github.com/paulmillr/noble-curves.

I'm not a cryptographer, so I leave this here and wait for your thoughts are about.

[joseluisq]

Also, if possible make use of node:crypto if sufficient.

[EyalPazz]

This would be amazing!

[soatok]

I wrote a short-term fix here: https://github.com/soatok/elliptic-to-noble

However, you may wish to consider migrating to https://github.com/paulmillr/noble-curves in the long-term.

See indutny/elliptic#343 for more information.

[andyedwardsibm]

Note that indutny/elliptic#321 has recently been raised as https://nvd.nist.gov/vuln/detail/CVE-2025-14505

[dargmuesli]

I went ahead and created a PR that satisfies all existing tests. @omsmith please advise if the introduction of BigInt is fine and check if the change can be released as fix or as major change. Thx!

• fix: elliptic to noble #194