Quantum Safety Check for Popular GitHub Repos

Quantum Safety Analysis of Major GitHub Repositories

Analysis Date: October 13, 2025 Analyst: Claude (Anthropic AI)

Executive Summary

Based on current post-quantum cryptography (PQC) standards from NIST (FIPS 203, 204, 205) released in August 2024 and HQC selected in March 2025, this analysis evaluates the quantum safety posture of eight major open-source repositories.

Current PQC Standards:

  • ML-KEM (CRYSTALS-Kyber) - Key encapsulation for general encryption
  • ML-DSA (CRYSTALS-Dilithium) - Digital signatures
  • SLH-DSA (SPHINCS+) - Hash-based signatures
  • HQC - Backup encryption algorithm (standard expected 2027)

Quantum Threat Timeline:

  • 2030-2035: Expected arrival of cryptographically relevant quantum computers (CRQCs)
  • Current Risk: "Harvest now, decrypt later" attacks already occurring
  • Government Mandates: U.S. requires transition by 2035; UK by 2035

Repository Analysis

1. freeCodeCamp/freeCodeCamp

Primary Function: Educational platform for learning web development

Quantum Safety Assessment: ⚠️ MODERATE RISK - Indirect Dependency

Analysis:

  • Direct Cryptography: Minimal. Primarily educational content delivery
  • Infrastructure Dependencies: Relies on Node.js, MongoDB, Express
  • Transport Security: Depends on HTTPS/TLS provided by hosting infrastructure
  • Authentication: Uses Passport.js and OAuth2 (quantum-vulnerable)

Vulnerabilities:

  • OAuth2 and JWT authentication use RSA/ECDSA signatures (quantum-vulnerable)
  • Session management may use traditional cryptography
  • Third-party authentication providers (GitHub, Google) not yet quantum-safe

Recommendation:

  • Monitor dependencies for PQC updates
  • Plan hybrid authentication approach
  • Ensure hosting provider (likely Cloudflare) implements ML-KEM
  • Timeline: Begin assessment 2026-2027

2. EbookFoundation/free-programming-books

Primary Function: Curated list of free programming resources

Quantum Safety Assessment:MINIMAL RISK

Analysis:

  • Direct Cryptography: None - static content repository
  • Infrastructure: GitHub Pages or similar static hosting
  • Transport Security: HTTPS/TLS from hosting provider

Vulnerabilities:

  • Relies entirely on GitHub's infrastructure security
  • No direct cryptographic implementations

Recommendation:

  • No action required for repository itself
  • Depends on GitHub transitioning to PQC (which they are)
  • Timeline: No immediate action needed

3. public-apis/public-apis

Primary Function: Directory of public APIs

Quantum Safety Assessment: ⚠️ MODERATE RISK - Indirect

Analysis:

  • Direct Cryptography: None in repository itself
  • Listed APIs: Many listed APIs use traditional cryptography
  • Documentation Impact: Should document API quantum safety status

Vulnerabilities:

  • Documented APIs may use quantum-vulnerable authentication
  • OAuth, API keys, JWT tokens commonly used (RSA/ECDSA based)

Recommendation:

  • Add quantum safety indicators to API listings
  • Educate users about PQC requirements
  • Create filtering for quantum-safe APIs
  • Timeline: Begin documentation updates 2025-2026

4. facebook/react

Primary Function: JavaScript library for building user interfaces

Quantum Safety Assessment: ⚠️ SIGNIFICANT DEPENDENCY CONCERNS

Analysis:

  • Direct Cryptography: React itself doesn't implement cryptography
  • Ecosystem Impact: Massive - billions of users via Meta applications
  • Meta's Status: Actively implementing PQC (ML-KEM/Kyber in TLS via Fizz library)
  • Community Libraries: Many React crypto libraries use quantum-vulnerable algorithms

Vulnerabilities:

  • React Native and React web apps often implement authentication/encryption
  • Common libraries: crypto-js, node-forge, jsencrypt (all quantum-vulnerable)
  • Web Crypto API uses RSA, ECDH, ECDSA (quantum-vulnerable)

Meta's PQC Readiness:

  • Fizz (TLS library) supports ML-KEM (Kyber) hybrid mode
  • Using liboqs for PQC implementation
  • Active contribution to NIST standardization
  • Internal infrastructure migrating to PQC

Recommendation:

  • React community needs PQC-ready cryptography guidance
  • Develop React hooks/libraries for liboqs-js
  • Update documentation with PQC best practices
  • Meta should provide reference implementations
  • Timeline: Critical - begin immediately (2025-2026)

5. tensorflow/tensorflow

Primary Function: Machine learning framework

Quantum Safety Assessment: ⚠️ HIGH RISK - Critical Infrastructure

Analysis:

  • Direct Cryptography: Encryption of models, federated learning, secure communication
  • TensorFlow Quantum: Ironically includes quantum computing capabilities
  • Model Security: Encrypted model weights use traditional cryptography
  • Deployment: Cloud services (GCP, AWS, Azure) control transport security

Vulnerabilities:

  • Model encryption uses AES (quantum-resistant but needs larger keys)
  • Model signing uses RSA/ECDSA (quantum-vulnerable)
  • Federated learning protocols use traditional key exchange
  • gRPC/TLS connections use quantum-vulnerable algorithms
  • TensorFlow Serving authentication uses traditional PKI

Quantum-Related Components:

  • TensorFlow Quantum (TFQ) exists but for quantum ML, not security
  • Does not address PQC implementation

Recommendation:

  • CRITICAL: Implement ML-DSA for model signing
  • Use ML-KEM for model encryption key exchange
  • Update TensorFlow Privacy with PQC
  • Provide PQC examples in documentation
  • Work with cloud providers on PQC deployment
  • Timeline: High priority - 2025-2027

Model Poisoning Risk:

  • Adversarial attacks combined with future quantum decryption of training data
  • Need quantum-safe federated learning protocols

6. twbs/bootstrap

Primary Function: CSS framework for responsive web design

Quantum Safety Assessment:MINIMAL RISK

Analysis:

  • Direct Cryptography: None - pure CSS/JavaScript framework
  • Infrastructure: Standard web hosting
  • Supply Chain: npm/CDN delivery

Vulnerabilities:

  • CDN delivery signatures use traditional algorithms
  • npm package signing quantum-vulnerable
  • No direct cryptographic code

Recommendation:

  • Monitor npm/CDN providers for PQC adoption
  • Ensure code signing transitions to ML-DSA
  • Timeline: Low priority - follow ecosystem (2027-2030)

7. donnemartin/system-design-primer

Primary Function: Educational resource for system design interviews

Quantum Safety Assessment: ⚠️ EDUCATIONAL GAP

Analysis:

  • Direct Cryptography: None - educational documentation
  • Content Impact: Should include PQC in system design considerations
  • Influence: High - widely used for interview preparation

Vulnerabilities:

  • Current content doesn't address quantum threats
  • Security sections discuss traditional cryptography
  • No mention of PQC migration strategies

Recommendation:

  • ADD CONTENT: Post-quantum cryptography section
  • Update security best practices
  • Include PQC in distributed systems design
  • Add quantum threat timeline to scalability discussions
  • Timeline: Medium priority - 2025-2026

Suggested Topics to Add:

  • Quantum threat modeling in system design
  • PQC algorithm selection criteria
  • Hybrid cryptographic approaches
  • Migration strategies for existing systems
  • Performance implications of PQC

8. jwasham/coding-interview-university

Primary Function: Study guide for coding interviews

Quantum Safety Assessment: ⚠️ EDUCATIONAL GAP

Analysis:

  • Direct Cryptography: None - educational resource
  • Content Coverage: Includes cryptography basics but no PQC
  • Audience Impact: Developers preparing for tech interviews

Vulnerabilities:

  • Cryptography section outdated regarding quantum threats
  • No coverage of lattice-based cryptography
  • Missing modern security considerations

Recommendation:

  • Add post-quantum cryptography to curriculum
  • Update cryptography fundamentals
  • Include lattice-based cryptography basics
  • Reference NIST standards
  • Timeline: Medium priority - 2025-2026

Suggested Additions:

  • Overview of quantum computing threats
  • Introduction to lattice problems
  • PQC algorithm families (lattice, hash, code-based)
  • Real-world PQC implementation examples

Cross-Repository Concerns

1. Dependency Chain Vulnerabilities

All repositories depend on:

  • TLS/HTTPS: Hosting providers must implement ML-KEM
  • Package Managers: npm, pip, cargo need ML-DSA for signing
  • Git/GitHub: Commit signing uses GPG (RSA/ECDSA) - quantum-vulnerable
  • CI/CD: GitHub Actions, containers use traditional PKI

2. Authentication & Authorization

Common quantum-vulnerable patterns:

  • OAuth 2.0 with RSA/ECDSA tokens
  • JWT with RSA signatures
  • API keys with HMAC-SHA256 (quantum-resistant but needs larger keys)
  • SSH keys (RSA/ECDSA) for git operations

3. Code Signing & Integrity

  • npm packages signed with traditional algorithms
  • Docker images use traditional signatures
  • Release artifacts need PQC signatures

General Recommendations

Immediate Actions (2025-2026)

  1. Inventory cryptographic usage in all dependencies
  2. Monitor NIST standards and adopt ML-KEM, ML-DSA, SLH-DSA
  3. Educate developers about quantum threats
  4. Update documentation with PQC considerations
  5. Test hybrid implementations (classical + PQC)

Medium-term (2026-2028)

  1. Migrate to PQC-ready libraries (liboqs, Bouncy Castle PQC)
  2. Implement hybrid cryptography for backward compatibility
  3. Update CI/CD to use ML-DSA for artifact signing
  4. Transition authentication to quantum-safe methods
  5. Train development teams on PQC implementation

Long-term (2028-2035)

  1. Full PQC adoption across all systems
  2. Deprecate classical algorithms per NIST guidelines
  3. Achieve cryptographic agility for future transitions
  4. Compliance with government mandates (U.S. 2035, UK 2035)

Risk Matrix

Repository Direct Crypto Risk Dependency Risk User Impact Priority Timeline
freeCodeCamp LOW MODERATE HIGH MEDIUM 2026-2027
free-programming-books NONE LOW LOW LOW 2028+
public-apis LOW MODERATE MODERATE MEDIUM 2025-2026
react LOW HIGH CRITICAL HIGH 2025-2026
tensorflow HIGH HIGH CRITICAL CRITICAL 2025-2027
bootstrap NONE LOW LOW LOW 2027-2030
system-design-primer NONE NONE MODERATE MEDIUM 2025-2026
coding-interview-university NONE NONE MODERATE MEDIUM 2025-2026

Technical Implementation Guidance

Recommended PQC Libraries

  • liboqs (Open Quantum Safe) - C library with Python/JavaScript bindings
  • Bouncy Castle - Java/C# cryptography with PQC support
  • PQClean - Clean, portable PQC implementations
  • liboqs-python, liboqs-go, liboqs-java - Language-specific bindings

Migration Strategy

  1. Hybrid Mode First: Combine traditional + PQC (e.g., X25519 + ML-KEM)
  2. Test Thoroughly: PQC algorithms have different performance characteristics
  3. Monitor Standards: NIST continues evaluating algorithms
  4. Plan for Agility: Design systems to easily swap algorithms

Performance Considerations

  • ML-KEM: Larger public keys (800-1,568 bytes vs 32 bytes for X25519)
  • ML-DSA: Larger signatures (2,420-4,595 bytes vs 64 bytes for Ed25519)
  • SLH-DSA: Very large signatures (7,856-49,856 bytes) but stateless
  • Network Impact: 5-32% increase in handshake time depending on conditions

Conclusion

Overall Assessment: The examined repositories have varying levels of quantum vulnerability, primarily through their dependencies rather than direct cryptographic implementations. The most critical are TensorFlow (due to model security) and React (due to ecosystem reach).

Key Finding: None of the repositories currently implement post-quantum cryptography directly, but the infrastructure they depend on (hosting, package managers, authentication services) is gradually transitioning.

Critical Timeline: Organizations must begin PQC migration planning now (2025) to meet 2035 government deadlines and protect against "harvest now, decrypt later" attacks.

Positive Note: NIST standards are finalized, major cloud providers (AWS, GCP, Azure, Cloudflare) are implementing PQC, and the cryptographic community is actively transitioning. These repositories can follow industry best practices as they emerge.

Resources

Standards

  • NIST FIPS 203 (ML-KEM): https://csrc.nist.gov/pubs/fips/203/final
  • NIST FIPS 204 (ML-DSA): https://csrc.nist.gov/pubs/fips/204/final
  • NIST FIPS 205 (SLH-DSA): https://csrc.nist.gov/pubs/fips/205/final
  • NIST IR 8547 (Migration Timeline): https://csrc.nist.gov/publications/detail/nistir/8547/draft

Libraries & Tools

  • Open Quantum Safe (liboqs): https://openquantumsafe.org/
  • Bouncy Castle PQC: https://www.bouncycastle.org/
  • Meta Fizz (TLS with PQC): https://github.com/facebookincubator/fizz

Industry Leaders

  • Cloudflare: Already deploying ML-KEM in production
  • Google: PQC in Chrome and BoringSSL
  • AWS: ML-KEM support in KMS
  • Meta: Fizz library with Kyber support
  • IBM: Quantum-safe roadmap for Z systems

Report Prepared By: Claude (Anthropic AI)
Methodology: Analysis based on public documentation, NIST standards, industry announcements, and cryptographic best practices

Limitations: This analysis is based on publicly available information as of October 2025 and represents current understanding of quantum threats and PQC standards