docs: enhance security documentation and optimize package

NeaByteLab · NeaByteLab · commit 4c8e013716a9 · 2025-09-06T14:53:21.000+07:00
- Remove CHANGELOG.md from npm bundle for leaner package
- Enhance SECURITY.md with comprehensive security features
- Add proper markdown separators for better readability
- Expand npm keywords for better discoverability
- Remove version info from SECURITY.md to reduce maintenance
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.4.4] - 2025-09-06
+
+### Changed
+- **Package optimization**: Removed CHANGELOG.md from npm bundle for leaner package size
+- **Documentation**: Enhanced SECURITY.md with comprehensive security features documentation
+- **Keywords**: Expanded npm keywords for better discoverability and searchability
+
+### Documentation
+- **SECURITY.md**: Added detailed security validations and tamper protection features
+- **SECURITY.md**: Added proper markdown separators for better readability
+- **SECURITY.md**: Removed version info to reduce maintenance overhead
+- **package.json**: Added 15+ relevant keywords for better npm search visibility
+
+---
+
 ## [1.4.3] - 2025-09-06
 
 ### Fixed
diff --git a/SECURITY.md b/SECURITY.md
@@ -19,16 +19,26 @@ We release patches for security vulnerabilities in the following versions:
 
 ### Security Validations
 - **Secret Key Length**: 8-255 characters minimum
+- **Secret Key Characters**: Only printable ASCII characters (32-126) allowed
 - **Expiration Limits**: Maximum 1 year token lifetime
 - **Cache Limits**: Maximum 10,000 tokens to prevent memory exhaustion
 - **Payload Size**: Maximum 8KB to prevent DoS attacks
 - **Version Validation**: Prevents downgrade attacks
+- **Key Derivation**: PBKDF2 with 50K iterations for secure key generation
+- **Token Format**: Strict base64 validation with length and padding checks
+- **IV Format**: Hexadecimal validation for initialization vectors
+- **Auth Tag Format**: 32-character hex validation for authentication tags
 
 ### Tamper Protection
 - **Authentication Tags**: Cryptographic verification of data integrity
 - **Version-based AAD**: Additional authenticated data prevents version manipulation
 - **Timestamp Validation**: Encrypted timestamps prevent expiration manipulation
 - **Algorithm Detection**: Automatic algorithm detection prevents cross-algorithm attacks
+- **Token Structure Validation**: Comprehensive validation of all token components
+- **Timestamp Consistency**: Payload and token timestamps must match exactly
+- **Data Type Validation**: Strict validation of all input data types
+
+---
 
 ## Reporting a Vulnerability
 
@@ -57,6 +67,8 @@ Include the following information:
 - We will credit you in our security advisories (unless you prefer to remain anonymous)
 - We will coordinate the public disclosure timeline with you
 
+---
+
 ## Security Best Practices
 
 ### For Developers
@@ -73,6 +85,8 @@ Include the following information:
 - **Monitoring**: Monitor for unusual token patterns
 - **Updates**: Keep the library updated to the latest version
 
+---
+
 ## Security Audit
 
 This library has been tested against common attack vectors:
@@ -85,21 +99,20 @@ This library has been tested against common attack vectors:
 - ✅ **Secret Key Attacks**: Strong encryption prevents weak key exploitation
 - ✅ **Expiration Manipulation**: Encrypted timestamps prevent manipulation
 
+---
+
 ## Security Updates
 
 Security updates are released as:
 - **Patch versions** (1.3.1, 1.3.2, etc.) for critical security fixes
 - **Minor versions** (1.4.0, 1.5.0, etc.) for security improvements
 - **Major versions** (2.0.0, 3.0.0, etc.) for breaking security changes
 
+---
+
 ## Contact
 
 For security-related questions or concerns:
 - **Email**: me@neabyte.com
 - **Response Time**: Within 7 days
 - **Encryption**: PGP key available upon request
-
----
-
-**Last Updated**: September 6, 2025
-**Version**: 1.4.3
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@neabyte/secure-jwt",
   "description": "Secure JWT with AES-256-GCM & ChaCha20-Poly1305 encryption, built-in caching, tamper detection, and TypeScript support",
-  "version": "1.4.3",
+  "version": "1.4.4",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -15,24 +15,37 @@
   "files": [
     "dist/**/*",
     "README.md",
-    "LICENSE",
-    "CHANGELOG.md"
+    "LICENSE"
   ],
   "keywords": [
     "jwt",
+    "json-web-token",
     "secure",
     "encryption",
     "aes-256-gcm",
+    "chacha20-poly1305",
     "authentication",
+    "authorization",
     "token",
     "security",
+    "crypto",
+    "cryptography",
     "caching",
     "performance",
     "lru-cache",
     "typescript",
     "esm",
     "commonjs",
-    "node"
+    "node",
+    "zero-dependencies",
+    "tamper-proof",
+    "authenticated-encryption",
+    "pbkdf2",
+    "key-derivation",
+    "jwt-library",
+    "secure-jwt",
+    "fast-jwt",
+    "high-performance"
   ],
   "engines": {
     "node": ">=v18.0.0"
