What is your policy with regards to browser versions? I notice you support Safari 13. The browser is used by 0.38%+0.77% of users globally, as per caniuse.

v13 was last updated with 13.1.2 on July 15, 2020 - around 3 years ago. Safari 13 has following vulnerabilities:

• Fixed in Safari 14: CVE-2020-9993, CVE-2020-9987 (address bar spoofing), CVE-2020-9948, CVE-2020-9947, CVE-2020-9950, CVE-2020-9951 (RCE), CVE-2020-9952 (XSS), CVE-2020-9983 (RCE)
• Fixed in Safari 14.0.1: CVE-2020-9945 (address bar spoofing), CVE-2020-27918 (RCE)
• Fixed in Safari 14.0.2: CVE-2020-15969 (RCE)
• Fixed in Safari 14.0.3: CVE-2021-1788 (RCE), CVE-2021-1789 (RCE), CVE-2021-1799 (access restricted ports), CVE-2021-1844 (RCE)
• Fixed in Safari 14.1: CVE-2021-1825 (XSS), CVE-2021-30661 (RCE), CVE-2020-7463 (corrupt kernel memory), actively exploited CVE-2021-30665 (RCE), CVE-2021-30663 (RCE)
• Fixed in Safari 14.1.1: CVE-2021-30749 / CVE-2021-30734 (RCE), CVE-2021-30744 (XSS), CVE-2021-30720 (port access), CVE-2021-30682 (sensitive information leak), CVE-2021-21779 (RCE), CVE-2021-30689 (XSS), CVE-2021-30663 (RCE), CVE-2021-23841 / CVE-2021-30698 (DoS)
• Fixed in Safari 14.1.2: CVE-2021-30758 (RCE), CVE-2021-30795 (RCE), CVE-2021-30797 (RCE)
• Fixed in Safari 15: CVE-2021-30836 (revealing RAM content), CVE-2021-30861 (bypass Gatekeeper), CVE-2021-30818 (RCE), CVE-2021-30823 (bypass HSTS), CVE-2021-30809 (RCE), CVE-2021-30846 (RCE), CVE-2021-30848 (RCE), CVE-2021-30849 (RCE), CVE-2021-30851 (RCE), CVE-2021-30930 (IP leak)
• Fixed in Safari 15.1: CVE-2021-31008 (RCE), CVE-2021-30887 (bypass CSP), CVE-2021-30888 (leak via redirect), CVE-2021-30889 (RCE), CVE-2021-30890 (XSS)
• Fixed in Safari 15.2: CVE-2021-30934 (RCE), CVE-2021-30936 / CVE-2021-30951 (RCE), CVE-2021-30952 (RCE), CVE-2021-30984 (RCE), CVE-2021-30953 (RCE), CVE-2021-30954 (RCE)
• Fixed in Safari 15.3: CVE-2022-22590 (RCE), CVE-2022-22592 (CSP bypass), CVE-2022-22589 (RCE), CVE-2022-22594 (leaking info), actively exploited CVE-2022-22620 (RCE)
• Fixed in Safari 15.4: CVE-2022-22654 (address bar spoofing), CVE-2022-22610 (RCE), CVE-2022-22624 / CVE-2022-22628 (RCE), CVE-2022-22629 (RCE), CVE-2022-22637 (XSS)
• Fixed in Safari 15.5: CVE-2022-26700 (RCE), CVE-2022-26709 / CVE-2022-26717 (RCE), CVE-2022-26716 / CVE-2022-26719 (RCE)
• Fixed in Safari 15.6: CVE-2022-32784 (data leak), CVE-2022-32885 (RCE), CVE-2022-32861 (IP leak), CVE-2022-32863 (RCE), CVE-2022-32792 (RCE), CVE-2022-2294 (RCE)
• Fixed in Safari 15.6.1: actively exploited CVE-2022-32893 (RCE)
• A bunch of Safari 16 RCEs, including actively exploited CVE-2022-42856, CVE-2023-28205

Also, the bn.js shim has likely not been audited and fuzzed properly.

Hey @paulmillr , we've confirmed with internal stats that around 1% of our end users are on Safari 13 (desktop or mobile), and that's too large a chunk for us to drop support, considering that BigInt cannot be polyfilled. Hopefully the usage goes down enough in the next year and we can require BigInt in OpenPGP.js v7.

As for bn.js, it's a library that OpenPGP.js has used for a while, both directly and as part of elliptic.js, and while this is certainly no guarantee of security, we are positive about its stability. Unlike previous versions of OpenPGP.js, once we switch to noble-curves, bn.js will only be used as fallback for legacy browsers and the Brainpool curves. Plus, thanks to the design of the BigInteger interface, if we find a better fallback library it'll be easy to switch out bn.js for that.

Understood. Thanks for clarification.