The memzero() function provides best-effort memory clearing in JavaScript/TypeScript, but cannot guarantee that sensitive data is fully erased from memory.
Why this limitation exists:
JavaScript/TypeScript lacks volatile memory writes (unlike the Rust reference implementation which uses std::ptr::write_volatile())
JavaScript engines and JIT compilers may optimize away zeroing operations
The garbage collector may have made copies of sensitive data
Swapped pages or memory dumps may contain copies
What memzero() does:
✅ Overwrites memory with zeros to reduce exposure time
✅ Makes a verification check to prevent some optimizations
❌ Cannot guarantee complete erasure from physical memory
Best practices for sensitive operations:
Use Web Crypto API when possible: For truly sensitive cryptographic operations, use crypto.subtle with non-extractable keys
Minimize exposure time: Call memzero() immediately after sensitive operations
Understand the limitations: This is defense-in-depth, not a security guarantee
Consider your threat model: Evaluate if JavaScript is appropriate for your security requirements
Example:
import { memzero } from'@bcts/crypto';
constsensitiveKey = newUint8Array(32); // ... use the key ...
// Clear from memory (best effort) memzero(sensitiveKey);