Skip to content

chore(deps): bump @noble/curves from 1.9.7 to 2.2.0#1152

Merged
danditomaso merged 2 commits into
mainfrom
dependabot/npm_and_yarn/noble/curves-2.2.0
Jun 17, 2026
Merged

chore(deps): bump @noble/curves from 1.9.7 to 2.2.0#1152
danditomaso merged 2 commits into
mainfrom
dependabot/npm_and_yarn/noble/curves-2.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps @noble/curves from 1.9.7 to 2.2.0.

Release notes

Sourced from @​noble/curves's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • ed25519: make zip215 verification logic match spec more strictly (spec vectors were not enough)
    • ed448: turn off zip215 mode by default, use stricter one
    • schnorr: reduce rand by mod N instead of throwing
    • math: hardening of sqrt
    • babyjubjub: use correct curve and curve params
    • der: improve parsing
    • bls: improve point decoding
    • bls, bn: Fix Fp6 / Fp12 order
    • hash-to-curve: empty dst / count now throws
    • Apply Object.freeze to most primitives
    • Other minor hardening
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • Implement FROST threshold signatures from RFC 9591
  • Fix compilation issues on TypeScript v6
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-curves@2.0.1...2.2.0

2.0.1

  • Disable extension-less imports. If you've used /ed25519, switch to /ed25519.js now. See 2.0.0 for more details.
  • package.json: specify exported submodules to ensure typescript autocompletion
  • package.json: bump hashes to 2.0.1 with scrypt & pkg.json changes
  • ed25519: export map_to_curve_elligator2_curve25519 paulmillr/noble-curves#211
  • bls: try-catch pairingBatch in bls12_381.verify() by @​MegaManSec in paulmillr/noble-curves#212
  • fft: expose extra info in rootsOfUnity

New Contributors

GitHub Immutable Releases

This GH release does not include standalone noble-curves.js: use 2.0.0 for now, until we upgrade to newly added Immutable Releases

Full Changelog: paulmillr/noble-curves@2.0.0...2.0.1

2.0.0

High-level

v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future. To simplify upgrading, upgrade first to curves 1.9.x. It would show deprecations in vscode-like text editor.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/curves since your current version.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 16, 2026
@vercel

vercel Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
web-test Ready Ready Preview, Comment Jun 17, 2026 1:21am

Request Review

@vidplace7 vidplace7 requested a review from danditomaso June 16, 2026 18:16
@vidplace7

vidplace7 commented Jun 16, 2026

Copy link
Copy Markdown
Member

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/curves-2.2.0 branch from 7059328 to 241607d Compare June 16, 2026 18:23
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/curves-2.2.0 branch from 241607d to 9e4a875 Compare June 16, 2026 19:03
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/curves-2.2.0 branch from 9e4a875 to 21ba93a Compare June 16, 2026 19:07
@dependabot
chore(deps): bump @noble/curves from 1.9.7 to 2.2.0
4949563 
Bumps [@noble/curves](https://github.com/paulmillr/noble-curves) from 1.9.7 to 2.2.0.
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](paulmillr/noble-curves@1.9.7...2.2.0)

---
updated-dependencies:
- dependency-name: "@noble/curves"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/curves-2.2.0 branch from 21ba93a to 4949563 Compare June 17, 2026 00:32
@danditomaso
refactor(web): migrate @noble/curves imports to v2 paths
8144768 
- Move numberToHexUnpadded import from @noble/curves/abstract/utils to
  @noble/curves/utils.js (abstract/utils subpath removed in v2).
- Update @noble/curves/ed25519 to @noble/curves/ed25519.js to match
  required sub-import file extensions.
- Rename x25519.utils.randomPrivateKey() to randomSecretKey() (v2 API).
@danditomaso danditomaso merged commit 251c073 into main Jun 17, 2026
4 checks passed
@danditomaso danditomaso deleted the dependabot/npm_and_yarn/noble/curves-2.2.0 branch June 17, 2026 02:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danditomaso danditomaso danditomaso approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vidplace7 @danditomaso