Skip to content

chore(deps): bump @noble/curves from 1.8.1 to 2.2.0 in /frontend#7

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/frontend/noble/curves-2.2.0
Open

chore(deps): bump @noble/curves from 1.8.1 to 2.2.0 in /frontend#7
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/frontend/noble/curves-2.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps @noble/curves from 1.8.1 to 2.2.0.

Release notes

Sourced from @​noble/curves's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • ed25519: make zip215 verification logic match spec more strictly (spec vectors were not enough)
    • ed448: turn off zip215 mode by default, use stricter one
    • schnorr: reduce rand by mod N instead of throwing
    • math: hardening of sqrt
    • babyjubjub: use correct curve and curve params
    • der: improve parsing
    • bls: improve point decoding
    • bls, bn: Fix Fp6 / Fp12 order
    • hash-to-curve: empty dst / count now throws
    • Apply Object.freeze to most primitives
    • Other minor hardening
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • Implement FROST threshold signatures from RFC 9591
  • Fix compilation issues on TypeScript v6
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-curves@2.0.1...2.2.0

2.0.1

  • Disable extension-less imports. If you've used /ed25519, switch to /ed25519.js now. See 2.0.0 for more details.
  • package.json: specify exported submodules to ensure typescript autocompletion
  • package.json: bump hashes to 2.0.1 with scrypt & pkg.json changes
  • ed25519: export map_to_curve_elligator2_curve25519 paulmillr/noble-curves#211
  • bls: try-catch pairingBatch in bls12_381.verify() by @​MegaManSec in paulmillr/noble-curves#212
  • fft: expose extra info in rootsOfUnity

New Contributors

GitHub Immutable Releases

This GH release does not include standalone noble-curves.js: use 2.0.0 for now, until we upgrade to newly added Immutable Releases

Full Changelog: paulmillr/noble-curves@2.0.0...2.0.1

2.0.0

High-level

v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future. To simplify upgrading, upgrade first to curves 1.9.x. It would show deprecations in vscode-like text editor.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/curves since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@noble/curves](https://github.com/paulmillr/noble-curves) from 1.8.1 to 2.2.0.
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](paulmillr/noble-curves@1.8.1...2.2.0)

---
updated-dependencies:
- dependency-name: "@noble/curves"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: frontend. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 30, 2026
@github-actions github-actions Bot added the dependabot-needs-review Dependabot PR needs human review before merge label Jun 30, 2026
@github-actions

Copy link
Copy Markdown

⚠️ Dependabot PR needs human review

This is a human-approved gate. Nothing is merged automatically. Resolve the items below, or merge deliberately after reviewing them.

Check Result
Scope (frontend deps only) ✅ frontend/package.json + lockfile only
Protect-the-gate (no CI/test edits) ✅ untouched
Supply-chain: 0 new packages ✅ 0 added
CI Frontend (sandbox guard + build) ⚠️ failure
dependency-type direct:production (version-update:semver-major)

Why it needs review

  • dependency-type is direct:production (not a pure dev-dependency) - weigh runtime / money-path impact.
  • CI Frontend (sandbox guard + build) is failure (need success).
Supply-chain delta (npm_and_yarn @ /frontend)

Version-changed (2):

  • @noble/curves/node_modules/@noble/hashes: 1.7.1 -> 2.2.0
  • @noble/curves: 1.8.1 -> 2.2.0

Removed (0):
none

Added (0):
none

⚠️ Residual blind spot (pre-existing, applies to every merge): no gate runs the rolldown-minified in-app money-path bundle (dist/assets/*.js). The byte-parity gate covers the cold-recovery tool + source, not the shipped minified bytes. Low risk for a minor bump; weigh it for any runtime-dependency change.

Posted by .github/workflows/dependabot-verify.yml. Verdict is advisory; you are the merge gate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependabot-needs-review Dependabot PR needs human review before merge dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants