Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency @noble/secp256k1 to v2 #5968

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 11, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@noble/secp256k1 (source) ^1.7.1 -> ^2.1.0 age adoption passing confidence

Release Notes

paulmillr/noble-secp256k1 (@​noble/secp256k1)

v2.1.0

Compare Source

This release comes one year after v2.0.0, following rare update schedule for easy auditability.

  • Point.fromAffine: convert ZERO points properly
  • au8: improve Uint8Array check to work in extension context
  • Signature: add normalizeS method
  • Signature: addRecoveryBit should return more precise type, SignatureWithRecovery
  • randomPrivateKey: fetch 48 bytes from CSPRNG instead of 40, to reduce bias

New Contributors

Full Changelog: paulmillr/noble-secp256k1@2.0.0...2.1.0

v2.0.0

Compare Source

noble-secp256k1 v2 features improved security and smaller attack surface.
The goal of v2 is to provide minimum possible JS library which is safe and fast.

That means the library was reduced 4x, to just over 400 lines. Library size is now just 4KB gzipped.
In order to achieve the goal, some features were moved to noble-curves, which is
even safer and faster drop-in replacement library with same API.
Switch to curves if you intend to keep using these features:

  • DER encoding: toDERHex, toDERRawBytes, signing / verification of DER sigs
  • Schnorr signatures
  • Using utils.precompute() for non-base point
  • Support for environments which don't support bigint literals
  • Common.js support
  • Support for node.js 18 and older without shim

Other changes for upgrading from @​noble/secp256k1 1.7 to 2.0:

  • getPublicKey
    • now produce 33-byte compressed signatures by default
    • to use old behavior, which produced 65-byte uncompressed keys, set
      argument isCompressed to false: getPublicKey(priv, false)
  • sign
    • is now sync; use signAsync for async version
    • now returns Signature instance with { r, s, recovery } properties
    • canonical option was renamed to lowS
    • recovered option has been removed because recovery bit is always returned now
    • der option has been removed. There are 2 options:
      1. Use compact encoding: fromCompact, toCompactRawBytes, toCompactHex.
        Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
      2. If you must use DER encoding, switch to noble-curves (see above).
  • verify
    • strict option was renamed to lowS
  • getSharedSecret
    • now produce 33-byte compressed signatures by default
    • to use old behavior, which produced 65-byte uncompressed keys, set
      argument isCompressed to false: getSharedSecret(a, b, false)
  • recoverPublicKey(msg, sig, rec) was changed to sig.recoverPublicKey(msg)
  • number type for private keys have been removed: use bigint instead
  • Point (2d xy) has been changed to ProjectivePoint (3d xyz)
  • utils were split into utils (same api as in noble-curves) and
    etc (hmacSha256Sync and others)

Pull request: https://github.com/paulmillr/noble-secp256k1/pull/92

Full Changelog: paulmillr/noble-secp256k1@1.7.1...2.0.0


Configuration

📅 Schedule: Branch creation - "after 5pm,every weekend" in timezone America/Los_Angeles, Automerge - "after 5pm,every weekend" in timezone America/Los_Angeles.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/noble-secp256k1-2.x branch 6 times, most recently from c63a574 to 8c5ed10 Compare September 11, 2024 10:57
@renovate renovate bot changed the title chore(deps): update dependency @noble/secp256k1 to v2 chore(deps): update dependency @noble/secp256k1 to v2 - autoclosed Sep 11, 2024
@renovate renovate bot closed this Sep 11, 2024
auto-merge was automatically disabled September 11, 2024 12:29

Pull request was closed

@renovate renovate bot deleted the renovate/noble-secp256k1-2.x branch September 11, 2024 12:29
@renovate renovate bot restored the renovate/noble-secp256k1-2.x branch September 11, 2024 12:48
@renovate renovate bot changed the title chore(deps): update dependency @noble/secp256k1 to v2 - autoclosed chore(deps): update dependency @noble/secp256k1 to v2 Sep 11, 2024
@renovate renovate bot reopened this Sep 11, 2024
@renovate renovate bot enabled auto-merge September 11, 2024 12:49
@renovate renovate bot force-pushed the renovate/noble-secp256k1-2.x branch 6 times, most recently from 8e9d05d to e00defa Compare September 12, 2024 07:59
@renovate renovate bot force-pushed the renovate/noble-secp256k1-2.x branch from e00defa to 96811aa Compare September 12, 2024 08:22
@jeanregisser
Copy link
Member

This new version is apparently ESM only, skip until we can switch to ESM too.
See react-native-community/cli#2167

auto-merge was automatically disabled September 12, 2024 10:47

Pull request was closed

@jeanregisser jeanregisser deleted the renovate/noble-secp256k1-2.x branch September 12, 2024 10:47
Copy link
Contributor Author

renovate bot commented Sep 12, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant