Skip to content

Bump @noble/curves from 1.9.7 to 2.2.0#905

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/noble/curves-2.2.0
Closed

Bump @noble/curves from 1.9.7 to 2.2.0#905
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/noble/curves-2.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps @noble/curves from 1.9.7 to 2.2.0.

Release notes

Sourced from @​noble/curves's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • ed25519: make zip215 verification logic match spec more strictly (spec vectors were not enough)
    • ed448: turn off zip215 mode by default, use stricter one
    • schnorr: reduce rand by mod N instead of throwing
    • math: hardening of sqrt
    • babyjubjub: use correct curve and curve params
    • der: improve parsing
    • bls: improve point decoding
    • bls, bn: Fix Fp6 / Fp12 order
    • hash-to-curve: empty dst / count now throws
    • Apply Object.freeze to most primitives
    • Other minor hardening
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • Implement FROST threshold signatures from RFC 9591
  • Fix compilation issues on TypeScript v6
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-curves@2.0.1...2.2.0

2.0.1

  • Disable extension-less imports. If you've used /ed25519, switch to /ed25519.js now. See 2.0.0 for more details.
  • package.json: specify exported submodules to ensure typescript autocompletion
  • package.json: bump hashes to 2.0.1 with scrypt & pkg.json changes
  • ed25519: export map_to_curve_elligator2_curve25519 paulmillr/noble-curves#211
  • bls: try-catch pairingBatch in bls12_381.verify() by @​MegaManSec in paulmillr/noble-curves#212
  • fft: expose extra info in rootsOfUnity

New Contributors

GitHub Immutable Releases

This GH release does not include standalone noble-curves.js: use 2.0.0 for now, until we upgrade to newly added Immutable Releases

Full Changelog: paulmillr/noble-curves@2.0.0...2.0.1

2.0.0

High-level

v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future. To simplify upgrading, upgrade first to curves 1.9.x. It would show deprecations in vscode-like text editor.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/curves since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 1, 2026
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
eciesjs Error Error Jul 12, 2026 11:40am

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​noble/​curves@​2.2.010010010085100

View full report

Bumps [@noble/curves](https://github.com/paulmillr/noble-curves) from 1.9.7 to 2.2.0.
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](paulmillr/noble-curves@1.9.7...2.2.0)

---
updated-dependencies:
- dependency-name: "@noble/curves"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/curves-2.2.0 branch from f5d0a6d to 057ac38 Compare July 12, 2026 11:40
@kigawas kigawas closed this Jul 14, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/noble/curves-2.2.0 branch July 14, 2026 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant