Skip to content

chore(deps): bump the production-deps group across 1 directory with 3 updates#38

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-8b1eace680
Open

chore(deps): bump the production-deps group across 1 directory with 3 updates#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-deps-8b1eace680

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the production-deps group with 3 updates in the / directory: @noble/curves, @noble/hashes and express.

Updates @noble/curves from 1.9.7 to 2.2.0

Release notes

Sourced from @​noble/curves's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • ed25519: make zip215 verification logic match spec more strictly (spec vectors were not enough)
    • ed448: turn off zip215 mode by default, use stricter one
    • schnorr: reduce rand by mod N instead of throwing
    • math: hardening of sqrt
    • babyjubjub: use correct curve and curve params
    • der: improve parsing
    • bls: improve point decoding
    • bls, bn: Fix Fp6 / Fp12 order
    • hash-to-curve: empty dst / count now throws
    • Apply Object.freeze to most primitives
    • Other minor hardening
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • Implement FROST threshold signatures from RFC 9591
  • Fix compilation issues on TypeScript v6
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-curves@2.0.1...2.2.0

2.0.1

  • Disable extension-less imports. If you've used /ed25519, switch to /ed25519.js now. See 2.0.0 for more details.
  • package.json: specify exported submodules to ensure typescript autocompletion
  • package.json: bump hashes to 2.0.1 with scrypt & pkg.json changes
  • ed25519: export map_to_curve_elligator2_curve25519 paulmillr/noble-curves#211
  • bls: try-catch pairingBatch in bls12_381.verify() by @​MegaManSec in paulmillr/noble-curves#212
  • fft: expose extra info in rootsOfUnity

New Contributors

GitHub Immutable Releases

This GH release does not include standalone noble-curves.js: use 2.0.0 for now, until we upgrade to newly added Immutable Releases

Full Changelog: paulmillr/noble-curves@2.0.0...2.0.1

2.0.0

High-level

v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future. To simplify upgrading, upgrade first to curves 1.9.x. It would show deprecations in vscode-like text editor.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/curves since your current version.


Updates @noble/hashes from 1.8.0 to 2.2.0

Release notes

Sourced from @​noble/hashes's releases.

2.2.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • Fix: dkLen=0 handling in pbkdf2, blake2, turboshake, kt
    • Fix: parallelHash with blockLen=0
    • Fix: argon2 progress callback now reaches 100%
    • Improve: digestInto no longer returns a value (better performance)
    • Improve: argon2, blake2 support non-4-divisible dkLen
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • sha3: speed-up by up to 50%. Contributed by @​ChALkeR in paulmillr/noble-hashes#126
  • Fix compilation issues on TypeScript v6
  • Make package Big Endian friendly. All tests pass on s390x
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-hashes@2.0.1...2.2.0

2.0.1

  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers
    • This was planned for 2.0.0, but was accidentally left out
  • package.json: specify exported submodules to ensure typescript autocompletion
  • scrypt: Fix error message for maxmem check by @​ChALkeR in paulmillr/noble-hashes#121
  • scrypt: 4% speed-up by @​ChALkeR in paulmillr/noble-hashes#122

Full Changelog: paulmillr/noble-hashes@2.0.0...2.0.1

2.0.0

High-level

  • The package is now ESM-only. ESM can finally be loaded from common.js on node v20.19+
    • Node v20.19 is now the minimum required version
    • Package imports now work correctly in bundler-less environments, such as browsers
    • Reduces npm package size (traffic consumed): 152KB => 136KB
    • Reduces unpacked npm size (on-disk space): 1.1MB => 669KB
  • Make bundle sizes smaller, compared to v1.x
  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers

Changes

... (truncated)

Commits
  • 81983c2 Release 2.2.0.
  • 8883d32 Minor syntax fixes
  • e5fedba Run prettier format on tests
  • 72e2083 Changes related to March 2026 audit (new tests)
  • fd9f580 Changes related to March 2026 audit (typed arrays)
  • 9a216b5 Changes related to March 2026 audit
  • 85e35d5 Clarify sha3.
  • cc8ea40 Merge pull request #126 from ChALkeR/chalker/unroll/sha3/0/chi
  • 46c3129 Bump typescript to 6.0.2
  • ca90465 Bump devdeps.
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​noble/hashes since your current version.


Updates express from 4.22.2 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot
chore(deps): bump the production-deps group across 1 directory with 3…
ed7b75e 
… updates

Bumps the production-deps group with 3 updates in the / directory: [@noble/curves](https://github.com/paulmillr/noble-curves), [@noble/hashes](https://github.com/paulmillr/noble-hashes) and [express](https://github.com/expressjs/express).


Updates `@noble/curves` from 1.9.7 to 2.2.0
- [Release notes](https://github.com/paulmillr/noble-curves/releases)
- [Commits](paulmillr/noble-curves@1.9.7...2.2.0)

Updates `@noble/hashes` from 1.8.0 to 2.2.0
- [Release notes](https://github.com/paulmillr/noble-hashes/releases)
- [Commits](paulmillr/noble-hashes@1.8.0...2.2.0)

Updates `express` from 4.22.2 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v4.22.2...v5.2.1)

---
updated-dependencies:
- dependency-name: "@noble/curves"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-deps
- dependency-name: "@noble/hashes"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-deps
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the production-deps group with 3 updates chore(deps): bump the production-deps group across 1 directory with 3 updates Jun 22, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-deps-8b1eace680 branch from dd20aec to ed7b75e Compare June 22, 2026 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants