chore(deps): bump @noble/secp256k1 from 2.3.0 to 3.1.0 #87

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/noble/secp256k1-3.1.0

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Bumps @noble/secp256k1 from 2.3.0 to 3.1.0.

Release notes

Sourced from @noble/secp256k1's releases.

3.1.0

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • General hardening was completed
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • Fix compilation issues on TypeScript v6
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

New Contributors

Full Changelog: paulmillr/noble-secp256k1@3.0.0...3.1.0

3.0.0

v3 brings the package closer to noble-curves v2

  • Add Schnorr signatures
  • Most methods now expect Uint8Array, string hex inputs are prohibited
  • Add keygen method
  • sign, verify: Switch to prehashed messages. Instead of messageHash, the methods now expect unhashed message. To bring back old behavior, use option {prehash: false}
  • sign, verify: Switch to Uint8Array signatures (format: 'compact') by default.
  • verify: recovered format must be explicitly specified in {format: 'recovered'}. This reduces malleability
  • verify: prohibit Signature-instance signature. User must now always do signature.toBytes()
  • Node v20.19 is now the minimum required version
  • Various small changes for types and Point class
  • etc: hashes are now set in hashes object. Also sha256 needs to be set now for prehash: true:
// before
// etc.hmacSha256Sync = (key, ...messages) => hmac(sha256, key, etc.concatBytes(...messages));
// etc.hmacSha256Async = (key, ...messages) => Promise.resolve(etc.hmacSha256Sync(key, ...messages));
// after
hashes.hmacSha256 = (key, msg) => hmac(sha256, key, msg);
hashes.sha256 = sha256;
hashes.hmacSha256Async = async (key, msg) => hmac(sha256, key, msg);
hashes.sha256Async = async (msg) => sha256(msg);

Full Changelog: paulmillr/noble-secp256k1@2.3.0...3.0.0

Commits
  • f61f685 Release 3.1.0.
  • 30841b9 Minor fixes
  • 943f916 Implement changes as per Mar 2026 audit.
  • f982d7d Bump typescript to 6.0.2
  • 4639c0f Fix tests
  • 7c74a5a Add docs everywhere. Upgrade to ts 6.0-rc, jsbt 0.5. Add pkg.json scripts.
  • 18cf7c0 Merge pull request #141 from Zosoled/bugfix/p-documentation
  • 0f3c1e9 Fix P documentation in .ts
  • 3e1e0ce Merge pull request #140 from Zosoled/bugfix/p-documentation
  • f7cb2dc Fix P documentation
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @noble/secp256k1 since your current version.


Summary by CodeRabbit

  • Chores
    • Updated cryptographic library dependencies to the latest compatible versions across applications.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026
@dependabot dependabot Bot requested a review from satyakwok as a code owner May 18, 2026 02:09
@coderabbitai

coderabbitai Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7eceb181-72bc-44d0-bb3f-dc2aaa13fd4f

📥 Commits

Reviewing files that changed from the base of the PR and between 8ff9ddd and 895d3b0.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/faucet/package.json
  • apps/solux/package.json
✅ Files skipped from review due to trivial changes (1)
  • apps/solux/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/faucet/package.json

📝 Walkthrough

This pull request updates the @noble/secp256k1 dependency in two applications to version 3.1.0: in apps/faucet from ^2.2.3 to ^3.1.0 and in apps/solux from ^3.0.0 to ^3.1.0. Only those two package.json lines changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • satyakwok
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The PR description is missing required sections: Summary (1-3 sentences explaining what changed and why) and Test plan (bulleted checklist). Only release notes are provided. | Add a Summary section (1-3 sentences explaining the upgrade rationale and key changes) and a Test plan section with testing checklist items for both happy-path and edge cases. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: upgrading @noble/secp256k1 across the codebase from 2.3.0 to 3.1.0. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/faucet/package.json`:
- Line 14: The signature call in the faucet's signing flow is using
secp.signAsync(msgHash, privKeyBytes) which, with `@noble/secp256k1` v3, will
prehash again and produce invalid signatures; update the sign call in the route
handler that computes msgHash (the lines around signingPayload, msgHash, sig,
sigHex) to pass the option { prehash: false } (and keep any existing options
like lowS if desired) so it signs the already-hashed payload:
secp.signAsync(msgHash, privKeyBytes, { prehash: false }).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: d7118895-bb6b-4868-81be-d34bfe9a5739

📥 Commits

Reviewing files that changed from the base of the PR and between a9b736b and 8ff9ddd.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/faucet/package.json
  • apps/solux/package.json

Comment thread apps/faucet/package.json
"dependencies": {
"@noble/hashes": "^1.7.2",
"@noble/secp256k1": "^2.2.3",
"@noble/secp256k1": "^3.1.0",
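Review bot: the `^2.2.3` to `^3.1.0` change on the `@noble/secp256k1` line is a semver-major bump, and the walkthrough states that only the two package.json lines changed, so no call site is adapted to the 3.0.0 breaking changes listed in the release notes (sign and verify now hash the message by default, and signatures are returned as Uint8Array in compact format by default). Suggest landing the faucet call-site update in the same change as this line, covering both the `{ prehash: false }` option and how the returned signature is serialized, with a sign-then-verify test against a known vector, rather than merging the version bump alone under auto-merge.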

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification for `@noble/secp256k1` v3 migration readiness.
# Expected: no v2-style usage patterns in active call sites.

set -euo pipefail

echo "1) Locate @noble/secp256k1 imports/usages"
rg -n --type=ts --type=tsx --type=js --type=mjs --type=cjs \
  "(@noble/secp256k1|from ['\"]@noble/secp256k1['\"]|require\\(['\"]@noble/secp256k1['\"]\\))" -C 3

echo
echo "2) Inspect common crypto API call sites with context"
rg -nP --type=ts --type=tsx --type=js --type=mjs \
  "\\b(sign|verify|getPublicKey|recoverPublicKey|schnorr|Signature)\\s*\\(" -C 3

echo
echo "3) Heuristic: detect obvious string-literal args passed to crypto funcs (often v2-style hex input)"
rg -nP --type=ts --type=tsx --type=js --type=mjs \
  "\\b(sign|verify|getPublicKey|recoverPublicKey)\\s*\\(\\s*['\"\`]" -C 2 || true

Repository: Sentriscloud/frontend

Length of output: 153


🏁 Script executed:

#!/bin/bash
# Read-only verification for `@noble/secp256k1` v3 migration readiness.
# Corrected to avoid unsupported file types.

set -euo pipefail

echo "=== 1) Locate @noble/secp256k1 imports/usages ==="
rg -n "@noble/secp256k1" -C 2 || echo "  (no imports found)"

echo
echo "=== 2) Find all TypeScript/JavaScript files in faucet and shared ==="
find apps/faucet -name "*.ts" -o -name "*.js" 2>/dev/null | head -20

echo
echo "=== 3) Inspect faucet source files for secp256k1 call sites ==="
if [ -d "apps/faucet/src" ]; then
  find apps/faucet/src -type f \( -name "*.ts" -o -name "*.js" \) -exec grep -l "sign\|verify\|getPublicKey\|secp256k1" {} \;
else
  echo "  (apps/faucet/src not found)"
fi

echo
echo "=== 4) Check package.json for secp256k1 dependencies ==="
rg "@noble/secp256k1" apps/faucet/package.json || echo "  (dependency info)"

echo
echo "=== 5) List shared/workspace packages ==="
if [ -d "packages" ]; then
  ls -la packages/ | grep -E "^d" || true
elif [ -d "libs" ]; then
  ls -la libs/ | grep -E "^d" || true
fi

Repository: Sentriscloud/frontend

Length of output: 4909


🏁 Script executed:

#!/bin/bash
# Inspect actual secp256k1 usage in faucet and solux

echo "=== apps/faucet/src/app/api/faucet/route.ts ===" 
cat -n apps/faucet/src/app/api/faucet/route.ts | head -100

echo
echo "=== apps/faucet/src/lib/ws.ts ==="
cat -n apps/faucet/src/lib/ws.ts 2>/dev/null || echo "(file not found or empty)"

echo
echo "=== apps/solux/src/lib/crypto.ts (full file for v3 migration context) ==="
if [ -f apps/solux/src/lib/crypto.ts ]; then
  wc -l apps/solux/src/lib/crypto.ts
  cat -n apps/solux/src/lib/crypto.ts
else
  echo "(file not found)"
fi

Repository: Sentriscloud/frontend

Length of output: 20594


🏁 Script executed:

#!/bin/bash
# Find secp256k1 function calls in faucet route

echo "=== Searching for secp.* calls in faucet route ==="
grep -n "secp\." apps/faucet/src/app/api/faucet/route.ts || echo "(no secp.* calls found)"

echo
echo "=== Full faucet route file (line count first) ==="
wc -l apps/faucet/src/app/api/faucet/route.ts

echo
echo "=== Faucet route from line 100 onwards ==="
tail -n +100 apps/faucet/src/app/api/faucet/route.ts

Repository: Sentriscloud/frontend

Length of output: 14568


@noble/secp256k1 v3 migration incomplete in faucet — critical signature bug at line 338.

The faucet imports v3 correctly but is missing the breaking API change mitigation. Line 338's secp.signAsync(msgHash, privKeyBytes) must include { prehash: false } to avoid double-hashing:

Current (broken) signature code
// Line 337-339 in apps/faucet/src/app/api/faucet/route.ts
const msgHash = sha256(new TextEncoder().encode(signingPayload))
const sig = await secp.signAsync(msgHash, privKeyBytes)  // ❌ missing prehash:false
const sigHex = bytesToHex(sig.toCompactRawBytes())

In v3, signAsync defaults to prehashing input, so this signs sha256(sha256(payload)) instead of sha256(payload). Chain verification will reject all transactions.

See apps/solux/src/lib/crypto.ts line 79 for the correct pattern: secp.signAsync(msgHash, keyBytes, { lowS: true, prehash: false }).

Fix: Add { prehash: false } option to line 338's signAsync call.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/faucet/package.json` at line 14, The signature call in the faucet's
signing flow is using secp.signAsync(msgHash, privKeyBytes) which, with
`@noble/secp256k1` v3, will prehash again and produce invalid signatures; update
the sign call in the route handler that computes msgHash (the lines around
signingPayload, msgHash, sig, sigHex) to pass the option { prehash: false } (and
keep any existing options like lowS if desired) so it signs the already-hashed
payload: secp.signAsync(msgHash, privKeyBytes, { prehash: false }).
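
Added example, not part of the CodeRabbit comment or the repository's code: the double-hash failure described above, reproduced on secp256k1 with Node's built-in crypto. `crypto.sign('sha256', ...)` always hashes its input, so it stands in for the prehashing default; signing the raw payload with it produces ECDSA over the same digest that `{ prehash: false }` on `msgHash` would. The payload, key pair and function names are constructed for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

const sha256 = (bytes) => nodeCrypto.createHash('sha256').update(bytes).digest();

// Constructed payload and throwaway secp256k1 key pair (not from the repository).
const payload = Buffer.from('constructed-payload: to=0xabc amount=1 nonce=7');
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', {
  namedCurve: 'secp256k1',
});

// Signer that hashes whatever it is given before running ECDSA, i.e. the
// behaviour the 3.0.0 release notes describe as the new default.
const hashingSign = (input) => nodeCrypto.sign('sha256', input, privateKey);

// Independent verifier standing in for the chain: it recomputes
// sha256(payload) itself and checks the signature against that digest.
const chainAccepts = (sig) => nodeCrypto.verify('sha256', payload, publicKey, sig);

function demoDoubleHash() {
  const msgHash = sha256(payload); // caller hashes once, v2 style

  // v2-style call site left unchanged: ECDSA runs over sha256(msgHash).
  const unchangedCallSite = hashingSign(msgHash);

  // One hash overall: the digest that { prehash: false } on msgHash would sign.
  const singleHash = hashingSign(payload);

  return {
    unchangedAccepted: chainAccepts(unchangedCallSite),
    singleHashAccepted: chainAccepts(singleHash),
    // The rejected signature is well-formed; it is over the wrong digest.
    unchangedValidOverDoubleHash: nodeCrypto.verify(
      'sha256', msgHash, publicKey, unchangedCallSite),
    digestsDiffer: !sha256(msgHash).equals(msgHash),
  };
}

console.log(demoDoubleHash());
```

The same pattern, signing with the application's call site and verifying with an independent implementation against a known vector, is the regression test that catches this class of change on a major-version bump.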

Bumps [@noble/secp256k1](https://github.com/paulmillr/noble-secp256k1) from 2.3.0 to 3.1.0.
- [Release notes](https://github.com/paulmillr/noble-secp256k1/releases)
- [Commits](paulmillr/noble-secp256k1@2.3.0...3.1.0)

---
updated-dependencies:
- dependency-name: "@noble/secp256k1"
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/noble/secp256k1-3.1.0 branch from 8ff9ddd to 895d3b0 Compare May 18, 2026 03:01
@satyakwok satyakwok enabled auto-merge (squash) May 18, 2026 03:24