2 changes: 1 addition & 1 deletion apps/faucet/package.json
Expand Up @@ -11,7 +11,7 @@
},
"dependencies": {
"@noble/hashes": "^1.7.2",
"@noble/secp256k1": "^2.2.3",
"@noble/secp256k1": "^3.1.0",
⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification for `@noble/secp256k1` v3 migration readiness.
# Expected: no v2-style usage patterns in active call sites.

set -euo pipefail

echo "1) Locate @noble/secp256k1 imports/usages"
rg -n --type=ts --type=tsx --type=js --type=mjs --type=cjs \
  "(@noble/secp256k1|from ['\"]@noble/secp256k1['\"]|require\\(['\"]@noble/secp256k1['\"]\\))" -C 3

echo
echo "2) Inspect common crypto API call sites with context"
rg -nP --type=ts --type=tsx --type=js --type=mjs \
  "\\b(sign|verify|getPublicKey|recoverPublicKey|schnorr|Signature)\\s*\\(" -C 3

echo
echo "3) Heuristic: detect obvious string-literal args passed to crypto funcs (often v2-style hex input)"
rg -nP --type=ts --type=tsx --type=js --type=mjs \
  "\\b(sign|verify|getPublicKey|recoverPublicKey)\\s*\\(\\s*['\"\`]" -C 2 || true

Repository: Sentriscloud/frontend

Length of output: 153


🏁 Script executed:

#!/bin/bash
# Read-only verification for `@noble/secp256k1` v3 migration readiness.
# Corrected to avoid unsupported file types.

set -euo pipefail

echo "=== 1) Locate @noble/secp256k1 imports/usages ==="
rg -n "@noble/secp256k1" -C 2 || echo "  (no imports found)"

echo
echo "=== 2) Find all TypeScript/JavaScript files in faucet and shared ==="
find apps/faucet -name "*.ts" -o -name "*.js" 2>/dev/null | head -20

echo
echo "=== 3) Inspect faucet source files for secp256k1 call sites ==="
if [ -d "apps/faucet/src" ]; then
  find apps/faucet/src -type f \( -name "*.ts" -o -name "*.js" \) -exec grep -l "sign\|verify\|getPublicKey\|secp256k1" {} \;
else
  echo "  (apps/faucet/src not found)"
fi

echo
echo "=== 4) Check package.json for secp256k1 dependencies ==="
rg "@noble/secp256k1" apps/faucet/package.json || echo "  (dependency info)"

echo
echo "=== 5) List shared/workspace packages ==="
if [ -d "packages" ]; then
  ls -la packages/ | grep -E "^d" || true
elif [ -d "libs" ]; then
  ls -la libs/ | grep -E "^d" || true
fi

Repository: Sentriscloud/frontend

Length of output: 4909


🏁 Script executed:

#!/bin/bash
# Inspect actual secp256k1 usage in faucet and solux

echo "=== apps/faucet/src/app/api/faucet/route.ts ===" 
cat -n apps/faucet/src/app/api/faucet/route.ts | head -100

echo
echo "=== apps/faucet/src/lib/ws.ts ==="
cat -n apps/faucet/src/lib/ws.ts 2>/dev/null || echo "(file not found or empty)"

echo
echo "=== apps/solux/src/lib/crypto.ts (full file for v3 migration context) ==="
if [ -f apps/solux/src/lib/crypto.ts ]; then
  wc -l apps/solux/src/lib/crypto.ts
  cat -n apps/solux/src/lib/crypto.ts
else
  echo "(file not found)"
fi

Repository: Sentriscloud/frontend

Length of output: 20594


🏁 Script executed:

#!/bin/bash
# Find secp256k1 function calls in faucet route

echo "=== Searching for secp.* calls in faucet route ==="
grep -n "secp\." apps/faucet/src/app/api/faucet/route.ts || echo "(no secp.* calls found)"

echo
echo "=== Full faucet route file (line count first) ==="
wc -l apps/faucet/src/app/api/faucet/route.ts

echo
echo "=== Faucet route from line 100 onwards ==="
tail -n +100 apps/faucet/src/app/api/faucet/route.ts

Repository: Sentriscloud/frontend

Length of output: 14568


@noble/secp256k1 v3 migration incomplete in faucet — critical signature bug at line 338.

The faucet imports v3 correctly but is missing the breaking API change mitigation. Line 338's secp.signAsync(msgHash, privKeyBytes) must include { prehash: false } to avoid double-hashing:

Current (broken) signature code
// Line 337-339 in apps/faucet/src/app/api/faucet/route.ts
const msgHash = sha256(new TextEncoder().encode(signingPayload))
const sig = await secp.signAsync(msgHash, privKeyBytes)  // ❌ missing prehash:false
const sigHex = bytesToHex(sig.toCompactRawBytes())

In v3, signAsync defaults to prehashing input, so this signs sha256(sha256(payload)) instead of sha256(payload). Chain verification will reject all transactions.

See apps/solux/src/lib/crypto.ts line 79 for the correct pattern: secp.signAsync(msgHash, keyBytes, { lowS: true, prehash: false }).

Fix: Add { prehash: false } option to line 338's signAsync call.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/faucet/package.json` at line 14, The signature call in the faucet's
signing flow is using secp.signAsync(msgHash, privKeyBytes) which, with
`@noble/secp256k1` v3, will prehash again and produce invalid signatures; update
the sign call in the route handler that computes msgHash (the lines around
signingPayload, msgHash, sig, sigHex) to pass the option { prehash: false } (and
keep any existing options like lowS if desired) so it signs the already-hashed
payload: secp.signAsync(msgHash, privKeyBytes, { prehash: false }).
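
The double-hash mismatch described in the comment above, as an added example that is not part of the PR or the repository: Node's built-in `crypto` stands in for `@noble/secp256k1`, with `crypto.sign('sha256', ...)` playing the role of a signer that hashes its input before signing. All function names, the key pair and the sample payload are constructed for illustration; in this model the equivalent of `{ prehash: false }` is making sure the payload is hashed exactly once.

```javascript
// Added example: models "hash, then hand the digest to a signer that hashes again".
const crypto = require('node:crypto');

// Constructed test key pair on secp256k1; not a real faucet key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'secp256k1',
});

const sha256 = (bytes) => crypto.createHash('sha256').update(bytes).digest();

// Signer that hashes whatever it receives before signing (prehash enabled).
function signWithPrehash(input) {
  return crypto.sign('sha256', input, privateKey);
}

// Verifier modelled on the chain side: expects a signature over sha256(payload).
function chainAccepts(payload, signature) {
  return crypto.verify('sha256', payload, publicKey, signature);
}

// Caller pattern from the comment: digest first, then a prehashing signer,
// which yields a signature over sha256(sha256(payload)).
function signDigestThenPrehash(payload) {
  return signWithPrehash(sha256(Buffer.from(payload, 'utf8')));
}

// Caller that lets the signer perform the only hash: sha256(payload).
function signPayloadOnce(payload) {
  return signWithPrehash(Buffer.from(payload, 'utf8'));
}

// Regression check suitable for CI after a crypto dependency bump:
// sign a known payload and confirm an independent verifier accepts it.
function roundTrip(signFn, payload) {
  return chainAccepts(Buffer.from(payload, 'utf8'), signFn(payload));
}

const samplePayload = '{"to":"0xCONSTRUCTED","amount":"1"}'; // constructed sample
console.log('double hash accepted:', roundTrip(signDigestThenPrehash, samplePayload));
console.log('single hash accepted:', roundTrip(signPayloadOnce, samplePayload));
```
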

"@privy-io/react-auth": "^3.23.0",
"@privy-io/wagmi": "^4.0.6",
"@sentriscloud/wallet-config": "workspace:*",
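Review bot: The changed line takes apps/faucet from "@noble/secp256k1": "^2.2.3" to "^3.1.0", a major-version jump, yet the PR's file list is only the two package.json files and pnpm-lock.yaml, so no faucet call site is adapted in the same change. Either land the call-site updates in this PR or keep the faucet on the 2.x range until they are ready, and add a sign-then-verify test so a future bump of this dependency fails in CI instead of at runtime. The line above also keeps "@noble/hashes": "^1.7.2" here, while apps/solux pairs secp256k1 3.x with "@noble/hashes": "^2.0.1"; confirm the faucet's combination is intended.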
2 changes: 1 addition & 1 deletion apps/solux/package.json
Expand Up @@ -12,7 +12,7 @@
"dependencies": {
"@noble/ciphers": "^2.2.0",
"@noble/hashes": "^2.0.1",
"@noble/secp256k1": "^3.0.0",
"@noble/secp256k1": "^3.1.0",
"@scure/bip32": "^2.2.0",
"@scure/bip39": "^2.2.0",
"@tanstack/react-query": "^5.97.0",
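Review bot: On the changed line, "^3.0.0" already admits 3.1.0, so this edit only raises the minimum version; what actually changes the installed code is pnpm-lock.yaml, whose diff (4 additions, 9 deletions) is not rendered on this page. Open the lockfile diff and check the resolved version and integrity entries for @noble/secp256k1 before approving.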
13 changes: 4 additions & 9 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
