Skip to content

Update dependency @noble/hashes to v2#291

Closed
renovate[bot] wants to merge 2 commits intomainfrom
renovate/noble-hashes-2.x
Closed

Update dependency @noble/hashes to v2#291
renovate[bot] wants to merge 2 commits intomainfrom
renovate/noble-hashes-2.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 20, 2026

This PR contains the following updates:

Package Change Age Confidence
@noble/hashes (source) ^1.7.2^2.2.0 age confidence

Release Notes

paulmillr/noble-hashes (@​noble/hashes)

v2.2.0

Compare Source

  • March 2026 self-audit (all files): no major issues found
    • Audited for spec compliance and security
    • Fix: dkLen=0 handling in pbkdf2, blake2, turboshake, kt
    • Fix: parallelHash with blockLen=0
    • Fix: argon2 progress callback now reaches 100%
    • Improve: digestInto no longer returns a value (better performance)
    • Improve: argon2, blake2 support non-4-divisible dkLen
  • Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
    • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
    • This creates incompatibility of code between versions
    • Previously, it was hard to use and constantly emitted errors similar to TS2345
    • See typescript#62240 for more context
  • sha3: speed-up by up to 50%. Contributed by @​ChALkeR in #​126
  • Fix compilation issues on TypeScript v6
  • Make package Big Endian friendly. All tests pass on s390x
  • Improve tree-shaking, reduce bundle sizes
  • Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-hashes@2.0.1...2.2.0

v2.0.1

Compare Source

  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers
    • This was planned for 2.0.0, but was accidentally left out
  • package.json: specify exported submodules to ensure typescript autocompletion
  • scrypt: Fix error message for maxmem check by @​ChALkeR in #​121
  • scrypt: 4% speed-up by @​ChALkeR in #​122

Full Changelog: paulmillr/noble-hashes@2.0.0...2.0.1

v2.0.0

Compare Source

High-level
  • The package is now ESM-only. ESM can finally be loaded from common.js on node v20.19+
    • Node v20.19 is now the minimum required version
    • Package imports now work correctly in bundler-less environments, such as browsers
    • Reduces npm package size (traffic consumed): 152KB => 136KB
    • Reduces unpacked npm size (on-disk space): 1.1MB => 669KB
  • Make bundle sizes smaller, compared to v1.x
  • .js extension must be used for all modules
    • Old: @noble/hashes/sha3
    • New: @noble/hashes/sha3.js
    • This simplifies working in browsers natively without transpilers
Changes
  • Only allow Uint8Array as hash inputs, prohibit string
    • Strict validation checks improve security
    • To replicate previous behavior, use utils.utf8ToBytes
  • Rename / remove some modules for consistency. Previously, sha384 resided in sha512, which was weird
    • sha256, sha512 => sha2.js (consistent with sha3.js)
    • blake2b, blake2s => blake2.js (consistent with blake3.js, blake1.js)
    • ripemd160, sha1, md5 => legacy.js (all low-security hashes are there)
    • _assert => utils.js
    • crypto internal module got removed: use built-in WebCrypto instead
  • Improve typescript types & option autocomplete
  • Upgrade typescript compilation env to ts5.9 and es2022
  • Massively improve error messages, make them more descriptive

Full Changelog: paulmillr/noble-hashes@1.8.0...2.0.0

v1.8.0

Compare Source

Preparation for v2

The release contains bugfixes and a few improvements which pave the way for upcoming v2.0.

  • Modules are now available with .js extension
    • Old: @noble/hashes/sha2
    • New: @noble/hashes/sha2.js
    • Old path is still available
    • This simplifies working in browsers natively without transpilers
  • Refactor core functionality, remove duplicate code
  • Decrease package size
Deprecations

In v2, some modules will be removed. For example, sha256 will become sha2. In v1.8, the old names still exist, but are marked as deprecated, to simplify upgrade path.

One of the reasons for moving those was the fact sha384 resided in sha512, sha224 in sha256 - which was confusing. New naming scheme simplifies reasoning and decreases amount of modules.

  • sha256 became sha2 (which already existed for several releases)
  • sha512 became sha2
  • _assert became utils
  • blake2b became blake2
  • blake2s became blake2
  • ripemd160 became legacy (to signify its low security level 2^80)
  • sha1 became legacy

Full Changelog: paulmillr/noble-hashes@1.7.2...1.8.0

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "before 3am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
evlog-docs Ready Ready Preview, Comment, Open in v0 Apr 20, 2026 0:38am
just-use-evlog Ready Ready Preview, Comment Apr 20, 2026 0:38am

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 20, 2026

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Update dependency @noble/hashes to v2". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - breaking
 - feat
 - fix
 - build
 - ci
 - docs
 - enhancement
 - chore
 - perf
 - style
 - test
 - refactor
 - revert

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 20, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@HugoRCD HugoRCD closed this Apr 20, 2026
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 20, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/noble-hashes-2.x branch April 20, 2026 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HugoRCD