chore(deps): upgrade to Noble 2.0, nostr-tools 2.x, vitest 4 (v0.2.0)

Replace @noble/secp256k1 with @noble/curves, migrate @noble/hashes/sha256
to sha2, enforce Uint8Array-only inputs, rename randomPrivateKey to
randomSecretKey. All 11 tests pass, 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

package.json

@@ -1,6 +1,6 @@
 {
     "name": "node-red-contrib-nostr",
-    "version": "0.1.5",
+    "version": "0.2.0",
     "description": "Node-RED nodes for seamless Nostr protocol integration. Features robust WebSocket handling, event filtering, and NPUB-based routing. Built with TypeScript for type safety and extensive testing. Perfect for Nostr automation flows.",
     "author": "vveerrgg",
     "type": "commonjs",
@@ -49,11 +49,11 @@
         }
     },
     "dependencies": {
-        "@noble/hashes": "^1.8.0",
-        "@noble/secp256k1": "^2.3.0",
+        "@noble/curves": "^2.0.1",
+        "@noble/hashes": "^2.0.1",
         "bech32": "^2.0.0",
-        "nostr-tools": "^1.17.0",
-        "nostr-websocket-utils": "^0.3.13",
+        "nostr-tools": "^2.23.3",
+        "nostr-websocket-utils": "file:../nostr-websocket-utils",
         "ws": "^8.19.0"
     },
     "devDependencies": {
@@ -63,16 +63,16 @@
         "@types/ws": "^8.18.1",
         "@typescript-eslint/eslint-plugin": "^8.56.0",
         "@typescript-eslint/parser": "^8.56.0",
-        "@vitest/coverage-v8": "^3.2.4",
-        "@vitest/ui": "^3.2.4",
+        "@vitest/coverage-v8": "^4.0.18",
+        "@vitest/ui": "^4.0.18",
         "eslint": "^10.0.1",
         "node-red": "^4.1.5",
         "node-red-node-test-helper": "^0.3.6",
         "typescript": "^5.9.3",
-        "vitest": "^3.2.4"
+        "vitest": "^4.0.18"
     },
     "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18.0.0"
     },
     "repository": {
         "type": "git",

src/core/event.ts

@@ -1,5 +1,5 @@
-import { sha256 } from '@noble/hashes/sha256';
-import { bytesToHex } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bytesToHex } from '@noble/hashes/utils.js';
 import { NostrEvent } from '../nodes/shared/types';
 import { KeyManager } from '../crypto/keys';
 

src/crypto/keys.ts

@@ -1,8 +1,7 @@
-// Types only
-import type * as secp256k1Type from '@noble/secp256k1';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
 import { bech32 } from 'bech32';
-import { bytesToHex } from '@noble/hashes/utils';
-import { sha256 } from '@noble/hashes/sha256';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+import { sha256 } from '@noble/hashes/sha2.js';
 
 // Lazily-initialized ephemeral key pair for read-only operations.
 // Generated at first use so no secret material is stored in source code.
@@ -15,27 +14,17 @@ export async function getDefaultReaderKeys(): Promise<{ privateKey: string; publ
     return _defaultReaderKeys;
 }
 
-let secp256k1: typeof secp256k1Type;
-
-async function initSecp256k1() {
-    if (!secp256k1) {
-        secp256k1 = await import('@noble/secp256k1');
-    }
-    return secp256k1;
-}
-
 /**
  * Generate a new Nostr key pair
  * @returns {Promise<Object>} Object containing private and public keys
  */
 export async function generateKeyPair() {
-    const secp = await initSecp256k1();
-    const privateKey = secp.utils.randomPrivateKey();
-    const publicKey = secp.getPublicKey(privateKey, true);
-    
+    const privateKey = secp256k1.utils.randomSecretKey();
+    const publicKey = secp256k1.getPublicKey(privateKey, true);
+
     return {
-        privateKey: Buffer.from(privateKey).toString('hex'),
-        publicKey: Buffer.from(publicKey).toString('hex')
+        privateKey: bytesToHex(privateKey),
+        publicKey: bytesToHex(publicKey)
     };
 }
 
@@ -65,47 +54,36 @@ export function npubToHex(npub: string): string {
  * @returns {Promise<string>} Public key in hex format
  */
 export async function getPublicKey(privateKeyHex: string): Promise<string> {
-    const secp = await initSecp256k1();
-    const publicKey = secp.getPublicKey(privateKeyHex, true);
-    return Buffer.from(publicKey).toString('hex');
+    const publicKey = secp256k1.getPublicKey(hexToBytes(privateKeyHex), true);
+    return bytesToHex(publicKey);
 }
 
 export class KeyManager {
-    private secp256k1Promise: Promise<typeof secp256k1Type>;
-
-    constructor() {
-        this.secp256k1Promise = initSecp256k1();
-    }
-
     async generatePrivateKey(): Promise<string> {
-        const secp = await this.secp256k1Promise;
-        const privateKey = secp.utils.randomPrivateKey();
-        return Buffer.from(privateKey).toString('hex');
+        const privateKey = secp256k1.utils.randomSecretKey();
+        return bytesToHex(privateKey);
     }
 
     async getPublicKey(privateKey: string): Promise<string> {
-        const secp = await this.secp256k1Promise;
-        const publicKey = secp.getPublicKey(privateKey, true);
-        return Buffer.from(publicKey).toString('hex');
+        const publicKey = secp256k1.getPublicKey(hexToBytes(privateKey), true);
+        return bytesToHex(publicKey);
     }
 
     async sign(
         privateKey: string,
         message: string
     ): Promise<string> {
-        const secp = await this.secp256k1Promise;
-        const messageHash = sha256(Buffer.from(message));
-        const signature = await secp.sign(messageHash, privateKey);
-        return bytesToHex(signature.toCompactRawBytes());
+        const messageHash = sha256(new TextEncoder().encode(message));
+        const signature = secp256k1.sign(messageHash, hexToBytes(privateKey));
+        return bytesToHex(signature);
     }
 
     async verify(
         publicKey: string,
         message: string,
         signature: string
     ): Promise<boolean> {
-        const secp = await this.secp256k1Promise;
-        const messageHash = sha256(Buffer.from(message));
-        return secp.verify(signature, messageHash, publicKey);
+        const messageHash = sha256(new TextEncoder().encode(message));
+        return secp256k1.verify(hexToBytes(signature), messageHash, hexToBytes(publicKey));
     }
 }

src/nips/nip04.ts

@@ -1,6 +1,6 @@
-import * as secp256k1 from '@noble/secp256k1';
-import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
-import { sha256 } from '@noble/hashes/sha256';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+import { sha256 } from '@noble/hashes/sha2.js';
 import { NostrEvent } from '../nodes/shared/types';
 import { EventBuilder } from '../core/event';
 
@@ -34,7 +34,7 @@ export class NIP04 {
             hexToBytes(publicKey)
         );
         const _sharedX = sharedPoint.slice(1, 33);
-        
+
         // TODO: Implement actual decryption using AES-256-CBC
         return "decrypted text";
     }