chore: update deps

[hieu-w]

Motivation and Context

Jira Link

https://consensyssoftware.atlassian.net/browse/W3APD-5248

Description

Stack upgrade:

• Remove umd build & webpack
• Upgrade all deps to latest
• Drop node 20 support. All repos .nvmrc min as node 22
• keep node 24 as active and all lock files to point to node 24
• eliptics replaced by @noble/curves
• Remove buffer

Summary

• Replaced legacy crypto libraries (elliptic, bn.js, Buffer) with modern alternatives (@noble/curves, native bigint, Uint8Array) across the entire codebase for improved security, bundle size, and ESM compatibility.
• Updated all dependencies to latest major versions including @toruslabs/constants v16, @toruslabs/eccrypto v7, @toruslabs/http-helpers v9, vitest v4, typescript v5.9, and more.
• Added source and authorizationServerUrl as new optional parameters to TorusCtorOptions.

Change Patterns

Crypto Library Migration

• new EC("secp256k1") / new EC("ed25519") → secp256k1 / ed25519 from @noble/curves
• ecCurve.keyFromPrivate(sk).getPublic() → ecCurve.Point.BASE.multiply(sk).toAffine()
• ecCurve.keyFromPublic({x, y}) → ecCurve.Point.fromAffine({x, y})
• ecCurve.genKeyPair().getPrivate() → ecCurve.utils.randomSecretKey()
• ecCurve.n → ecCurve.Point.CURVE().n
• ecCurve.sign(msg, key) → secp256k1.sign(msg, key, { prehash: false })

Data Type Replacements

• BN → bigint (all arithmetic uses native operators + mod()/invert() from @noble/curves/abstract/modular)
• new BN(x, "hex") → toBigIntBE(x)
• bn.toString("hex", 64) → bigintToHex(bn)
• bn.add/sub/mul/umod → + / - / * / mod()
• bn.invm(n) → invert(bn, n)
• bn.cmp(other) → native comparison operators (===, <, >)

Buffer → Uint8Array

• Buffer.from(hex, "hex") → hexToBytes(hex)
• buffer.toString("hex") → bytesToHex(bytes)
• Buffer.from(str, "utf8") → utf8ToBytes(str) (via TextEncoder)
• buffer.toString("base64") → bytesToBase64(bytes) (via btoa)
• Buffer.from(b64, "base64") → base64ToBytes(b64) (via atob)
• Buffer.concat([...]) → concatBytes(...)
• Buffer.from(keccakHash(...)) → bytesToHex(keccakHash(...))

Type Definitions

• EC type → Curve (typeof secp256k1 | typeof ed25519)
• BNString → BigIntString (string | bigint)
• curve.base.BasePoint → Point2D ({ x: bigint; y: bigint })

Edge Case Handling

• Guard against 0n scalar in Point.multiply() (noble-curves rejects zero scalar)
• Signature recovery byte appended after compact signature (not prepended)
• secp256k1.sign() called with { prehash: false } to avoid double-hashing

Breaking Changes

• BN → bigint in all public APIs (Point, Share, Polynomial, utility functions)
• Buffer → Uint8Array in all public APIs
• EC → Curve type for curve parameters
• Node.js >=22 required (previously >=18)
• elliptic and bn.js removed from dependencies

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

Low Risk
Only repo configuration/documentation changes (code ownership, tooling ignores, and Node version baseline) with no runtime/library logic changes.

Overview
Adds a .github/CODEOWNERS file to enforce review ownership, with admin fallback ownership and separate owners for src/ and test/.

Updates .nvmrc to require Node >=24.x and adjusts eslint.config.mjs to ignore dist/** and babel.config.js, plus disables import/no-extraneous-dependencies under test/** (and removes the README’s UMD build mention).

^{Written by Cursor Bugbot for commit b114b3d. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​toruslabs/​config@​3.1.0 ⏵ 4.0.0	-1		+2	+7
	@​toruslabs/​constants@​15.0.0 ⏵ 16.0.0				+6
	@​toruslabs/​eslint-config-typescript@​4.1.0 ⏵ 5.0.0	-1		+2	-2
	@​vitest/​coverage-istanbul@​3.0.8 ⏵ 4.0.18	+1		+5
	@​types/​jsonwebtoken@​9.0.9 ⏵ 9.0.10
	@​toruslabs/​torus-scripts@​7.1.2 ⏵ 8.0.0	+2		+1	-3
	@​babel/​register@​7.25.9 ⏵ 7.28.6	+1		+1
	vitest@​3.0.8 ⏵ 4.0.18	+1			-1
	@​babel/​runtime@​7.26.9 ⏵ 7.28.6	+1	+2
	json-stable-stringify@​1.2.1 ⏵ 1.3.0	+1
	tsx@​4.19.3 ⏵ 4.21.0			+1
	cross-env@​7.0.3 ⏵ 10.1.0
	rimraf@​6.0.1 ⏵ 6.1.2	+1
	ethereum-cryptography@​3.1.0 ⏵ 3.2.0
	jsonwebtoken@​9.0.2 ⏵ 9.0.3	+1
	@​noble/​curves@​1.8.1 ⏵ 2.0.1
	@​toruslabs/​http-helpers@​8.1.1 ⏵ 9.0.0				+2
	lint-staged@​15.4.3 ⏵ 16.2.7	+1		+1	+1
	@​faker-js/​faker@​9.6.0 ⏵ 10.3.0	+5		+12	+3
	typescript@​5.8.2 ⏵ 5.9.3	+1		+1
	prettier@​3.5.3 ⏵ 3.8.1	-7		+1
	@​toruslabs/​fetch-node-details@​15.0.0 ⏵ 16.0.0	+1			+6
	@​toruslabs/​eccrypto@​6.0.2 ⏵ 7.0.0				+7
	dotenv@​16.4.7 ⏵ 17.2.4			+1
	eslint@​9.22.0 ⏵ 9.39.2	+5

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/register@7.28.6 → npm/@vitest/coverage-istanbul@4.0.18 → npm/@toruslabs/torus-scripts@8.0.0 → npm/@babel/core@7.29.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @napi-rs/wasm-runtime is 100.0% likely to have a medium risk anomaly Notes: The fragment appears to implement a substantial WASI/N-API bridge with comprehensive memory and filesystem interfacing. There is no concrete evidence of malicious payloads such as data exfiltration, backdoors, or remote command execution in this snippet. The primary concerns relate to the unusual in-browser input path (readStdin) and the large surface area for data flows across threads and FFI boundaries. A targeted, broader audit of the complete module and any wasm payloads loaded through these bindings is recommended to ensure rights enforcement and memory safety. Overall risk is moderate but current evidence does not indicate active malware. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/eslint-config-typescript@5.0.0 → npm/@napi-rs/wasm-runtime@0.2.12 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@napi-rs/wasm-runtime@0.2.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/ pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/eslint@9.39.2 → npm/acorn@8.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/acorn@8.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm consola is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/torus-scripts@8.0.0 → npm/consola@3.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/consola@3.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm es-module-lexer is 100.0% likely to have a medium risk anomaly Notes: This es-module-lexer component appears legitimate in its intended role but contains a significant risk surface: (a) an eval-based sink that can execute code derived from untrusted module input, and (b) an embedded wasm blob loaded at runtime that could be manipulated via supply chain compromise. The combination means using this parser with untrusted code or in an unsafe host environment could enable arbitrary code execution or behavior modification. The code shows no obvious exfiltration or persistence mechanisms, but the eval path is unacceptable in many security models and requires strict sandboxing or replacement with safer parsing patterns. Recommend using only trusted inputs, hardening the eval path (remove or heavily restrict), and validating the wasm blob integrity via checksums/signatures in the build/publish process. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vitest@4.0.18 → npm/es-module-lexer@1.7.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-module-lexer@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: On its face this package.json looks like the legitimate esbuild package layout: it runs a local install.js during postinstall and defines many optional platform-specific packages. The main risk is that the uninspected install.js may perform arbitrary, privileged actions (download remote binaries, execute code, add hooks, exfiltrate data, etc.). You should audit the contents of install.js (and any code it downloads or executes) before trusting installation in sensitive environments. The package.json itself does not contain obvious malicious indicators (no http:// deps, no non-registry dependency URLs, no overrides), but the postinstall hook makes it potentially risky. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vitest@4.0.18 → npm/tsx@4.21.0 → npm/esbuild@0.27.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm get-intrinsic is 100.0% likely to have a medium risk anomaly Notes: The GetIntrinsic module is a conventional intrinsic resolver designed for sandboxed JavaScript environments. It includes careful validation, alias handling, and selective dynamic evaluation for specific intrinsics. While there is a real potential risk from Function-based evaluation if exposed to untrusted input, in this isolated code path there is no evidence of data leakage, backdoors, or external communications. The component is acceptable with proper sandbox boundaries; the most important mitigations are ensuring inputs are trusted and that dynamic evaluation cannot be triggered by untrusted sources. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/eslint-config-typescript@5.0.0 → npm/json-stable-stringify@1.3.0 → npm/get-intrinsic@1.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-intrinsic@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/eslint-config-typescript@5.0.0 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm jiti is 100.0% likely to have a medium risk anomaly Notes: The fragment implements a sophisticated on-the-fly loader using JITI for transpilation and execution, with careful handling of JSON interop based on nearby package.json type. There is no explicit malicious behavior identified (no external network activity, no hardcoded secrets). However, the dynamic code execution path introduced by _wrapSource and the synthetic module environment represents a potential risk vector if untrusted inputs are loaded, or if jiti/mjs execution context could be manipulated. This warrants strict review of the loader environment, the version and security of JITI, and checks on the sources being loaded to mitigate potential code execution or supply chain concerns. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/eslint@9.39.2 → npm/vitest@4.0.18 → npm/@toruslabs/torus-scripts@8.0.0 → npm/jiti@2.6.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@2.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm open is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate cross-platform URL/application launcher with broad compatibility. There is no clear malicious behavior, but the use of external process invocations and encoded PowerShell commands warrants careful input validation and least-privilege deployment in sensitive environments. Emphasize input sanitization (target URLs, app names/arguments) and ensure secure handling of platform-specific commands to minimize potential abuse. Overall security risk remains moderate due to command execution surfaces, but no malicious activity identified in this fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/torus-scripts@8.0.0 → npm/open@10.2.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/open@10.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: The module installs hidden signal handlers for SIGINT and SIGTERM, hides them from other code by monkey-patching process.listenerCount and process.listeners, forwards signals to an external client callback, and may force exit. That stealthy interception of process signals is suspicious from a supply-chain/security perspective because it can be used to intercept or suppress normal shutdown behavior and to forward events to another module which may perform network I/O or exfiltration. There is no direct evidence in this file of data exfiltration, reverse shell, or explicit malicious payload, but the hiding behavior and delegation to an external client warrant caution and further inspection of the imported client and cjs modules. Recommend auditing the client callback and cjs/index.cjs for network operations or data-leaking behavior before trusting this package. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: This fragment appears to be a bundler-generated bootstrap/initialization piece that imports many modules and executes an initialization function (r). No explicit malicious activity is evident within this fragment itself, but the risk stems from side effects of the imported modules on load. A careful review of the implementations of the imported modules (especially those exporting r and those performing initialization, build-time, or network/file operations) is recommended to rule out hidden telemetry, backdoors, or undesired side effects. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: This module installs signal handlers and actively hides them from inspection by monkeypatching listener inspection APIs. In the main thread it can forward SIGINT/SIGTERM events to a remote client (via client.connectingToServer) and may exit the process after forwarding. The concealment is a noteworthy red flag: it makes detection and auditing harder and may be used to implement covert telemetry or control. The file alone is not conclusively malicious, but the combination of hiding handlers and forwarding signals to an external component warrants careful review of the client module (client-D6NvIMSC.cjs) and any network destinations it uses before trusting this package in sensitive environments. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: No clear indicators of classic malware (no reverse shell, no network connections, no child_process usage, no hard-coded credentials). The primary risk is information leakage: the loader posts module load events and dependency paths to external consumers via p.port and O.send. In contexts where those channels are controlled by an untrusted or remote party, this could leak local file paths or project structure. The module otherwise performs expected loader duties (file reads, tsconfig handling, transforming CJS to ESM, returning data: URLs). Review runtime consumers of O and any provided p.port to ensure they are trusted before using this loader in a sensitive environment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly Notes: The script performs an in-place, lossy re-encoding of a local file from UTF-8 to Latin-1 and rewrites it without backups or validation. This is unsafe due to potential data loss and code corruption, and could be exploited to tamper with source files in a supply chain. It does not exhibit active malware behavior, but its destructive nature warrants removal or strict safeguards (backups, explicit intent, error handling). Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/torus-scripts@8.0.0 → npm/undici@6.23.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm yaml is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard YAML stringify module with robust tag resolution, anchor handling, and formatting controls. It correctly delegates to appropriate stringify logic and handles edge cases like circular aliases and unresolved tags with explicit errors. Overall security posture is conservative and typical for a serialization library; no malicious activity detected. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vitest@4.0.18 → npm/lint-staged@16.2.7 → npm/yaml@2.8.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yaml@2.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• @emnapi/core@1.8.1
• @inquirer/external-editor@1.0.3
• @isaacs/brace-expansion@5.0.0
• @tybys/wasm-util@0.10.1
• @unrs/resolver-binding-wasm32-wasi@1.11.1
• giget@2.0.0
• napi-postinstall@0.3.4
• node-fetch-native@1.6.7
• pkg-types@2.3.0
• undici-types@7.16.0
• unrs-resolver@1.11.1
• @noble/curves@2.0.1
• jwa@2.0.1
• prettier@3.8.1

View full report

[hieu-w]

@cursor review

[cursor]

Skipping Bugbot: Bugbot is disabled for this repository

[hieu-w]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[hieu-w]

@SocketSecurity ignore npm/@isaacs/brace-expansion@5.0.0
@SocketSecurity ignore npm/@emnapi/core@1.8.1
@SocketSecurity ignore npm/@inquirer/external-editor@1.0.3
@SocketSecurity ignore npm/@noble/curves@2.0.1
@SocketSecurity ignore npm/@tybys/wasm-util@0.10.1
@SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1
@SocketSecurity ignore npm/giget@2.0.0
@SocketSecurity ignore npm/napi-postinstall@0.3.4
@SocketSecurity ignore npm/node-fetch-native@1.6.7
@SocketSecurity ignore npm/pkg-types@2.3.0
@SocketSecurity ignore npm/prettier@3.8.1
@SocketSecurity ignore npm/undici-types@7.16.0
@SocketSecurity ignore npm/unrs-resolver@1.11.1
@SocketSecurity ignore npm/jwa@2.0.1

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[matthiasgeihs]

@cursor can you do a review? please don't push any commits

[cursor]

Based on the PR comments and code review, here are my findings:

Code Review Summary

1. CODEOWNERS File Location ✅ RESOLVED

The CODEOWNERS file is correctly placed at .github/CODEOWNERS. The comment referencing "wrong folder" appears to be outdated or mistaken - the file is in the correct location and will function properly.

2. Code Splitting Improvements (common.ts lines 63, 76)

  if (keyType === KEY_TYPE.SECP256K1) {
    return secp256k1.utils.randomSecretKey();
  } else if (keyType === KEY_TYPE.ED25519) {
    return ed25519.utils.randomSecretKey();
  }
  throw new Error(`Invalid keyType: ${keyType}`);

Issue: Direct imports of secp256k1 and ed25519 at module level prevent effective tree-shaking. For better code splitting, generatePrivateKey and getKeyCurve should accept the curve as a parameter rather than determining it internally.

Recommendation: Consider refactoring to pass the curve instance as a parameter where possible, allowing consumers to import only the curves they need.

3. Potential API Duplication (common.ts line 163)

export function encParamsBufToHex(encParams: Ecies): EciesHex {
  return {
    iv: bytesToHex(encParams.iv),
    ephemPublicKey: bytesToHex(encParams.ephemPublicKey),
    ciphertext: bytesToHex(encParams.ciphertext),
    mac: bytesToHex(encParams.mac),
    mode: "AES256",
  };
}

export function encParamsHexToBuf(eciesData: Omit<EciesHex, "ciphertext">): Omit<Ecies, "ciphertext"> {
  return {
    ephemPublicKey: hexToBytes(eciesData.ephemPublicKey),
    iv: hexToBytes(eciesData.iv),
    mac: hexToBytes(eciesData.mac),
  };
}

Question: These conversion utilities may already exist in @toruslabs/eccrypto v7. If they do, consider importing them instead to reduce duplication and maintenance burden.

4. API Abstraction (keyUtils.ts line 180)

export function derivePubKey(ecCurve: Curve, sk: bigint): Point2D {
  return ecCurve.Point.BASE.multiply(sk).toAffine();
}

Good Practice: While this is correct, the manual Point.BASE.multiply(sk).toAffine() pattern appears multiple times. The wrapper function derivePubKey should be used consistently throughout the codebase instead of the raw noble-curves API. This improves:

• Maintainability (single place to update if noble-curves API changes)
• Readability (clearer intent)
• Zero scalar handling (can add guards in one place)

5. Type Strictness - BigIntString Usage

Multiple reviewers suggested tightening type constraints:

Share.ts constructor:

  constructor(shareIndex: BigIntString, share: BigIntString) {
    this.share = toBigIntBE(share);
    this.shareIndex = toBigIntBE(shareIndex);
  }

Polynomial.ts generateShares:

  generateShares(shareIndexes: BigIntString[]): ShareMap {
    const newShareIndexes = shareIndexes.map((index) => {
      if (typeof index === "number") {
        return BigInt(index);
      }
      if (typeof index === "bigint") {
        return index;
      }
      if (typeof index === "string") {
        return toBigIntBE(index);
      }
      return index;
    });

Recommendation: Consider this refactoring approach:

1. Change public APIs to accept only bigint for better type safety
2. Create a separate conversion helper toBigInt(value: string | bigint): bigint
3. Handle BigIntString conversion only at serialization boundaries (fromJSON methods)
4. Remove the BigIntString type from internal constructors

Benefits:

• Stricter compile-time guarantees
• Less runtime type checking overhead
• Clearer API contracts
• Conversion complexity isolated to deserialization layer

6. Type Casting Concerns (nodeUtils.ts line 747)

      sessionTokensResolved.forEach((x, index) => {
        if (!x || !sessionSigsResolved[index]) sessionTokenData.push(undefined);
        else
          sessionTokenData.push({
            token: bytesToBase64(x as Uint8Array),
            signature: bytesToHex(sessionSigsResolved[index] as Uint8Array),
            node_pubx: (completedRequests[index] as JRPCResponse<ShareRequestResult>).result.node_pubx,
            node_puby: (completedRequests[index] as JRPCResponse<ShareRequestResult>).result.node_puby,
          });
      });

Issue: The as Uint8Array casts bypass TypeScript's type checking. Looking at the code, these values come from promise resolutions that can be undefined (lines 685, 700), making the array type (Uint8Array | undefined)[].

Recommendation: Since there's already a null check (if (!x || !sessionSigsResolved[index])), the types should naturally narrow. If TypeScript isn't narrowing correctly, the issue is likely with allPromises typing. Consider:

token: bytesToBase64(x), // Remove 'as'
signature: bytesToHex(sessionSigsResolved[index]), // Remove 'as'

If type errors occur, fix the promise array typing rather than casting away the problem.

---

Overall Assessment

The migration from elliptic/bn.js/Buffer to @noble/curves/bigint/Uint8Array is well-executed. The main concerns are:

1. Type safety: Tighten BigIntString usage at API boundaries
2. Code splitting: Refactor to support better tree-shaking
3. Type casts: Remove unsafe casts and fix root type issues
4. API consistency: Use helper functions consistently instead of raw noble-curves calls

These are refinements rather than blockers. The changes are architecturally sound and achieve the stated modernization goals.

 

[ieow]

Buffer.from still being used in torus.ts

[chaitanyapotti]

rename all places Buffer is used with bytes

[chaitanyapotti]

Most of the places don't need keccak256 in hex. It's causing double conversions where you convert hash to hex and hex back to bytes/bigint

[chaitanyapotti]

@cursor address all comments and create a new branch and push fixes there

[cursor]

❌ Unable to add follow-up after multiple attempts. The agent may be experiencing issues.

Please try again later or Open in Web to view the status.

---

 

_{Learn more about Cursor Agents}

[matthiasgeihs]

still don't get why we do this? Why don't we simply reference the object as a constant? (without calling a function)

[matthiasgeihs]

could be renamed to AffinePoint, which is the technical term in the context of elliptic curves.

[matthiasgeihs]

could have a dedicated function for this.