chore(deps): migrate to curve25519-dalek 5.0, rand 0.10, sha3 0.12 #24
Merged
Land the RustCrypto + rand stack that was previously gated on curve25519-dalek 5.0. The 5.0.0-rc.1 release moves its public API to rand_core 0.10 and digest 0.11, which unblocks the coupled bumps:

- curve25519-dalek 4.1 -> =5.0.0-rc.1 (pinned; pre-release)
- rand_core 0.6 -> 0.10 (CryptoRng now implies Rng; drop deprecated RngCore from the generic bounds)
- sha3 0.10 -> 0.12 (digest 0.11); Shake128 moved to the new `shake` crate, added as a dependency
- rand (dev) 0.8 -> 0.10; OsRng removed, tests/bench/doctest use rand::rng() (ThreadRng), and thread_rng() -> rand::rng()

MSRV already declares 1.91.1. no_std wasm builds, all tests, doctest and benches pass.

Refs #15

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Verdict: APPROVE (sign-off). Posted as a COMMENT-event review only because GitHub blocks a bot from formally approving its own PR — `dobby-coder[bot]` authored and reviewed this one. Treat this as a clean approval, not a withheld one.
Rules-Dobby-2 gatekeeper — cycle 1
Per-rule compliance check (all memory rules + repos/ibs/notes.md) and Review-Dobby-2's code review both come back clean: 0 actionable findings.
Verified:
- Migration matches `repos/ibs/notes.md` exactly: `curve25519-dalek =5.0.0-rc.1`, `rand_core 0.10`, `sha3 0.12`, new `shake 0.1` (`Shake128` moved out of `sha3` in 0.12), dev `rand 0.10`. The bound change `R: RngCore + CryptoRng` → `R: CryptoRng` is equivalent since `CryptoRng: Rng` in `rand_core 0.10`. `OsRng`/`thread_rng()` → `rand::rng()` throughout tests/bench/doctest.
- PR body's verification matrix is consistent with the diff (fmt check, `--all-features` tests + doctest, `--no-default-features` build, wasm `unknown` + `wasip1`, `bench --no-run`). `Refs #15` (not `Closes #15`) is the correct keyword here: #15 is a multi-dependency tracker and this PR lands only the RustCrypto/`rand` subset — `criterion`, `csv`, `sha2`, `rand_xorshift` bumps remain open. Tick the #15 checkboxes on merge rather than auto-closing the tracker.
One decision for a human: curve25519-dalek 5.0.0-rc.1 is a release candidate (max_stable is still 4.1.3), pinned with =. Accept the rc pin now or wait for 5.0 stable — maintainer's call. The migration is complete and green either way; flipping to ready-for-review to surface that decision.
rubenhensen
approved these changes
Jul 2, 2026
What

Lands the RustCrypto + `rand` dependency stack from #15 that was previously blocked on `curve25519-dalek` shipping a release compatible with `rand_core 0.10` / `digest 0.11`.

`curve25519-dalek 5.0.0-rc.1` moves its public API (`Scalar::random`, `Scalar::from_hash`) to `rand_core 0.10` (`CryptoRng`) and `digest 0.11`. Because those APIs flow through `gg.rs`'s `setup`/`keygen`/`sign` and the `h_helper` SHA3-512 path, the whole group must move together — which is now possible.

Changes

| Crate | From | To | Notes |
|---|---|---|---|
| `curve25519-dalek` | 4.1 | =5.0.0-rc.1 | |
| `rand_core` | 0.6 | 0.10 | `CryptoRng` now implies `Rng`; dropped the deprecated `RngCore` from generic bounds |
| `sha3` | 0.10 | 0.12 | `digest 0.11` |
| `shake` | | 0.1 | `Shake128` was moved out of `sha3` into the standalone `shake` crate in 0.12 |
| `rand` (dev) | 0.8 | 0.10 | `OsRng` removed → tests/bench/doctest use `rand::rng()` (`ThreadRng`); `thread_rng()` → `rand::rng()` |

No public API change beyond the generic bound simplification (`R: RngCore + CryptoRng` → `R: CryptoRng`, which is equivalent since `CryptoRng: Rng` in `rand_core 0.10`).

`curve25519-dalek 5.0.0-rc.1` is a release candidate, not a stable release (`max_stable` is still `4.1.3`). It is pinned with `=` to block surprise rc bumps, mirroring the existing `bincode-next =3.0.0-rc.13` pin. If the maintainer prefers to wait for `curve25519-dalek 5.0` stable, this PR can sit until then — the migration itself is complete and green.

Verification

- `cargo fmt --all -- --check` ✅
- `cargo test --release --all-features` ✅ (15 tests + 1 doctest)
- `cargo build --no-default-features` ✅
- `cargo build --target wasm32-unknown-unknown --all-features --lib` ✅
- `cargo build --target wasm32-wasip1 --all-features --lib` ✅
- `cargo bench --no-run` ✅

No warnings. MSRV already declares `1.91.1` (bumped in the earlier bincode-next PR), which satisfies the new stack.

Refs #15
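
The `=` pin policy described in the PR body can be checked mechanically. The following is an added example, not code from this PR or the project: `unpinned_prereleases` is a hypothetical helper, and both manifests are constructed samples (the `default-features` setting is an assumption) that reuse the versions quoted above.

```rust
// Constructed manifests (not the project's Cargo.toml); versions mirror the PR text.
const PINNED: &str = r#"
[dependencies]
curve25519-dalek = { version = "=5.0.0-rc.1", default-features = false }
rand_core = "0.10"
sha3 = "0.12"
shake = "0.1"
bincode-next = "=3.0.0-rc.13"

[dev-dependencies]
rand = "0.10"
"#;
const LOOSE: &str = r#"
[dependencies]
curve25519-dalek = "5.0.0-rc.1"  # caret default: also matches later rc builds and 5.x
sha3 = "0.12"
"#;

/// Hypothetical helper: names of dependencies whose requirement mentions a
/// pre-release tag but is not an exact `=` pin. Line-based heuristic; it does
/// not handle `[dependencies.name]` tables or `#` inside strings.
fn unpinned_prereleases(manifest: &str) -> Vec<String> {
    let mut in_deps = false;
    let mut flagged = Vec::new();
    for raw in manifest.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') {
            // Matches [dependencies], [dev-dependencies], [build-dependencies].
            in_deps = line.trim_end_matches(']').ends_with("dependencies");
            continue;
        }
        if !in_deps { continue; }
        let Some((name, value)) = line.split_once('=') else { continue };
        let value = value.trim();
        // Inline table: read the string after `version`; skip git/path-only deps.
        let src = if value.starts_with('{') {
            match value.find("version") { Some(i) => &value[i + 7..], None => continue }
        } else { value };
        let Some(req) = src.split('"').nth(1) else { continue };
        let req = req.trim();
        if req.contains('-') && !req.starts_with('=') {
            flagged.push(name.trim().to_string());
        }
    }
    flagged
}

fn main() {
    println!("pinned manifest: {:?}", unpinned_prereleases(PINNED));
    println!("loose manifest:  {:?}", unpinned_prereleases(LOOSE));
}
```

Run as a CI step, a non-empty result means a release-candidate crypto dependency can move without a reviewed manifest change.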