
chore(deps): migrate to curve25519-dalek 5.0, rand 0.10, sha3 0.12 #24

Merged
rubenhensen merged 1 commit into main from chore/rustcrypto-rand-dalek-bump
Jul 2, 2026

@dobby-coder dobby-coder Bot commented Jul 1, 2026

Contributor

What

Lands the RustCrypto + rand dependency stack from #15 that was previously blocked on curve25519-dalek shipping a release compatible with rand_core 0.10 / digest 0.11.

curve25519-dalek 5.0.0-rc.1 moves its public API (Scalar::random, Scalar::from_hash) to rand_core 0.10 (CryptoRng) and digest 0.11. Because those APIs flow through gg.rs's setup/keygen/sign and the h_helper SHA3-512 path, the whole group must move together — which is now possible.

Changes

| Dependency | From | To | Notes |
|---|---|---|---|
| curve25519-dalek | 4.1 | =5.0.0-rc.1 | pinned exactly (pre-release) |
| rand_core | 0.6 | 0.10 | CryptoRng now implies Rng; dropped the deprecated RngCore from generic bounds |
| sha3 | 0.10 | 0.12 | uses digest 0.11 |
| shake | | 0.1 | new dep; Shake128 was moved out of sha3 into the standalone shake crate in 0.12 |
| rand (dev) | 0.8 | 0.10 | OsRng removed → tests/bench/doctest use rand::rng() (ThreadRng); thread_rng() → rand::rng() |

No public API change beyond the generic bound simplification (R: RngCore + CryptoRng → R: CryptoRng, which is equivalent since CryptoRng: Rng in rand_core 0.10).

⚠️ Pre-release caveat

curve25519-dalek 5.0.0-rc.1 is a release candidate, not a stable release (max_stable is still 4.1.3). It is pinned with = to block surprise rc bumps, mirroring the existing bincode-next =3.0.0-rc.13 pin. If the maintainer prefers to wait for curve25519-dalek 5.0 stable, this PR can sit until then — the migration itself is complete and green.

Verification

  • cargo fmt --all -- --check
  • cargo test --release --all-features ✅ (15 tests + 1 doctest)
  • cargo build --no-default-features
  • cargo build --target wasm32-unknown-unknown --all-features --lib
  • cargo build --target wasm32-wasip1 --all-features --lib
  • cargo bench --no-run

No warnings. MSRV already declares 1.91.1 (bumped in the earlier bincode-next PR), which satisfies the new stack.

Refs #15

Land the RustCrypto + rand stack that was previously gated on
curve25519-dalek 5.0. The 5.0.0-rc.1 release moves its public API to
rand_core 0.10 and digest 0.11, which unblocks the coupled bumps:

- curve25519-dalek 4.1 -> =5.0.0-rc.1 (pinned; pre-release)
- rand_core 0.6 -> 0.10 (CryptoRng now implies Rng; drop deprecated
  RngCore from the generic bounds)
- sha3 0.10 -> 0.12 (digest 0.11); Shake128 moved to the new `shake`
  crate, added as a dependency
- rand (dev) 0.8 -> 0.10; OsRng removed, tests/bench/doctest use
  rand::rng() (ThreadRng), and thread_rng() -> rand::rng()

MSRV already declares 1.91.1. no_std wasm builds, all tests, doctest
and benches pass.

Refs #15

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot requested a review from rubenhensen July 1, 2026 13:27

@dobby-coder dobby-coder Bot left a comment

Contributor Author


Verdict: APPROVE (sign-off). Posted as a COMMENT-event review only because GitHub blocks a bot from formally approving its own PR — dobby-coder[bot] authored and reviewed this one. Treat this as a clean approval, not a withheld one.

Rules-Dobby-2 gatekeeper — cycle 1

Per-rule compliance check (all memory rules + repos/ibs/notes.md) and Review-Dobby-2's code review both come back clean: 0 actionable findings.

Verified:

  • Migration matches repos/ibs/notes.md exactly: curve25519-dalek =5.0.0-rc.1, rand_core 0.10, sha3 0.12, new shake 0.1 (Shake128 moved out of sha3 in 0.12), dev rand 0.10. The bound change R: RngCore + CryptoRng → R: CryptoRng is equivalent since CryptoRng: Rng in rand_core 0.10. OsRng / thread_rng() → rand::rng() throughout tests/bench/doctest.
  • PR body's verification matrix is consistent with the diff (fmt check, --all-features tests + doctest, --no-default-features build, wasm unknown + wasip1, bench --no-run).
  • Refs #15 (not Closes #15) is the correct keyword here: #15 is a multi-dependency tracker and this PR lands only the RustCrypto/rand subset — criterion, csv, sha2, rand_xorshift bumps remain open. Tick the #15 checkboxes on merge rather than auto-closing the tracker.

One decision for a human: curve25519-dalek 5.0.0-rc.1 is a release candidate (max_stable is still 4.1.3), pinned with =. Accept the rc pin now or wait for 5.0 stable — maintainer's call. The migration is complete and green either way; flipping to ready-for-review to surface that decision.

@dobby-coder dobby-coder Bot marked this pull request as ready for review July 1, 2026 13:36
@rubenhensen rubenhensen merged commit 0ebff0e into main Jul 2, 2026
7 checks passed
@rubenhensen rubenhensen deleted the chore/rustcrypto-rand-dalek-bump branch July 2, 2026 09:32
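
What the `=` in the rc pin discussed above changes, as an added example (not code from this PR, the repository, or Cargo): a reduced model of Cargo's version-requirement matching, comparing the default caret form with the exact pin. It assumes full `major.minor.patch[-pre]` versions with major > 0 and no build metadata; candidate versions other than 5.0.0-rc.1 and 4.1.3 are constructed.

```rust
use std::cmp::Ordering;

#[derive(PartialEq)]
struct Version { core: (u64, u64, u64), pre: Vec<String> }

fn parse(s: &str) -> Version {
    let (core, pre): (&str, Vec<String>) = match s.split_once('-') {
        Some((c, p)) => (c, p.split('.').map(String::from).collect()),
        None => (s, Vec::new()),
    };
    let n: Vec<u64> = core.split('.').map(|x| x.parse().expect("numeric core")).collect();
    Version { core: (n[0], n[1], n[2]), pre }
}

// SemVer pre-release precedence: no tag outranks any tag; numeric ids sort below alphanumeric.
fn cmp_pre(a: &[String], b: &[String]) -> Ordering {
    if a.is_empty() || b.is_empty() {
        return a.is_empty().cmp(&b.is_empty());
    }
    for (x, y) in a.iter().zip(b) {
        let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
            (Ok(m), Ok(n)) => m.cmp(&n),
            (Ok(_), Err(_)) => Ordering::Less,
            (Err(_), Ok(_)) => Ordering::Greater,
            (Err(_), Err(_)) => x.cmp(y),
        };
        if ord != Ordering::Equal { return ord; }
    }
    a.len().cmp(&b.len())
}

// Reduced model (an assumption of this example): only `=X.Y.Z[-pre]` and the default caret form.
fn satisfies(req: &str, candidate: &str) -> bool {
    let v = parse(candidate);
    if let Some(exact) = req.strip_prefix('=') { return v == parse(exact); }
    let r = parse(req.trim_start_matches('^'));
    if v.core != r.core {
        // A different x.y.z is accepted only as a newer release within the same major, never as a pre-release.
        return v.core.0 == r.core.0 && v.core > r.core && v.pre.is_empty();
    }
    cmp_pre(&v.pre, &r.pre) != Ordering::Less
}

fn main() {
    // 5.0.0-rc.2, 5.0.0 and 5.1.0 are constructed candidates, not known releases.
    for c in ["5.0.0-rc.1", "5.0.0-rc.2", "5.0.0", "5.1.0", "4.1.3"] {
        println!("{c}: default={} pinned={}", satisfies("5.0.0-rc.1", c), satisfies("=5.0.0-rc.1", c));
    }
}
```

Without the `=`, a later rc or a 5.x release would satisfy the requirement on the next resolve; with it, only the reviewed 5.0.0-rc.1 does.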