chore(deps): update module filippo.io/edwards25519 to v1.1.1 [security]#550

Merged: NumaryBot merged 1 commit into main from renovate/go-filippo.io-edwards25519-vulnerability on Feb 23, 2026
Conversation

@NumaryBot NumaryBot commented Feb 20, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| filippo.io/edwards25519 | indirect | patch | v1.1.0 -> v1.1.1 |

GitHub Vulnerability Alerts

CVE-2026-26958

(*Point).MultiScalarMult failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck.


Invalid result or undefined behavior in filippo.io/edwards25519

CVE-2026-26958 / GHSA-fw7p-63qq-7hpr / GO-2026-4503

More information

Details

Previously, if MultiScalarMult was invoked on an initialized point that was not the identity point, MultiScalarMult produced an incorrect result. If called on an uninitialized point, MultiScalarMult exhibited undefined behavior.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

CVE-2026-26958 / GHSA-fw7p-63qq-7hpr / GO-2026-4503

More information

Details

(*Point).MultiScalarMult failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

FiloSottile/edwards25519 (filippo.io/edwards25519)

v1.1.1


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
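
The receiver-initialization failure described in the advisory, modeled as an added example (not code from filippo.io/edwards25519 or from this repository). It uses a toy additive group mod a small prime with elements stored as fractions X/Z; `Elem`, `multiBuggy`, `multiFixed` and `check` are hypothetical names, and the fraction representation is an assumption chosen so that the zero value behaves like an uninitialized point.

```go
package main

import "fmt"

const p = 65537 // small prime modulus for the toy group (constructed)

// Elem models a group element as the fraction X/Z mod p. The zero value
// (0, 0) is not a valid element, like an uninitialized point.
type Elem struct{ X, Z uint64 }

func Identity() Elem { return Elem{0, 1} }

// Equal compares by cross-multiplication, so Z is never inverted.
func (a Elem) Equal(b Elem) bool { return a.X*b.Z%p == b.X*a.Z%p }

func (v *Elem) Add(a, b Elem) *Elem {
	*v = Elem{(a.X*b.Z + b.X*a.Z) % p, a.Z * b.Z % p}
	return v
}

func (v *Elem) ScalarMult(k uint64, a Elem) *Elem {
	*v = Elem{k % p * a.X % p, a.Z}
	return v
}

// multiBuggy accumulates into the receiver without resetting it first.
func (v *Elem) multiBuggy(ks []uint64, es []Elem) *Elem {
	for i := range ks {
		var t Elem
		v.Add(*v, *t.ScalarMult(ks[i], es[i]))
	}
	return v
}

// multiFixed sets the receiver to the identity before accumulating.
func (v *Elem) multiFixed(ks []uint64, es []Elem) *Elem {
	*v = Identity()
	return v.multiBuggy(ks, es)
}

// check runs multi on an identity, a non-identity and a zero-value receiver.
// A result passes if it equals 3*2 + 4*5 = 26 and differs from 7.
func check(multi func(*Elem, []uint64, []Elem) *Elem) (ident, nonIdent, zero bool) {
	ks, es := []uint64{3, 4}, []Elem{{2, 1}, {5, 1}}
	ok := func(r Elem) bool { return r.Equal(Elem{26, 1}) && !r.Equal(Elem{7, 1}) }
	a, b, c := Identity(), Elem{9, 1}, Elem{}
	return ok(*multi(&a, ks, es)), ok(*multi(&b, ks, es)), ok(*multi(&c, ks, es))
}

func main() { fmt.Println(check((*Elem).multiBuggy)); fmt.Println(check((*Elem).multiFixed)) }
```

The same three-receiver check (identity, non-identity, zero value) works as a regression test for any API that accumulates into its receiver.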

@NumaryBot NumaryBot requested a review from a team as a code owner February 20, 2026 02:58
@NumaryBot NumaryBot enabled auto-merge February 20, 2026 02:58
coderabbitai Bot commented Feb 20, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • go.mod is excluded by !**/*.mod
  • go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

codecov Bot commented Feb 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.80%. Comparing base (026c610) to head (ee689ab).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #550      +/-   ##
==========================================
+ Coverage   28.75%   28.80%   +0.04%     
==========================================
  Files         175      175              
  Lines        7062     7062              
==========================================
+ Hits         2031     2034       +3     
+ Misses       4913     4911       -2     
+ Partials      118      117       -1     

@NumaryBot NumaryBot force-pushed the renovate/go-filippo.io-edwards25519-vulnerability branch from 8fb0c47 to ee689ab Compare February 21, 2026 02:54
@NumaryBot NumaryBot added this pull request to the merge queue Feb 23, 2026
Merged via the queue into main with commit 2d13d95 Feb 23, 2026
9 checks passed
@NumaryBot NumaryBot deleted the renovate/go-filippo.io-edwards25519-vulnerability branch February 23, 2026 08:25