Skip to content

chore: update toruslabs/metadata-helper package#387

Merged
chaitanyapotti merged 6 commits intomasterfrom
feat/metadata-helpers-upgrade
Mar 5, 2026
Merged

chore: update toruslabs/metadata-helper package#387
chaitanyapotti merged 6 commits intomasterfrom
feat/metadata-helpers-upgrade

Conversation

@lwin-kyaw
Copy link
Contributor

@lwin-kyaw lwin-kyaw commented Mar 4, 2026
edited by cursor bot
Loading

Motivation and Context

Jira Link:

Description

Upgrade @toruslabs/metadata-helpers and consolidate crypto dependencies

Summary

Upgrades @toruslabs/metadata-helpers to v8.2.0 and leverages its newly re-exported utilities to remove direct dependencies on @noble/curves and @toruslabs/tweetnacl-js, reducing the dependency surface area.

Dependency Changes

Package Before After
@toruslabs/metadata-helpers ^8.1.0 ^8.2.0
@toruslabs/customauth ^22.1.0 ^22.2.0
@toruslabs/secure-pub-sub ^4.1.0 ^4.2.0
@toruslabs/session-manager ^5.3.0 ^5.4.0
@noble/curves ^2.0.1 removed
@toruslabs/tweetnacl-js ^1.0.4 removed

Changes

  • src/core/auth.ts — Use add0x from @toruslabs/metadata-helpers to ensure session IDs are 0x-prefixed before passing to the session manager.
  • src/core/utils.ts — Replace custom safeatob wrapper with decodeBase64Url imported directly from @toruslabs/metadata-helpers.
  • src/ed25519/utils.ts — Replace low-level tweetnacl internals with getEd25519().getPublicKey() and hexToBytes from @toruslabs/metadata-helpers, significantly simplifying the getED25519Key implementation.
  • src/subkey/keyDerivation.ts — Import bytesToNumberBE, mod, and secp256k1 from @toruslabs/metadata-helpers instead of separate @noble/curves entry points.
  • src/subkey/mimcsponge.ts — Replace keccak256 (which returned a hex string) with keccak256Bytes (which returns Uint8Array) from @toruslabs/metadata-helpers.
  • src/utils/utils.ts — Remove now-unused safebtoa / safeatob wrapper functions; callers use encodeBase64Url / decodeBase64Url directly.
  • test/ed25519.test.ts — Rewrite ED25519 tests to validate key structure (64-byte sk, 32-byte pk), Uint8Array input support, and deterministic derivation without depending on @toruslabs/tweetnacl-js.

Motivation

@toruslabs/metadata-helpers v8.2.0 now re-exports common crypto primitives (getEd25519, hexToBytes, bytesToNumberBE, mod, secp256k1, keccak256Bytes, etc.) that were previously pulled in as separate direct dependencies. By consolidating imports through a single package:

  • Fewer direct dependencies@noble/curves and @toruslabs/tweetnacl-js are no longer needed in this package.
  • Simpler import graph — Crypto utilities come from one place, making upgrades and audits easier.
  • Smaller lock file — Net reduction of ~335 lines in package-lock.json.

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My code requires a db migration.

Note

Medium Risk
Touches auth session token handling and cryptographic key/hash derivation paths; while behavior is intended to be equivalent (and ED25519 is covered by vectors), dependency upgrades and 0x-prefix normalization could affect runtime interoperability.

Overview
Upgrades TorusLabs packages (including @toruslabs/metadata-helpers 8.2.0) and updates lockfiles/examples accordingly, removing direct @noble/curves usage and shifting @toruslabs/tweetnacl-js to dev-only (tests).

Updates auth/session handling to always 0x-prefix session_id/loginId via add0x, replaces base64 URL decoding with decodeBase64Url, and refactors crypto utilities (ED25519 key derivation, subkey derivation, MiMC sponge keccak helpers) to use @toruslabs/metadata-helpers re-exports.

Adds .github/CODEOWNERS and excludes it from Prettier formatting.

Written by Cursor Bugbot for commit 57c9f5f. This will update automatically on new commits. Configure here.

cursor[bot]
cursor bot reviewed Mar 5, 2026
View reviewed changes
@lwin-kyaw lwin-kyaw requested a review from arch1995 March 5, 2026 11:35
cursor[bot]
cursor bot reviewed Mar 5, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

@chaitanyapotti chaitanyapotti merged commit 9e66706 into master Mar 5, 2026
5 checks passed
@chaitanyapotti chaitanyapotti deleted the feat/metadata-helpers-upgrade branch March 5, 2026 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@chaitanyapotti chaitanyapotti chaitanyapotti approved these changes

@arch1995 arch1995 arch1995 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lwin-kyaw @chaitanyapotti @arch1995