Bump @noble/post-quantum from 0.4.1 to 0.5.2

[dependabot]

Bumps @noble/post-quantum from 0.4.1 to 0.5.2.

Release notes

Sourced from @​noble/post-quantum's releases.

0.5.2

• Disable extension-less imports. If you've used /ml-dsa, switch to /ml-dsa.js now. See 0.5.0 for more details.
• package.json: specify exported submodules to ensure typescript autocompletion

GitHub Immutable Releases

This GH release does not standalone noble-post-quantum.js, until we fix bugs related to newly added GitHub Immutable Releases

Full Changelog: paulmillr/noble-post-quantum@0.5.1...0.5.2

0.5.1

• Use stable noble-hashes and noble-curves v2

Full Changelog: paulmillr/noble-post-quantum@0.5.0...0.5.1

0.5.0

New features

• Add hybrid PQ algorithms: XWing, KitchenSinkMLKEM768X25519, QSFMLKEM768P256, QSFMLKEM1024P384
• Add context to ML-DSA & SLH-DSA
• Add getPublicKey to ML-KEM & ML-DSA

Changes

• The package is now ESM-only. ESM can finally be loaded from common.js on node v20.19+
  • Node v20.19 is now the minimum required version
  • Reduces unpacked npm size (on-disk space): 423KB => 312KB
• .js extension must be used for all modules
  • Old: @noble/post-quantum/slh-dsa
  • New: @noble/post-quantum/slh-dsa.js
  • This simplifies working in browsers natively without transpilers
• Changed argument order in all methods to be consistent with noble-curves
  • sign(secretKey, msg, rnd) => sign(msg, secretKey, opts)
  • verify(publicKey, msg, sig, ctx) => verify(sig, msg, publicKey, opts)
• Use noble-hashes v2 with smaller package size and improved security
• New prehash API
• Upgrade typescript compilation env to ts5.9 and es2022

Full Changelog: paulmillr/noble-post-quantum@0.4.1...0.5.0

Commits

• a095660 Release 0.5.2.
• d362f41 pkg.json: add back export maps for text editor autocompletion
• 9380901 Release 0.5.1.
• 3c9a8be Bump jsbt
• 381ab3e Fix bench
• 9f5415d Make validation errors more descriptive
• 0113a8c readme
• 028ddc0 Release 0.5.0.
• 4e86935 Improve error
• d309663 mldsa, slhdsa: Move ctx and randomness to opts.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
js-post-quantum	Ignored			Dec 2, 2025 2:23am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​noble/​post-quantum@​0.5.2

View full report