What's important in this (allegedly security) update is the commit 441b742:
ec: validate that a point before deriving keys
This update checks to make sure that the public key passed in to
ECDH is a point that actually exists on the curve. This is
important to prevent a twist attack that can be used to reveal
the private key of a party in an ECDH operation over a number of
occurrences.
For more details on the attack see this blog post:
https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE: CVE-2020-28498
So to actually understand why @dependabot is frantically updating all my repos with this patch-level update I have to go through all commits and realise that this aptly worded "ec: validate that a point before deriving keys" is actually something meaningful.
It's really sad that cryptography- and security-related packages are done in this way - no release notes, no severity assessment, NOTHING.
It doesn't help much to see comments like this in the security code either:
But most of all, please adopt modern publishing practices that are suitable for a security-related package.
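The check the quoted commit message describes, shown as an added example that is not part of the original comment and is not the elliptic library's code: a peer's public key is rejected unless it satisfies the curve equation, before any ECDH step touches the private key. It assumes secp256k1 (the curve discussed in the linked blog post) and uncompressed SEC1 encoding; the function names are hypothetical and the sample keys are constructed.

```javascript
// Added example, not code from the elliptic library.
// secp256k1: y^2 = x^3 + 7 over the prime field of order P (cofactor 1).
const P = 2n ** 256n - 2n ** 32n - 977n;
const B = 7n;

// Parse the SEC1 uncompressed form: 0x04 || X (32 bytes) || Y (32 bytes).
// Returns null for any other length, prefix or character set.
function parseUncompressed(hex) {
  if (typeof hex !== 'string' || !/^04[0-9a-fA-F]{128}$/.test(hex)) return null;
  return {
    x: BigInt('0x' + hex.slice(2, 66)),
    y: BigInt('0x' + hex.slice(66)),
  };
}

// True only if both coordinates are reduced field elements and the pair
// satisfies the curve equation. A point that fails this lies on some
// other curve (for example a twist), where the ECDH math is not safe.
function isOnCurve(pt) {
  if (pt === null) return false;
  const { x, y } = pt;
  if (x >= P || y >= P) return false;
  return (y * y) % P === (x * x * x + B) % P;
}

// Gate to call before deriving a shared secret from a received key.
function validatePeerKey(hex) {
  return isOnCurve(parseUncompressed(hex));
}

// Constructed sample inputs: the standard secp256k1 base point G, and the
// same x with y incremented by one so it no longer satisfies the equation.
const GX = '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
const GY = '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8';
const onCurveKey = '04' + GX + GY;
const offCurveKey =
  '04' + GX + (BigInt('0x' + GY) + 1n).toString(16).padStart(64, '0');

console.log('base point accepted:', validatePeerKey(onCurveKey));
console.log('off-curve point accepted:', validatePeerKey(offCurveKey));
```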