Update dependencies and CI

Author: FiloSottile

.github/workflows/build.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x # Current as of 2025-07
+          node-version: 25.x # Current as of 2025-12
       - run: npm clean-install
       - run: npm run build
       - run: npm run lint
@@ -29,7 +29,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - run: npm clean-install
       - run: npm run build
       - run: node_modules/.bin/esbuild --target=es2022 --bundle --outfile=typage.js --global-name=age age-encryption
@@ -74,7 +74,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
           registry-url: "https://registry.npmjs.org"
       - run: npm clean-install
       - run: npx jsr publish

.github/workflows/test.yml

@@ -12,9 +12,10 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - 20.x # Maintenance LTS as of 2025-07
-          - 22.x # Active LTS as of 2025-07
-          - 24.x # Current as of 2025-07
+          - 20.x # Maintenance LTS as of 2025-12
+          - 22.x # Maintenance LTS as of 2025-12
+          - 24.x # Active LTS as of 2025-12
+          - 25.x # Current as of 2025-12
     steps:
       - uses: actions/checkout@v4
         with:
@@ -36,7 +37,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - run: npm update
       - run: npm run build
       - run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
@@ -49,7 +50,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - uses: oven-sh/setup-bun@v1
         with:
           bun-version: latest
@@ -66,7 +67,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - uses: denoland/setup-deno@v2
         with:
           deno-version: vx.x.x
@@ -81,7 +82,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - run: npm update
       - run: npm run build
       - run: npm run examples:yarn
@@ -93,7 +94,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 24.x
+          node-version: 25.x # Current as of 2025-12
       - uses: pnpm/action-setup@v4
         with:
           version: latest

eslint.config.js

@@ -1,9 +1,10 @@
 import eslint from "@eslint/js"
+import { defineConfig } from "eslint/config"
 import tseslint from "typescript-eslint"
 import stylistic from "@stylistic/eslint-plugin"
 import tsdoc from "eslint-plugin-tsdoc"
 
-export default tseslint.config(
+export default defineConfig(
     // Global ignores for generated files.
     { ignores: ["dist/", "tests/examples/age.js"] },
 

lib/index.ts

@@ -1,7 +1,7 @@
-import { hmac } from "@noble/hashes/hmac"
-import { hkdf } from "@noble/hashes/hkdf"
-import { sha256 } from "@noble/hashes/sha2"
-import { randomBytes } from "@noble/hashes/utils"
+import { hmac } from "@noble/hashes/hmac.js"
+import { hkdf } from "@noble/hashes/hkdf.js"
+import { sha256 } from "@noble/hashes/sha2.js"
+import { randomBytes } from "@noble/hashes/utils.js"
 import { HybridIdentity, HybridRecipient, ScryptIdentity, ScryptRecipient, X25519Identity, X25519Recipient } from "./recipients.js"
 import { encodeHeader, encodeHeaderNoMAC, parseHeader, Stanza } from "./format.js"
 import { ciphertextSize, decryptSTREAM, encryptSTREAM, plaintextSize } from "./stream.js"
@@ -183,12 +183,14 @@ export class Encrypter {
             stanzas.push(...await recipient.wrapFileKey(fileKey))
         }
 
-        const hmacKey = hkdf(sha256, fileKey, undefined, "header", 32)
+        const labelHeader = new TextEncoder().encode("header")
+        const hmacKey = hkdf(sha256, fileKey, undefined, labelHeader, 32)
         const mac = hmac(sha256, hmacKey, encodeHeaderNoMAC(stanzas))
         const header = encodeHeader(stanzas, mac)
 
         const nonce = randomBytes(16)
-        const streamKey = hkdf(sha256, fileKey, nonce, "payload", 32)
+        const labelPayload = new TextEncoder().encode("payload")
+        const streamKey = hkdf(sha256, fileKey, nonce, labelPayload, 32)
         const encrypter = encryptSTREAM(streamKey)
 
         if (!(file instanceof ReadableStream)) {
@@ -282,7 +284,8 @@ export class Decrypter {
         const { fileKey, headerSize, rest } = await this.decryptHeaderInternal(s)
         const { data: nonce, rest: payload } = await read(rest, 16)
 
-        const streamKey = hkdf(sha256, fileKey, nonce, "payload", 32)
+        const label = new TextEncoder().encode("payload")
+        const streamKey = hkdf(sha256, fileKey, nonce, label, 32)
         const decrypter = decryptSTREAM(streamKey)
         const out = payload.pipeThrough(decrypter)
 
@@ -316,7 +319,8 @@ export class Decrypter {
         const fileKey = await this.unwrapFileKey(h.stanzas)
         if (fileKey === null) throw Error("no identity matched any of the file's recipients")
 
-        const hmacKey = hkdf(sha256, fileKey, undefined, "header", 32)
+        const label = new TextEncoder().encode("header")
+        const hmacKey = hkdf(sha256, fileKey, undefined, label, 32)
         const mac = hmac(sha256, hmacKey, h.headerNoMAC)
         if (!compareBytes(h.MAC, mac)) throw Error("invalid header HMAC")
 

lib/io.ts

@@ -1,4 +1,4 @@
-import { randomBytes } from "@noble/hashes/utils"
+import { randomBytes } from "@noble/hashes/utils.js"
 
 export class LineReader {
     private s: ReadableStreamDefaultReader<Uint8Array>

lib/recipients.ts

@@ -1,10 +1,10 @@
 import { bech32 } from "@scure/base"
-import { hkdf, extract, expand } from "@noble/hashes/hkdf"
-import { sha256 } from "@noble/hashes/sha2"
-import { scrypt } from "@noble/hashes/scrypt"
-import { chacha20poly1305 } from "@noble/ciphers/chacha"
-import { XWing } from "@noble/post-quantum/hybrid.js"
-import { randomBytes } from "@noble/hashes/utils"
+import { hkdf, extract, expand } from "@noble/hashes/hkdf.js"
+import { sha256 } from "@noble/hashes/sha2.js"
+import { scrypt } from "@noble/hashes/scrypt.js"
+import { chacha20poly1305 } from "@noble/ciphers/chacha.js"
+import { MLKEM768X25519 } from "@noble/post-quantum/hybrid.js"
+import { randomBytes } from "@noble/hashes/utils.js"
 import { base64nopad } from "@scure/base"
 import * as x25519 from "./x25519.js"
 import { Stanza } from "./format.js"
@@ -73,7 +73,7 @@ export async function identityToRecipient(identity: string | CryptoKey): Promise
         const res = bech32.decodeToBytes(identity)
         if (res.prefix.toUpperCase() !== "AGE-SECRET-KEY-PQ-" ||
             res.bytes.length !== 32) { throw Error("invalid identity") }
-        const recipient = XWing.getPublicKey(res.bytes)
+        const recipient = MLKEM768X25519.getPublicKey(res.bytes)
         // Use encode directly to disable the 90 character bech32 limit.
         return bech32.encode("age1pq", bech32.toWords(recipient), false)
     } else {
@@ -99,7 +99,7 @@ export class HybridRecipient implements Recipient {
     }
 
     wrapFileKey(fileKey: Uint8Array): Stanza[] {
-        const { cipherText: encapsulatedKey, sharedSecret } = XWing.encapsulate(this.recipient)
+        const { cipherText: encapsulatedKey, sharedSecret } = MLKEM768X25519.encapsulate(this.recipient)
         const label = new TextEncoder().encode("age-encryption.org/mlkem768x25519")
         const { key, nonce } = hpkeContext(hpkeMLKEM768X25519, sharedSecret, label)
         const ciphertext = chacha20poly1305(key, nonce).encrypt(fileKey)
@@ -134,7 +134,7 @@ export class HybridIdentity implements Identity {
                 throw Error("invalid mlkem768x25519 stanza")
             }
 
-            const sharedSecret = XWing.decapsulate(share, this.identity)
+            const sharedSecret = MLKEM768X25519.decapsulate(share, this.identity)
             const label = new TextEncoder().encode("age-encryption.org/mlkem768x25519")
             const { key, nonce } = hpkeContext(hpkeMLKEM768X25519, sharedSecret, label)
             try {
@@ -226,7 +226,8 @@ export class X25519Recipient implements Recipient {
         salt.set(share)
         salt.set(this.recipient, share.length)
 
-        const key = hkdf(sha256, secret, salt, "age-encryption.org/v1/X25519", 32)
+        const label = new TextEncoder().encode("age-encryption.org/v1/X25519")
+        const key = hkdf(sha256, secret, salt, label, 32)
         return [new Stanza(["X25519", base64nopad.encode(share)], encryptFileKey(fileKey, key))]
     }
 }
@@ -269,7 +270,8 @@ export class X25519Identity implements Identity {
             salt.set(share)
             salt.set(recipient, share.length)
 
-            const key = hkdf(sha256, secret, salt, "age-encryption.org/v1/X25519", 32)
+            const label = new TextEncoder().encode("age-encryption.org/v1/X25519")
+            const key = hkdf(sha256, secret, salt, label, 32)
             const fileKey = decryptFileKey(s.body, key)
             if (fileKey !== null) return fileKey
         }

lib/stream.ts

@@ -1,4 +1,4 @@
-import { chacha20poly1305 } from "@noble/ciphers/chacha"
+import { chacha20poly1305 } from "@noble/ciphers/chacha.js"
 
 const chacha20poly1305Overhead = 16
 

lib/webauthn.ts

@@ -1,7 +1,7 @@
 import { bech32, base64nopad } from "@scure/base"
-import { randomBytes } from "@noble/hashes/utils"
-import { extract } from "@noble/hashes/hkdf"
-import { sha256 } from "@noble/hashes/sha2"
+import { randomBytes } from "@noble/hashes/utils.js"
+import { extract } from "@noble/hashes/hkdf.js"
+import { sha256 } from "@noble/hashes/sha2.js"
 import { type Identity, type Recipient } from "./index.js"
 import { Stanza } from "./format.js"
 import { decryptFileKey, encryptFileKey } from "./recipients.js"
@@ -94,7 +94,7 @@ export async function createCredential(options: CreationOptions): Promise<string
             rp: { name: "", id: options.rpId },
             user: {
                 name: options.keyName,
-                id: randomBytes(8), // avoid overwriting existing keys
+                id: domBuffer(randomBytes(8)), // avoid overwriting existing keys
                 displayName: "",
             },
             pubKeyCredParams: defaultAlgorithms,
@@ -192,11 +192,11 @@ class WebAuthnInternal {
         const assertion = await navigator.credentials.get({
             publicKey: {
                 allowCredentials: this.credId ? [{
-                    id: this.credId,
+                    id: domBuffer(this.credId),
                     transports: this.transports as AuthenticatorTransport[],
                     type: "public-key"
                 }] : [],
-                challenge: randomBytes(16),
+                challenge: domBuffer(randomBytes(16)),
                 extensions: { prf: { eval: prfInputs(nonce) } },
                 userVerification: "required", // prf requires UV
                 rpId: this.rpId,
@@ -298,5 +298,12 @@ function deriveKey(results: AuthenticationExtensionsPRFValues): Uint8Array {
     const prf = new Uint8Array(results.first.byteLength + results.second.byteLength)
     prf.set(new Uint8Array(results.first as ArrayBuffer), 0)
     prf.set(new Uint8Array(results.second as ArrayBuffer), results.first.byteLength)
-    return extract(sha256, prf, label)
+    return extract(sha256, prf, new TextEncoder().encode(label))
+}
+
+// TypeScript 5.9+ made Uint8Array generic, defaulting to Uint8Array<ArrayBufferLike>.
+// DOM APIs like WebAuthn require Uint8Array<ArrayBuffer> (no SharedArrayBuffer).
+// This helper narrows the type while still catching non-Uint8Array arguments.
+function domBuffer(arr: Uint8Array): Uint8Array<ArrayBuffer> {
+    return arr as Uint8Array<ArrayBuffer>
 }

lib/x25519.ts

@@ -1,4 +1,4 @@
-import { x25519 } from "@noble/curves/ed25519"
+import { x25519 } from "@noble/curves/ed25519.js"
 
 const exportable = false
 
@@ -33,7 +33,7 @@ export async function webCryptoFallback<Return>(
 export async function scalarMult(scalar: Uint8Array | CryptoKey, u: Uint8Array): Promise<Uint8Array> {
     return await webCryptoFallback(async () => {
         const key = isCryptoKey(scalar) ? scalar : await importX25519Key(scalar)
-        const peer = await crypto.subtle.importKey("raw", u, { name: "X25519" }, exportable, [])
+        const peer = await crypto.subtle.importKey("raw", domBuffer(u), { name: "X25519" }, exportable, [])
         // 256 bits is the fixed size of a X25519 shared secret. It's kind of
         // worrying that the WebCrypto API encourages truncating it.
         return new Uint8Array(await crypto.subtle.deriveBits({ name: "X25519", public: peer }, key, 256))
@@ -84,3 +84,10 @@ async function importX25519Key(key: Uint8Array): Promise<CryptoKey> {
 function isCryptoKey(key: unknown): key is CryptoKey {
     return typeof CryptoKey !== "undefined" && key instanceof CryptoKey
 }
+
+// TypeScript 5.9+ made Uint8Array generic, defaulting to Uint8Array<ArrayBufferLike>.
+// DOM APIs like crypto.subtle require Uint8Array<ArrayBuffer> (no SharedArrayBuffer).
+// This helper narrows the type while still catching non-Uint8Array arguments.
+function domBuffer(arr: Uint8Array): Uint8Array<ArrayBuffer> {
+    return arr as Uint8Array<ArrayBuffer>
+}