
chore(deps): update module filippo.io/edwards25519 to v1.1.1 [security]#121

Open
NumaryBot wants to merge 1 commit intomainfrom
renovate/go-filippo.io-edwards25519-vulnerability

Conversation


@NumaryBot NumaryBot commented Feb 20, 2026

This PR contains the following updates:

Package                 | Type     | Update | Change
filippo.io/edwards25519 | indirect | patch  | v1.1.0 -> v1.1.1

GitHub Vulnerability Alerts

CVE-2026-26958

(*Point).MultiScalarMult failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck.


Invalid result or undefined behavior in filippo.io/edwards25519

CVE-2026-26958 / GHSA-fw7p-63qq-7hpr / GO-2026-4503


Details

Previously, if MultiScalarMult was invoked on an initialized point that was not the identity point, MultiScalarMult produced an incorrect result. If called on an uninitialized point, MultiScalarMult exhibited undefined behavior.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

CVE-2026-26958 / GHSA-fw7p-63qq-7hpr / GO-2026-4503


Details

(*Point).MultiScalarMult failed to initialize its receiver.

If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result.

If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver was the zero value, MultiScalarMult returned an invalid point that compared Equal to every point.

Note that MultiScalarMult is a rarely used advanced API. For example, if you only depend on filippo.io/edwards25519 via github.com/go-sql-driver/mysql, you are not affected. If you were notified of this issue despite not being affected, consider switching to a vulnerability scanner that is more precise and respectful of your attention, like govulncheck.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

FiloSottile/edwards25519 (filippo.io/edwards25519)

v1.1.1



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
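The three receiver states the advisory describes (identity, initialized non-identity, and zero value) reproduced in an added Go example that is not the library's code: a constructed projective model of an additive group, where the type and method names (Point, NewIdentityPoint, Equal, Add, MultiScalarMult) mirror the library's API but the arithmetic is a stand-in, not Edwards curve math.

```go
package main

import "fmt"

// Constructed model for illustration, not filippo.io/edwards25519 code: an element
// is stored projectively as (v, z), the residue v/z mod P, like a point's (X, Y, Z).
const P = 1000003

type Point struct{ v, z int64 } // zero value is (0, 0), an invalid element

func mod(a int64) int64 { return ((a % P) + P) % P }

func NewIdentityPoint() *Point { return &Point{0, 1} }

// Equal cross-multiplies like a projective comparison; with z == 0 both sides are 0.
func (p *Point) Equal(u *Point) bool { return mod(p.v*u.z) == mod(u.v*p.z) }

func (p *Point) Add(a, b *Point) *Point {
	p.v, p.z = mod(a.v*b.z+b.v*a.z), mod(a.z*b.z)
	return p
}

// buggyMultiScalarMult accumulates into whatever p holds (pre-v1.1.1: receiver never reset).
func (p *Point) buggyMultiScalarMult(ks []int64, qs []*Point) *Point {
	for i := range ks { // each term ks[i]*qs[i] is (k*v, z) in this model
		p.Add(p, &Point{mod(mod(ks[i])*qs[i].v), qs[i].z})
	}
	return p
}

// fixedMultiScalarMult resets the receiver to the identity first.
func (p *Point) fixedMultiScalarMult(ks []int64, qs []*Point) *Point {
	*p = Point{0, 1}
	return p.buggyMultiScalarMult(ks, qs)
}

// checkReceiverStates computes 3*2 + 5*9 = 51 with identity, dirty and zero-value
// receivers; the zero-value run is compared field-wise since Equal lies about it.
func checkReceiverStates() (identOK, dirtyOK, fixedDirtyOK, zeroOK, zeroEqualsAny bool) {
	ks, qs, want := []int64{3, 5}, []*Point{{2, 1}, {9, 1}}, &Point{51, 1}
	identOK = NewIdentityPoint().buggyMultiScalarMult(ks, qs).Equal(want)
	dirtyOK = (&Point{1, 1}).buggyMultiScalarMult(ks, qs).Equal(want)
	fixedDirtyOK = (&Point{1, 1}).fixedMultiScalarMult(ks, qs).Equal(want)
	z := new(Point).buggyMultiScalarMult(ks, qs)
	zeroOK = z.v == want.v && z.z == want.z
	zeroEqualsAny = z.Equal(&Point{12345, 1})
	return
}

func main() { fmt.Println(checkReceiverStates()) } // true false true false true
```

The zero-value run stays at (0, 0), which is why the advisory warns that the result compared Equal to every point: a regression test that only uses Equal would pass against a corrupt value.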

@NumaryBot NumaryBot enabled auto-merge (squash) February 20, 2026 02:57

coderabbitai bot commented Feb 20, 2026

📝 Walkthrough

A single indirect dependency version was updated: filippo.io/edwards25519 was bumped from v1.1.0 to v1.1.1 in the go.mod file. No other dependency or control flow changes were made.

Changes

Cohort / File(s)            | Summary
Dependency Update (go.mod)  | Upgraded filippo.io/edwards25519 from v1.1.0 to v1.1.1 (indirect dependency).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop, a skip, a version's gleam,
Edwards25519 chases a newer dream,
From one-point-oh to one-point-one,
A tiny bump, but progress won! 🎉

🚥 Pre-merge checks | ✅ 3 passed

Check name         | Status    | Explanation
Title check        | ✅ Passed | The title accurately describes the main change: updating the filippo.io/edwards25519 dependency to v1.1.1 for security reasons, which is the primary and only change in the pull request.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check  | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2026: Authentication required, not authenticated - You need to authenticate to access this operation.
