v1.5.1

Bug Fixes

• deps: bump @scure/base to 2.0.0 (#13) — ESM-only release, Node 20.19+ required. Runtime dep; bech32 API unchanged.

---

Reproducible build: byte-identical output verified across two independent CI runners.

Artefact integrity

file:      nsec-tree-1.5.1.tgz
size:      27092 bytes
sha256:    2de31a260259f15ca16fb0eb0e1e265b906495c33e1195297ec8c9d8375efd21
sha512-NUz7EmZoZoRaxORNVaZmkiFvWVamS2RAnHWs4EJzrAt82NSO+DUUfi/5RFRsVEixR9QzP6jilQGwe4wOxgDcEA==

Verify against the registry tarball:

curl -sLO https://registry.npmjs.org/nsec-tree/-/nsec-tree-1.5.1.tgz
shasum -a 256 nsec-tree-1.5.1.tgz

v1.5.0

Changed

• migrate release tooling from semantic-release to forgesworn/release-action. Removes hundreds of transitive devDependencies, eliminates bundled-npm Dependabot noise (handlebars, lodash, picomatch, brace-expansion), and preserves OIDC trusted publishing with provenance. No runtime or API changes for consumers.

Why

semantic-release's bundled npm CLI emits chronic Dependabot advisories that do not affect published artefacts, and its transitive dependency graph is large enough to conflict with the supply-chain posture a cryptography library should hold itself to. The replacement is a pure-bash release tool with hard pre-publish gates: tag-match against package.json, frozen-vector check, exports-map sanity, secret scan over packable artefacts, and runtime-only npm audit. Zero Node tooling inside the release action itself.

nsec-tree is the pilot consumer; the action is intended for org-wide rollout once it has shipped at least one release end to end.

v1.4.4

1.4.4 (2026-04-10)

Bug Fixes

• bound recovery purpose array length (77d12ea)
• harden linkage proof and event parsing against injection (fa4ff57)
• tighten persona name validation (1add0a5)
• tighten secret hygiene and document ownership contracts (5d93940)

v1.4.3

1.4.3 (2026-03-31)

Bug Fixes

• protocol: update attestation format to pipe delimiters in spec docs (619eb19)

v1.4.2

1.4.2 (2026-03-31)

Bug Fixes

• change attestation delimiter to pipe to avoid colon collision with persona purposes (ac62de7)

v1.4.1

1.4.1 (2026-03-20)

Bug Fixes

• correct copyright to TheCryptoDonkey (6adacd3)

v1.4.0

1.4.0 (2026-03-18)

Features

• add deriveFromIdentity for arbitrary-depth key hierarchies (a514968)

v1.3.2

1.3.2 (2026-03-18)

Bug Fixes

• event: reject proof events with missing or mismatched p tag (4f5b034)

v1.3.1

1.3.1 (2026-03-18)

Bug Fixes

• event: harden fromEvent input validation against malformed events (c9d96a8)

v1.3.0

1.3.0 (2026-03-18)

Features

• event: add event subpath export and re-export from index (8d406c6)
• event: implement fromEvent for parsing NIP-78 linkage proof events (70b1928)
• event: implement toUnsignedEvent for linkage proof publishing (5a0591c)
• event: scaffold event module with constants and UnsignedEvent type (08a07a1)