
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@arcjet/transport
Advanced tools
@arcjet/transportTransport mechanisms for the Arcjet protocol.
This package provides a way to talk to our protocol.
This is an internal Arcjet package not designed for public use. See our Get started guide for how to use Arcjet in your application.
This package is ESM only. Install with npm in Node.js:
npm install @arcjet/transport
This package requires >=22.21.0 <23 || >=24.5.0. Proxy support relies on the
built-in proxy support of the Node.js HTTP agent, which is only available on
Node.js >=22.21.0 and, on the 24 line, >=24.5.0. Node.js 20 is end-of-life
and Node.js 23 is not supported. Anyone tracking an active LTS release is
unaffected.
Because every Arcjet SDK depends on this package, the same requirement applies across the Arcjet SDKs.
import { createTransport } from "@arcjet/transport";
const transport = createTransport("https://decide.arcjet.com");
// This can now be passed to `createClient` from `@arcjet/protocol`.
This package exports the identifier
createTransport.
There is no default export.
This package exports the TypeScript types
ProxyEnvironment,
TransportLogger, and
TransportOptions.
createTransport(baseUrl[, options])Creates a transport that talks to the Arcjet API. On Node.js it uses
@connectrpc/connect-node over HTTP/2; separate entry points for Bun, Deno,
Edge Light, and workerd use @connectrpc/connect-web instead. This is a thin
wrapper around createConnectTransport.
The standard proxy environment variables (HTTP_PROXY and HTTPS_PROXY, while
respecting NO_PROXY) are auto-detected, making it possible to connect to the
Arcjet API through a proxy such as Squid. When a proxy is in use, a
line is logged at startup at info level (so set ARCJET_LOG_LEVEL=info to see
it). The proxy URL itself is not logged, since it can contain credentials. How
the request is actually proxied depends on the runtime, using each runtime's
built-in proxy support:
proxyHttpVersion: "2" to instead keep HTTP/2 while
proxying (see HTTP/2 through a proxy below).fetch performs the proxying natively.workerd — these edge runtimes don't support outbound
proxy environment variables, so no proxy is used.NO_PROXY accepts a comma- or space-separated list of host suffixes, each with
an optional leading . or *. and an optional :port, plus * to bypass the
proxy for every host. Entries are matched as host names; IP/CIDR ranges (such as
10.0.0.0/8) are not supported, the same as curl. On Bun and
Deno the runtime's fetch applies NO_PROXY itself, so its exact semantics are
the runtime's.
By default, proxying on Node.js downgrades the connection from HTTP/2 to HTTP/1.1, because Node's built-in agent proxy support only works over HTTP/1.1. For a latency-sensitive API this is unfortunate: it gives up HTTP/2's multiplexing, so a burst of concurrent requests opens a new proxy connection each instead of sharing one.
Setting proxyHttpVersion: "2" keeps HTTP/2 end-to-end. The transport opens an
HTTP CONNECT tunnel to the proxy and then performs the TLS handshake — and the
ALPN negotiation that selects h2 — directly with the origin. The proxy only
blindly forwards the tunnel, so it never sees, and cannot downgrade, the
negotiated protocol.
This comes with caveats:
fetch (over HTTP/1.1) regardless of this
setting, and the edge runtimes don't proxy at all.CONNECT) proxy — the common kind for HTTPS egress,
including Squid. A proxy that terminates TLS and re-originates an
HTTP/1.1 connection to the origin (a TLS-intercepting / "MITM" proxy) cannot
preserve HTTP/2 no matter what this option is set to.TCP_NODELAY) on
its side of the tunnel, but if the proxy buffers tunneled bytes (or leaves
Nagle enabled on its upstream socket) the interaction with delayed ACKs can
add roughly 40 ms of latency per round trip, erasing the benefit.
Tunneling proxies such as Squid set TCP_NODELAY on CONNECT tunnels by
default; verify this if you use a different proxy.When no proxy applies, this option has no effect — direct connections always use HTTP/2.
baseUrl (string, example: https://example.com/my-api)
— the base URL for all HTTP requestsoptions (TransportOptions, optional)
— configurationA Connect transport that you can pass to createClient from
@arcjet/protocol.
ProxyEnvironmentMap of environment variables used to detect an outbound proxy (TypeScript
type). This is the same shape as process.env.
TransportLoggerLogger used to print a line at startup when a proxy is detected (TypeScript
type). It must provide an info method.
TransportOptionsConfiguration for createTransport (TypeScript type).
log (TransportLogger, optional)
— logger used to print a line at startup when a proxy is detected; defaults
to a logger configured from the ARCJET_LOG_LEVEL environment variableproxyEnv (ProxyEnvironment or false, optional)
— environment variables used to detect an outbound proxy; defaults to
process.env so standard proxy environment variables are auto-detected; pass
false to ignore proxy environment variablesproxyHttpVersion ("1.1" or "2", optional, default "1.1")
— HTTP version to use when a proxy is in use on Node.js; "1.1" routes
through the proxy using the Node.js HTTP agent, while "2" keeps HTTP/2 by
tunneling through the proxy with CONNECT; has no effect without a proxy, or
on Bun, Deno, and the edge runtimes (see
HTTP/2 through a proxy)FAQs
Transport mechanisms for the Arcjet protocol
The npm package @arcjet/transport receives a total of 49,715 weekly downloads. As such, @arcjet/transport popularity was classified as popular.
We found that @arcjet/transport demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.