Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@bitski/provider-engine
Advanced tools
[![Greenkeeper badge](https://badges.greenkeeper.io/MetaMask/provider-engine.svg)](https://greenkeeper.io/)
Web3 ProviderEngine is a tool for composing your own web3 providers.
Built to be modular - works via a stack of 'sub-providers' which are like normal web3 providers but only handle a subset of rpc methods.
The subproviders can emit new rpc requests in order to handle their own; e.g. eth_call
may trigger eth_getAccountBalance
, eth_getCode
, and others.
The provider engine also handles caching of rpc request results.
const ProviderEngine = require('web3-provider-engine')
const CacheSubprovider = require('web3-provider-engine/subproviders/cache.js')
const FixtureSubprovider = require('web3-provider-engine/subproviders/fixture.js')
const FilterSubprovider = require('web3-provider-engine/subproviders/filters.js')
const VmSubprovider = require('web3-provider-engine/subproviders/vm.js')
const HookedWalletSubprovider = require('web3-provider-engine/subproviders/hooked-wallet.js')
const NonceSubprovider = require('web3-provider-engine/subproviders/nonce-tracker.js')
const RpcSubprovider = require('web3-provider-engine/subproviders/rpc.js')
var engine = new ProviderEngine()
var web3 = new Web3(engine)
// static results
engine.addProvider(new FixtureSubprovider({
web3_clientVersion: 'ProviderEngine/v0.0.0/javascript',
net_listening: true,
eth_hashrate: '0x00',
eth_mining: false,
eth_syncing: true,
}))
// cache layer
engine.addProvider(new CacheSubprovider())
// filters
engine.addProvider(new FilterSubprovider())
// pending nonce
engine.addProvider(new NonceSubprovider())
// vm
engine.addProvider(new VmSubprovider())
// id mgmt
engine.addProvider(new HookedWalletSubprovider({
getAccounts: function(cb){ ... },
approveTransaction: function(cb){ ... },
signTransaction: function(cb){ ... },
}))
// data source
engine.addProvider(new RpcSubprovider({
rpcUrl: 'https://testrpc.metamask.io/',
}))
// log new blocks
engine.on('block', function(block){
console.log('================================')
console.log('BLOCK CHANGED:', '#'+block.number.toString('hex'), '0x'+block.hash.toString('hex'))
console.log('================================')
})
// network connectivity error
engine.on('error', function(err){
// report connectivity errors
console.error(err.stack)
})
// start polling for blocks
engine.start()
When importing in webpack:
import * as Web3ProviderEngine from 'web3-provider-engine';
import * as RpcSource from 'web3-provider-engine/subproviders/rpc';
import * as HookedWalletSubprovider from 'web3-provider-engine/subproviders/hooked-wallet';
The Ethereum JSON RPC was not designed to have one node service many clients. However a smaller, lighter subset of the JSON RPC can be used to provide the blockchain data that an Ethereum 'zero-client' node would need to function. We handle as many types of requests locally as possible, and just let data lookups fallback to some data source ( hosted rpc, blockchain api, etc ). Categorically, we don’t want / can’t have the following types of RPC calls go to the network:
dist
from git (but published in npm module)dist/es5
hooked-wallet-ethtx
message signinghooked-wallet
default txParamseth-block-tracker
@2.0.0eth-block-tracker
.personalRecoverSigner
to recoverPersonalSignature
pollingShouldUnref
option now defaults to falseFAQs
Bitski's ProviderEngine is a refactored version of Metamask's original provider engine library. This is the base of the Bitski Javascript SDKs (both browser and node).
The npm package @bitski/provider-engine receives a total of 133 weekly downloads. As such, @bitski/provider-engine popularity was classified as not popular.
We found that @bitski/provider-engine demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.