
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@canton-network/core-provider-ledger
Advanced tools
A Splice Provider implementation for direct ledger access.
This package provides a SpliceProvider (see https://github.com/canton-network/wallet/tree/main/core/splice-provider) implementation intended for direct Ledger usage. It is suitable for both NodeJS and browser environments, but if you are building a Canton dApp, then you likely want to use the dapp-sdk instead, which gives a DappProvider.
This provider only supports a single method, ledgerApi, which proxies request through to an underlying Ledger JSON-API client. Due to the nature of the Canton Ledger JSON-API, the only supported transport is HTTP.
import { LedgerProvider } from '@canton-network/core-provider-ledger'
const provider = new LedgerProvider({
baseUrl: 'https://ledger-api.example.com',
accessToken: 'jwt...',
})
const version = await provider.request({
method: 'ledgerApi',
params: {
resource: '/v2/version',
requestMethod: 'get',
},
})
Due to some type inference limitations, the return type of request collapses to unknown. In order to aid the compiler, you can supply an optional type argument corresponding to the operation you are using on the ledgerApi. Afterwards, the response is cleanly typed:
import { LedgerProvider, Ops } from '@canton-network/core-provider-ledger'
// ...
const party = await provider.request<Ops.PostV2Parties>({
method: 'ledgerApi',
params: {
resource: '/v2/parties',
requestMethod: 'post',
body: {
partyHint: 'my-party',
},
},
})
console.log(party.partyDetails?.party)
There are various ways to pass data into the request, depending on the operation. Let type inference guide you, but know there are three possibilities:
provider.request({
method: 'ledgerApi',
params: {
...,
body?: {
// usually for POST requests (JSON object body)
},
path?: {
// `path` arguments, usually for GET requests (i.e., `/v2/parties/{party-id}`)
"party-id": "some-party-id"
},
query?: {
// `query` params, usually for GET requests (i.e., `/v2/...?param=data`)
"param": "data"
}
}
})
Any particular operation may require just one, none, or multiple client data inputs.
FAQs
A Splice Provider implementation for direct ledger access.
The npm package @canton-network/core-provider-ledger receives a total of 99,640 weekly downloads. As such, @canton-network/core-provider-ledger popularity was classified as popular.
We found that @canton-network/core-provider-ledger demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.