@ethereum-sourcify/lib-sourcify
Library for Sourcify's contract verification methods, contract validation, types, and interfaces.
lib-sourcify is Sourcify's reusable backbone library for verifying contracts. Additionally it contains:

CheckedContracts

The initial step to verify a contract is validation, i.e. creating a `CheckedContract`. This is done with `checkFiles`, which takes files as `PathBuffer` objects and returns a `CheckedContract` array:
```ts
import * as fs from "fs";

// Read each source or metadata file into a PathBuffer (path plus raw bytes).
const pathBuffers: PathBuffer[] = [];
pathBuffers.push({
  path: filePath,
  buffer: fs.readFileSync(filePath),
});
```
For a `CheckedContract` to be valid, i.e. compilable, you need to provide a contract metadata JSON file identifying the contract, together with the source files of the contract listed under the `sources` field of the metadata.

```ts
const checkedContracts: CheckedContract[] = await checkFiles(pathBuffers);
```

Each contract source either has a `content` field containing the Solidity code as a string, or `urls` to fetch the sources from (GitHub, IPFS, Swarm etc.). If the contract sources are available at those URLs, you can fetch them with:

```ts
CheckedContract.fetchMissing(checkedContracts[0]); // static method
```

You can check if a contract is ready to be compiled with:

```ts
CheckedContract.isValid(checkedContracts[0]); // true
```
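The following added example (not lib-sourcify's own code; `classifySources`, `SourceReport` and the URL allow-list are assumptions) models the decision the validation step above has to make for each entry in the metadata's `sources` field: the source is present, it is missing but fetchable from an acceptable URL, or it is unresolvable and the contract cannot be compiled.

```typescript
// Added example (not lib-sourcify's own code): models the validation step
// above, deciding for each metadata source whether it is present, fetchable
// from an acceptable URL, or unresolvable (so the contract cannot compile).
interface PathBuffer { path: string; buffer: Uint8Array; }
interface MetadataSource { content?: string; urls?: string[]; keccak256?: string; }
interface Metadata { sources: { [key: string]: MetadataSource }; }

// Assumed allow-list of URL schemes a fetchMissing-style step may follow;
// file: or plain http: URLs in metadata are not treated as usable sources.
const FETCHABLE_URL = /^(dweb:\/ipfs\/|bzz-raw:\/\/|https:\/\/)/;
export interface SourceReport {
  present: string[];      // inline content, or a supplied file matched the path
  fetchable: string[];    // missing, but at least one acceptable URL is listed
  unresolvable: string[]; // missing and no acceptable URL
  isValid: boolean;       // true only when nothing is missing
}
// A supplied file matches a source when its path ends with the source key
// (e.g. "/work/contracts/B.sol" matches "contracts/B.sol").
function hasFile(files: PathBuffer[], key: string): boolean {
  for (const f of files) {
    const p = f.path.replace(/\\/g, "/");
    if (p.slice(p.length - key.length) === key) return true;
  }
  return false;
}
export function classifySources(files: PathBuffer[], metadata: Metadata): SourceReport {
  const report: SourceReport = { present: [], fetchable: [], unresolvable: [], isValid: false };
  for (const key of Object.keys(metadata.sources)) {
    const src = metadata.sources[key];
    if (typeof src.content === "string" || hasFile(files, key)) {
      report.present.push(key);
    } else if ((src.urls || []).some((u) => FETCHABLE_URL.test(u))) {
      report.fetchable.push(key);
    } else {
      report.unresolvable.push(key);
    }
  }
  report.isValid = report.fetchable.length === 0 && report.unresolvable.length === 0;
  return report;
}

// Constructed sample input: not a real contract, file or IPFS CID.
export const sampleFiles: PathBuffer[] = [{ path: "/work/contracts/B.sol", buffer: new Uint8Array([0x70]) }];
export const sampleMetadata: Metadata = { sources: {
  "contracts/A.sol": { content: "pragma solidity ^0.8.0; contract A {}" },
  "contracts/B.sol": { urls: ["dweb:/ipfs/QmPLACEHOLDER1"] },
  "contracts/C.sol": { urls: ["dweb:/ipfs/QmPLACEHOLDER2"] },
  "contracts/D.sol": { urls: ["file:///tmp/D.sol"] },
} };
```

With the sample input, `A` and `B` are present, `C` still has to be fetched, and `D` can never be resolved, so the report is not valid until `C` is fetched and `D` is supplied as a file.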
A contract verification essentially requires a `CheckedContract` and an on-chain contract to compare against the `CheckedContract`.
You can verify a deployed contract with:
```ts
export async function verifyDeployed(
  checkedContract: CheckedContract,
  sourcifyChain: SourcifyChain,
  address: string,
  creatorTxHash?: string
): Promise<Match>;
```
A `SourcifyChain` here is the chain object from ethereum-lists/chains. It states which chain to look the contract up in (e.g. `chainId`) and through which `rpc`s to retrieve the deployed contract.
```ts
const goerliChain = {
  name: "Goerli",
  rpc: [
    "http://localhost:8545/",
    // template literal so the API key is actually interpolated
    `https://goerli.infura.io/v3/${INFURA_API_KEY}`,
  ],
  chainId: 5,
};
// verifyDeployed returns a Promise<Match>, so it must be awaited
const match = await verifyDeployed(
  checkedContracts[0],
  goerliChain,
  "0x00878Ac0D6B8d981ae72BA7cDC967eA0Fae69df4"
);
console.log(match.status); // 'perfect'
```
Alternatively, you can verify counterfactual contracts created with the CREATE2 opcode. This does not require a `SourcifyChain` and `address`, as the contract address is deterministically precomputed and the contract is not necessarily deployed.
```ts
export async function verifyCreate2(
  checkedContract: CheckedContract,
  deployerAddress: string,
  salt: string,
  create2Address: string,
  abiEncodedConstructorArguments?: string
): Promise<Match>;
```
Example:
```ts
const match = await verifyCreate2(
  checkedContracts[0],
  deployerAddress,
  salt,
  create2Address,
  abiEncodedConstructorArguments
);
console.log(match.chainId); // '0'. create2 matches return 0 as chainId
console.log(match.status); // 'perfect'
```