Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
@ethereum-sourcify/lib-sourcify
Advanced tools
Library for Sourcify's contract verification methods, contract validation, types, and interfaces.
lib-sourcify is Sourcify's reusable backbone library for verifying contracts. Additionally it contains:
CheckedContract
s
The lib-sourcify
library does not come with the Solidity compiler as a dependency. Instead, you need to provide a class that implements the ISolidityCompiler
interface and pass it to any function that requires a compiler.
// The external Solidity Compiler
import solidityCompiler from "./compiler/solidityCompiler";
// Include also CompilerOutput and JsonInput as dependncies of ISolidityCompiler
import {
ISolidityCompiler
CompilerOutput,
JsonInput,
} from "@ethereum-sourcify/lib-sourcify";
// The custom class implementing ISolidityCompiler
class Solc implements ISolidityCompiler {
async compile(
version: string,
solcJsonInput: JsonInput,
forceEmscripten: boolean = false
): Promise<CompilerOutput> {
return await solidityCompiler.compile(version, solcJsonInput, forceEmscripten);
}
}
const solc = new Solc()
// Pass the class to the functions that needs it
const checkedContract = new CheckedContract(
solc,
{/** metadata */},
{/** solidity files */},
)
The initial step to verify a contract is to validation, i.e. creating a CheckedContract
. This can be done with checkFiles
which takes files in PathBuffer
as input and outputs a CheckedContract
array:
const pathBuffers: PathBuffer[] = [];
pathBuffers.push({
path: filePath,
buffer: fs.readFileSync(filePath),
});
For a CheckedContract
to be valid i.e. compilable, you need to provide a contract metadata JSON file identifying the contract and the source files of the contract listed under the sources
field of the metadata.
const checkedContracts: CheckedContract[] = await checkFiles(solc, pathBuffers);
Each contract source either has a content
field containing the Solidity code as a string, or urls to fetch the sources from (Github, IPFS, Swarm etc.). If the contract sources are available, you can fetch them with.
CheckedContract.fetchMissing(checkedContracts[0]); // static method
You can check if a contract is ready to be compiled with:
CheckedContract.isValid(checkedContracts[0]); // true
A contract verification essentially requires a CheckedContract
and an on-chain contract to compare against the CheckedContract
.
You can verify a deployed contract with:
export async function verifyDeployed(
checkedContract: CheckedContract,
sourcifyChain: SourcifyChain,
address: string,
creatorTxHash?: string
): Promise<Match>;
a SourcifyChain
here is the chain object of ethereum-lists/chains. This states which chain to look the contract in (e.g. chainId
) and through which rpc
s to retrieve the deployed contract from.
const goerliChain = {
name: "Goerli",
rpc: [
"https://locahlhost:8545/"
"https://goerli.infura.io/v3/${INFURA_API_KEY}",
],
chainId: 5,
},
const match = verifyDeployed(
checkedContract[0],
goerliChain,
'0x00878Ac0D6B8d981ae72BA7cDC967eA0Fae69df4'
)
console.log(match.status) // 'perfect'
Alternatively you can verify counterfactual contracts created with the CREATE2 opcode. This does not require a SourcifyChain
and address
as the contract address is pre-deterministicly calculated and the contract is not necessarily deployed.
export async function verifyCreate2(
checkedContract: CheckedContract,
deployerAddress: string,
salt: string,
create2Address: string,
abiEncodedConstructorArguments?: string
): Promise<Match>;
Example:
const match = await verifyCreate2(
checkedContract[0],
deployerAddress,
salt,
create2Address,
abiEncodedConstructorArguments
);
console.log(match.chainId); // '0'. create2 matches return 0 as chainId
console.log(match.status); // 'perfect'
lib-sourcify
has a basic logging system
You can specify the log level using the setLibSourcifyLoggerLevel(level)
where:
0
is nothing1
is errors2
is warnings [default]3
is infos4
is debugYou can override the logger by calling setLogger(logger: ILibSourcifyLogger)
. This is an example:
const winston = require('winston');
const logger = winston.createLogger({
// ...
});
setLibSourcifyLogger({
logLevel: 4,
setLevel(level: number) {
this.logLevel = level;
},
log(level, msg) {
if (level <= this.logLevel) {
switch (level) {
case 1:
logger.error(msg);
break;
case 2:
logger.warn(msg);
break;
case 3:
logger.info(msg);
break;
case 4:
logger.debug(msg);
break;
}
}
},
});
FAQs
Library for Sourcify's contract verification methods, contract validation, types, and interfaces.
The npm package @ethereum-sourcify/lib-sourcify receives a total of 2 weekly downloads. As such, @ethereum-sourcify/lib-sourcify popularity was classified as not popular.
We found that @ethereum-sourcify/lib-sourcify demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.