@ledgerhq/hw-transport
Ledger Hardware Wallet common interface of the communication layer
@ledgerhq/hw-transport is a JavaScript library that provides a set of transport methods to communicate with Ledger hardware wallets. It supports various transport protocols such as USB, WebUSB, and Bluetooth, allowing developers to interact with Ledger devices in a secure and efficient manner.
USB Transport
This feature allows you to connect to a Ledger device using USB. The code sample demonstrates how to establish a connection and then close it.

```js
const Transport = require('@ledgerhq/hw-transport-node-hid').default;

async function connectLedger() {
  const transport = await Transport.create();
  console.log('Connected to Ledger via USB');
  await transport.close();
}

connectLedger();
```
WebUSB Transport
This feature allows you to connect to a Ledger device using WebUSB. The code sample demonstrates how to establish a connection and then close it.

```js
const TransportWebUSB = require('@ledgerhq/hw-transport-webusb').default;

async function connectLedgerWebUSB() {
  const transport = await TransportWebUSB.create();
  console.log('Connected to Ledger via WebUSB');
  await transport.close();
}

connectLedgerWebUSB();
```
Bluetooth Transport
This feature allows you to connect to a Ledger device using Bluetooth. The code sample demonstrates how to establish a connection and then close it.

```js
const TransportBLE = require('@ledgerhq/hw-transport-ble').default;

async function connectLedgerBLE() {
  const transport = await TransportBLE.create();
  console.log('Connected to Ledger via Bluetooth');
  await transport.close();
}

connectLedgerBLE();
```
trezor-connect is a JavaScript library for communicating with Trezor hardware wallets. It provides similar functionalities to @ledgerhq/hw-transport, such as USB and WebUSB support, but is specifically designed for Trezor devices.
bitbox02-api is a JavaScript library for interacting with BitBox02 hardware wallets. It offers functionalities similar to @ledgerhq/hw-transport, including USB communication, but is tailored for BitBox02 devices.
@ledgerhq/hw-transport implements the generic interface of a Ledger Hardware Wallet transport.

Subscription
Type: {unsubscribe: function (): void}
unsubscribe: function (): void

DescriptorEvent
Type: any
A "descriptor" is a parameter that is specific to the implementation, and can be an ID, file path, or URL.
type: "add" or "remove" event
descriptor: a parameter that can be passed to open(descriptor)
deviceModel: device info on the model (is it a Nano S, Nano X, ...)
device: transport-specific device info

Observer
Generic observer type, following the Observer pattern.
Type: Readonly<{next: function (event: EventType): any, error: function (e: EventError): any, complete: function (): any}>

Transport
The Transport class defines a generic interface for communicating with a Ledger hardware wallet. There are different kinds of transports based on the technology (channels like U2F, HID, Bluetooth, WebUSB) and environment (Node, Web, ...). It is an abstract class that needs to be implemented.
constructor($0)
$0: {context: TraceContext?, logType: LogType?} (optional, default {})
$0.context
$0.logType
exchange(apdu, options)
Send data to the device using a low level API. It's recommended to use the "send" method for a higher level API.
apdu: Buffer The data to send.
options: Object Contains optional options for the exchange function (optional, default {})
options.abortTimeoutMs: stop the exchange after a given timeout. Another timeout exists to detect an unresponsive device (see unresponsiveTimeout). This timeout aborts the exchange.
Returns Promise<Buffer> A promise that resolves with the response data from the device.
exchangeBulk(apdus, observer)
Send apdus in batch to the device using a low level API. The default implementation is to call exchange for each apdu.
apdus: Array<Buffer> Array of apdus to send.
observer: Observer<Buffer> An observer that will receive the response of each apdu.
Returns Subscription A Subscription object on which you can call ".unsubscribe()" to stop sending apdus.
setScrambleKey(key)
Set the "scramble key" for the next data exchanges with the device. Each app can have a different scramble key and it is set internally during instantiation.
key: string The scramble key to set.
Deprecated: this method is no longer needed for modern transports and should be migrated away from. (No @ before "deprecated" in the source comment, as it breaks documentationjs version 14.0.2: https://github.com/documentationjs/documentation/issues/1596)

close()
Close the connection with the device.
Note: for certain transports (hw-transport-node-hid-singleton, for example), once the promise has resolved the transport instance is actually still cached, and the device is disconnected only after a defined timeout. For the consumer of the Transport this does not matter, and it can consider the transport to be closed.
Returns Promise<void> A promise that resolves when the transport is closed.
on
Listen for an event on the transport instance. Transport implementations may have specific events. Common events include "disconnect", triggered when the transport is disconnected.
Returns void

off
Stop listening to an event on an instance of transport.
Returns void

setDebugMode
Enable or disable logging of the binary exchange.

setExchangeTimeout(exchangeTimeout)
Set a timeout (in milliseconds) for the exchange call. Only some transports might implement it (e.g. U2F).
exchangeTimeout: number
Returns void

setExchangeUnresponsiveTimeout(unresponsiveTimeout)
Define the delay before emitting "unresponsive" on an exchange that does not respond.
unresponsiveTimeout: number
Returns void
send(cla, ins, p1, p2, data, statusList, options)
Send data to the device using the higher level API.
cla: number The instruction class for the command.
ins: number The instruction code for the command.
p1: number The first parameter for the instruction.
p2: number The second parameter for the instruction.
data: Buffer The data to be sent. Defaults to an empty buffer. (optional, default Buffer.alloc(0))
statusList: Array<number> A list of acceptable status codes for the response. Defaults to [StatusCodes.OK]. (optional, default [StatusCodes.OK])
options: Object Contains optional options for the exchange function (optional, default {})
options.abortTimeoutMs: stop the send after a given timeout. Another timeout exists to detect an unresponsive device (see unresponsiveTimeout). This timeout aborts the exchange.
Returns Promise<Buffer> A promise that resolves with the response data from the device.
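The following added example is not code from @ledgerhq/hw-transport or from Ledger; it models what send() does on top of exchange(): frame the APDU from cla/ins/p1/p2/data, then read the two-byte status word the device appends to its reply and reject anything not listed in statusList. The stub device, the 0xE0 0x01 "get version" command and the helper names (buildApdu, checkStatus, fakeExchange) are constructed for the demonstration.

```javascript
// Added example, not code from @ledgerhq/hw-transport: it models how send()
// frames an APDU from cla/ins/p1/p2/data and how the two-byte status word at
// the end of the device's reply is checked against statusList. The device is a
// constructed stub, and the "get version" command (0xE0 0x01) is hypothetical.

const StatusCodes = { OK: 0x9000 };   // same value as the library's StatusCodes.OK

// Frame [cla, ins, p1, p2, Lc, data...]. Lc is a single byte, so a payload of
// 256 bytes or more cannot be encoded and is rejected before anything is sent.
function buildApdu(cla, ins, p1, p2, data = Buffer.alloc(0)) {
  if (data.length >= 256) {
    throw new Error(`data.length exceeds the 255-byte limit. Got: ${data.length}`);
  }
  return Buffer.concat([Buffer.from([cla, ins, p1, p2, data.length]), data]);
}

// Split a reply into payload and status word (last two bytes, big-endian) and
// reject any status the caller did not explicitly allow.
function checkStatus(raw, statusList = [StatusCodes.OK]) {
  if (raw.length < 2) throw new Error('reply shorter than a status word');
  const statusCode = raw.readUInt16BE(raw.length - 2);
  if (!statusList.includes(statusCode)) {
    const err = new Error(`device returned status 0x${statusCode.toString(16)}`);
    err.statusCode = statusCode;
    throw err;
  }
  return { data: raw.subarray(0, raw.length - 2), statusCode };
}

// Constructed stub standing in for Transport.exchange(): answers the
// hypothetical "get version" command with three bytes + 0x9000 and anything
// else with 0x6D00 (instruction not supported).
function fakeExchange(apdu) {
  const cla = apdu[0];
  const ins = apdu[1];
  if (cla === 0xe0 && ins === 0x01) {
    return Promise.resolve(Buffer.from([0x01, 0x02, 0x03, 0x90, 0x00]));
  }
  return Promise.resolve(Buffer.from([0x6d, 0x00]));
}

// The high-level call layered on the low-level exchange, as send() is on exchange().
async function send(exchange, cla, ins, p1, p2, data, statusList) {
  const reply = await exchange(buildApdu(cla, ins, p1, p2, data));
  return checkStatus(reply, statusList);
}

// Stand-alone run.
(async () => {
  const version = await send(fakeExchange, 0xe0, 0x01, 0x00, 0x00);
  console.log('version payload:', version.data.toString('hex'));   // 010203
  try {
    await send(fakeExchange, 0xe0, 0xff, 0x00, 0x00);              // unknown INS
  } catch (e) {
    console.log('rejected:', e.message);                            // status 0x6d00
  }
  // Explicitly allowing 0x6D00 turns the same reply into a normal return value.
  const tolerated = await send(fakeExchange, 0xe0, 0xff, 0, 0, undefined, [0x9000, 0x6d00]);
  console.log('tolerated status:', tolerated.statusCode.toString(16));
})();
```

The status word is the only channel through which the device reports that a command was refused, rejected by the user, or not understood, which is why the default allow-list is just [StatusCodes.OK]: any other status becomes a thrown error carrying the code rather than a truncated buffer that the caller might mistake for valid data. Widen statusList only for codes the calling code actually handles.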
exchangeAtomicImpl(f)
Wrapper to make an exchange "atomic" (blocking any other exchange). It also handles "unresponsiveness" by emitting "unresponsive" and "responsive" events.
f: function (): Promise<Output> The exchange job, using the transport to run.
Returns Promise<Output> A Promise resolving with the output of the given job.
setTraceContext(context)
Sets the context used by the logging/tracing mechanism. Useful when re-using (cached) the same Transport instance, but with a new tracing context.
context: TraceContext? A TraceContext, which can be undefined to reset the context.

updateTraceContext(contextToAdd)
Updates the context used by the logging/tracing mechanism. The update only overrides the key-values that are already defined in the current context.
contextToAdd: TraceContext A TraceContext that will be added to the current context.

getTraceContext()
Gets the tracing context of the transport instance.
Returns (TraceContext | undefined)
isSupported
Check if the transport is supported on the current platform/browser.
Type: function (): Promise<boolean>
Returns Promise<boolean> A promise that resolves with a boolean indicating support.

list
List all available descriptors for the transport. For better granularity, check out listen().
Type: function (): Promise<Array<any>>

```js
TransportFoo.list().then(descriptors => ...)
```

Returns Promise<Array<any>> A promise that resolves with an array of descriptors.
listen
Listen for device events for the transport. The method takes an observer of DescriptorEvent and returns a Subscription. A DescriptorEvent is an object containing a "descriptor" and a "type" field. The "type" field can be "add" or "remove", and the "descriptor" field can be passed to the "open" method. The "listen" method will first emit all currently connected devices and then will emit events as they occur, such as when a USB device is plugged in or a Bluetooth device becomes discoverable.
Type: function (observer: Observer<DescriptorEvent<any>>): Subscription
observer: Observer<DescriptorEvent<any>> An object with "next", "error", and "complete" functions, following the observer pattern.

```js
// "next" must be async for the await below to be valid
const sub = TransportFoo.listen({
  next: async e => {
    if (e.type === "add") {
      sub.unsubscribe();
      const transport = await TransportFoo.open(e.descriptor);
      ...
    }
  },
  error: error => {},
  complete: () => {}
})
```

Returns Subscription A Subscription object on which you can call ".unsubscribe()" to stop listening to descriptors.
open
Attempt to create a Transport instance with a specific descriptor.
Type: function (descriptor: any, timeoutMs: number, context: TraceContext): Promise<Transport>
descriptor: any The descriptor to open the transport with.
timeout: number An optional timeout for the transport connection.
context: TraceContext Optional tracing/log context.

```js
TransportFoo.open(descriptor).then(transport => ...)
```

Returns Promise<Transport> A promise that resolves with a Transport instance.
create
create() opens the first available descriptor, or throws if there is none or if the timeout is reached. This is a light helper, an alternative to using listen() and open() (which you may need for any more advanced use case).
openTimeout: number (optional, default 3000)
listenTimeout: number?

```js
TransportFoo.create().then(transport => ...)
```
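The following added example is not code from @ledgerhq/hw-transport or from Ledger. TransportFoo is a constructed stand-in that follows the listen()/open() contract documented above (already-connected devices emitted first, later events as they happen), and createFirst() spells out what create() does on top of them: stop listening as soon as a descriptor shows up, open it, and fail on either timeout. The descriptor strings, the "stuck:" convention for a device that hangs during open, and the createFirst name are all assumptions made for the demonstration.

```javascript
// Added example, not code from @ledgerhq/hw-transport: TransportFoo is a
// constructed stand-in that follows the listen()/open() contract documented
// above, and createFirst() spells out what create() does on top of them.

class TransportFoo {
  constructor(descriptor) {
    this.descriptor = descriptor;
  }

  // Emits every already-connected descriptor first (synchronously), then a
  // simulated hot-plug event, if one is configured, after a delay.
  static listen(observer) {
    let active = true;
    for (const descriptor of TransportFoo.connected) {
      if (!active) break;
      observer.next({ type: 'add', descriptor });
    }
    const hot = TransportFoo.hotplugDescriptor;       // captured at subscription time
    let timer = null;
    if (active && hot !== null) {
      timer = setTimeout(() => {
        if (active) observer.next({ type: 'add', descriptor: hot });
      }, TransportFoo.hotplugDelayMs);
    }
    return {
      unsubscribe() {
        active = false;
        if (timer) clearTimeout(timer);
      },
    };
  }

  // Descriptors starting with "stuck:" never answer, which is how a device
  // that hangs during open is simulated; everything else opens immediately.
  static open(descriptor, timeoutMs = 3000) {
    if (String(descriptor).startsWith('stuck:')) {
      return new Promise((_, reject) =>
        setTimeout(() => reject(new Error('open timed out')), timeoutMs)
      );
    }
    return Promise.resolve(new TransportFoo(descriptor));
  }
}

// Constructed environment: what the "bus" looks like when listen() is called.
TransportFoo.connected = [];
TransportFoo.hotplugDescriptor = null;
TransportFoo.hotplugDelayMs = 0;

// create() written out: open the first descriptor that shows up, stop
// listening as soon as one is found, and reject if none appears before
// listenTimeout or if open() does not finish within openTimeout.
function createFirst(openTimeout = 3000, listenTimeout) {
  return new Promise((resolve, reject) => {
    let settled = false;
    let opening = false;
    let sub = null;
    let listenTimer = null;

    const settle = (fn, value) => {
      if (settled) return;
      settled = true;
      if (listenTimer) clearTimeout(listenTimer);
      if (sub) sub.unsubscribe();
      fn(value);
    };

    if (listenTimeout !== undefined) {
      listenTimer = setTimeout(
        () => settle(reject, new Error('no device found before listenTimeout')),
        listenTimeout
      );
    }

    sub = TransportFoo.listen({
      next: (e) => {
        if (e.type !== 'add' || opening || settled) return;
        opening = true;                                  // ignore further "add" events
        if (listenTimer) clearTimeout(listenTimer);      // a device was found in time
        TransportFoo.open(e.descriptor, openTimeout).then(
          (transport) => settle(resolve, transport),
          (err) => settle(reject, err)
        );
      },
      error: (err) => settle(reject, err),
      complete: () => {},
    });
    // listen() may have emitted synchronously before `sub` existed.
    if (settled) sub.unsubscribe();
  });
}

// Stand-alone run: one device already plugged in.
TransportFoo.connected = ['usb:0'];
createFirst(3000, 1000).then(
  (t) => console.log('opened', t.descriptor),
  (err) => console.error('create failed:', err.message)
);
```

Two details matter in practice: the subscription is dropped as soon as the first "add" arrives, so a second device plugged in later cannot swap in underneath the caller, and the listen timeout is cancelled once a descriptor has been found so that a slow open() fails with the open timeout rather than a misleading "no device" error.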
FAQs
The npm package @ledgerhq/hw-transport receives a total of 277,738 weekly downloads. As such, its popularity is classified as popular.
We found that @ledgerhq/hw-transport demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.