@libp2p/webrtc
A libp2p transport using WebRTC connections
$ npm i @libp2p/webrtc
<script> tag
Loading this module through a script tag will make its exports available as Libp2pWebrtc in the global namespace.
<script src="https://unpkg.com/@libp2p/webrtc/dist/index.min.js"></script>
import { createLibp2p } from 'libp2p'
import { noise } from '@chainsafe/libp2p-noise'
import { multiaddr } from '@multiformats/multiaddr'
import first from 'it-first'
import { pipe } from 'it-pipe'
import { fromString, toString } from 'uint8arrays'
import { webRTC } from '@libp2p/webrtc'
// Create a node that uses the WebRTC transport and Noise for connection encryption
const node = await createLibp2p({
  transports: [webRTC()],
  connectionEncryption: [noise()],
});
await node.start()
// The /certhash/ component pins the remote peer's certificate
const ma = multiaddr('/ip4/0.0.0.0/udp/56093/webrtc/certhash/uEiByaEfNSLBexWBNFZy_QB1vAKEj7JAXDizRs4_SnTflsQ')
const stream = await node.dialProtocol(ma, ['/my-protocol/1.0.0'])
const message = `Hello js-libp2p-webrtc\n`
// Send the message and read the first chunk of the reply
const response = await pipe([fromString(message)], stream, async (source) => await first(source))
const responseDecoded = toString(response.slice(0, response.length))
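The dial address in the usage code above pins the remote peer's certificate through its /certhash/ component, a multibase (base64url, "u" prefix) multihash of the certificate. As an added example that is not part of the original README or the @libp2p/webrtc code base, the following decodes that component into an SDP-style fingerprint so it can be compared with the one observed for a connection; the function names are hypothetical, and accepting only SHA-256 and SHA-512 multihashes is a choice made for this example.

```javascript
// Added example, not @libp2p/webrtc code. Function names are hypothetical.
// Multihash codes this example accepts, mapped to SDP hash names and digest sizes.
const HASHES = { 0x12: { sdp: 'sha-256', len: 32 }, 0x13: { sdp: 'sha-512', len: 64 } }

// The multiaddr from the usage code above.
const ADDR = '/ip4/0.0.0.0/udp/56093/webrtc/certhash/uEiByaEfNSLBexWBNFZy_QB1vAKEj7JAXDizRs4_SnTflsQ'

// Extract the value that follows /certhash/ in a multiaddr string.
function certhashOf (addr) {
  const parts = addr.split('/')
  const i = parts.indexOf('certhash')
  if (i === -1 || !parts[i + 1]) throw new Error('multiaddr has no certhash component')
  return parts[i + 1]
}

// Decode a multibase base64url multihash into { sdp, digest }, rejecting malformed input.
function decodeCerthash (certhash) {
  if (!/^u[A-Za-z0-9_-]+$/.test(certhash)) throw new Error('expected multibase base64url ("u" prefix)')
  const bytes = Buffer.from(certhash.slice(1), 'base64url')
  const hash = HASHES[bytes[0]]
  if (!hash) throw new Error('unsupported or missing multihash code')
  // The second byte declares the digest length; it must match the bytes actually present.
  if (bytes[1] !== hash.len || bytes.length !== 2 + hash.len) throw new Error('digest length mismatch')
  return { sdp: hash.sdp, digest: bytes.subarray(2) }
}

// Render the pinned hash as an SDP fingerprint: "sha-256 AB:CD:...".
function toSdpFingerprint (addr) {
  const { sdp, digest } = decodeCerthash(certhashOf(addr))
  const hex = Array.from(digest, b => b.toString(16).padStart(2, '0').toUpperCase())
  return `${sdp} ${hex.join(':')}`
}

// True only if the fingerprint observed for the peer equals the pinned one (case-insensitive).
function matchesPinned (addr, observed) {
  return toSdpFingerprint(addr).toUpperCase() === observed.trim().toUpperCase()
}
```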
Examples can be found in the examples folder.
Browsers can usually only dial, but listen is supported in the WebRTC transport when paired with another listener like CircuitV2, where you listen on a relayed connection. Take a look at index.js for an example.
interface MultiaddrConnection extends Duplex<Uint8Array> {
  close: (err?: Error) => Promise<void>
  remoteAddr: Multiaddr
  timeline: MultiaddrConnectionTimeline
}
class WebRTCMultiaddrConnection implements MultiaddrConnection { }
Contributions are welcome! The libp2p implementation in JavaScript is a work in progress. As such, there are a few things you can do right now to help out:
Please be aware that all interactions related to libp2p are subject to the IPFS Code of Conduct.
Small note: If editing the README, please conform to the standard-readme specification.
This module leans heavily on Aegir (https://github.com/ipfs/aegir) for most of the package.json scripts.
The build script is a wrapper to aegir build. To build this package:
npm run build
The build will be located in the /dist folder.
There is also an npm run generate:proto script that uses protoc to populate the generated code directory proto_ts based on *.proto files in src. Don't forget to run this step before build any time you make a change to any of the *.proto files.
To run all tests:
npm test
To run tests for Chrome only:
npm run test:chrome
To run tests for Firefox only:
npm run test:firefox
Aegir is also used to lint the code, which follows the Standard JS linter. The VS Code plugin for this standard is located at https://marketplace.visualstudio.com/items?itemName=standard.vscode-standard. To lint this repo:
npm run lint
You can also auto-fix when applicable:
npm run lint:fix
npm run clean
npm run deps-check
Licensed under either of
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
FAQs
The npm package @libp2p/webrtc receives a total of 6,502 weekly downloads. As such, @libp2p/webrtc popularity was classified as popular.
We found that @libp2p/webrtc demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.