@solana/rpc-spec
This package contains types that describe the implementation of the JSON RPC API, as well as methods to create one. It can be used standalone, but it is also exported as part of the Solana JavaScript SDK @solana/web3.js@rc.
This API is designed to be used as follows:
    import { createSolanaRpc, mainnet } from '@solana/web3.js';

    const rpc =
        // Step 1 - Create an `Rpc` instance. This may be stateful.
        createSolanaRpc(mainnet('https://api.mainnet-beta.solana.com'));
    const response = await rpc
        // Step 2 - Call supported methods on it to produce `PendingRpcRequest` objects.
        .getLatestBlockhash({ commitment: 'confirmed' })
        // Step 3 - Call the `send()` method on those pending requests to trigger them.
        .send({ abortSignal: AbortSignal.timeout(10_000) });
PendingRpcRequest<TResponse>
Pending requests are the result of calling a supported method on an Rpc object. They encapsulate all of the information necessary to make the request without actually making it.
Calling the send(options) method on a PendingRpcRequest will trigger the request and return a promise for TResponse.
Rpc<TRpcMethods, TRpcTransport>
An object that exposes all of the functions described by TRpcMethods, and fulfils them using TRpcTransport. Calling each method returns a PendingRpcRequest<TResponse> where TResponse is that method's response type.
RpcApi<TRpcMethods>
For each of TRpcMethods this object exposes a method with the same name that maps between its input arguments and a RpcPlan<TResponse> that describes how to prepare a JSON RPC request to fetch TResponse.
RpcApiMethods
This is a marker interface that all RPC method definitions must extend to be accepted for use with the RpcApi creator.
RpcPlan
This type allows an RpcApi to describe how a particular request should be issued to the JSON RPC server. Given a function that was called on a Rpc, this object returns an execute function that dictates which request will be sent, how the underlying transport will be used and how the responses will be transformed.
This function accepts an RpcTransport and an AbortSignal and asynchronously returns an RpcResponse. This gives us the opportunity to:
payload from the requested method name and parameters before passing it to the transport.
TResponse specified by the PendingRpcRequest<TResponse> returned from that function.
RpcSendOptions
A configuration object consisting of the following properties:
abortSignal: An optional signal that you can supply when triggering a PendingRpcRequest that you might later need to abort.
RpcTransport
Any function that implements this interface can act as a transport for an Rpc. It need only return a promise for a response given the following config:
payload: A value of arbitrary type to be sent.
signal: An optional AbortSignal on which the 'abort' event will be fired if the request should be cancelled.
createRpc(config)
Creates an RPC instance given an RpcApi<TRpcMethods> and a RpcTransport capable of fulfilling them.
A config object with the following properties:
api: An instance of RpcApi
transport: A function that implements the RpcTransport interface
createJsonRpcApi(config)
Creates a JavaScript proxy that converts any function call called on it to a RpcPlan by creating an execute function that:
methodName and params properties, optionally transformed by config.requestTransformer.
config.responseTransformer function, if provided.
    import { createJsonRpcApi } from '@solana/rpc-spec';

    // For example, given this `RpcApi`:
    const rpcApi = createJsonRpcApi({
        // The transformer receives the whole `RpcRequest` ({ methodName, params }), not the raw arguments.
        requestTransformer: request => ({ ...request, params: [...request.params].reverse() }),
        responseTransformer: response => response.result,
    });
    // ...the following function call:
    rpcApi.foo('bar', { baz: 'bat' });
    // ...will produce an `RpcPlan` that:
    // - Uses the following payload: { id: 1, jsonrpc: '2.0', method: 'foo', params: [{ baz: 'bat' }, 'bar'] }.
    // - Returns the "result" attribute of the RPC response.
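A simplified model of the proxy mechanism described above, added here as an example and not taken from the package's source. It shows that building a request sends nothing until send() is called, and that requestTransformer receives a request object with methodName and params. The names modelJsonRpcApi, modelRpc and recordingTransport are hypothetical stand-ins; the { signal, transport } argument of execute and the numeric id are assumptions.

```javascript
// Simplified model of the proxy -> plan -> send pipeline; not the package's source.
let nextId = 0; // assumed id scheme
// Ignore symbol lookups and `then`, so the proxies are never mistaken for thenables.
const isMethodName = p => typeof p === 'string' && p !== 'then';
// Stand-in for createJsonRpcApi(config): any method call becomes a plan with execute().
function modelJsonRpcApi(config = {}) {
    const { requestTransformer, responseTransformer } = config;
    return new Proxy({}, {
        get: (_target, p) => !isMethodName(p) ? undefined : (...params) => {
            const raw = Object.freeze({ methodName: p, params });
            const request = requestTransformer ? requestTransformer(raw) : raw;
            return Object.freeze({
                // Assumed shape: execute receives the transport and the abort signal.
                async execute({ signal, transport }) {
                    const payload = { id: ++nextId, jsonrpc: '2.0', method: request.methodName, params: request.params };
                    const response = await transport({ payload, signal });
                    return responseTransformer ? responseTransformer(response, request) : response;
                },
            });
        },
    });
}

// Stand-in for createRpc(config): wraps each plan in a pending request.
function modelRpc({ api, transport }) {
    return new Proxy(api, {
        get: (target, p) => !isMethodName(p) ? undefined : (...params) => {
            const plan = target[p](...params);
            // Nothing reaches the transport until send() is called.
            return { send: (options = {}) => plan.execute({ signal: options.abortSignal, transport }) };
        },
    });
}

// Constructed stub transport: records payloads instead of touching the network.
const recordingTransport = log => async ({ payload }) => {
    log.push(payload);
    return { id: payload.id, jsonrpc: '2.0', result: 'ok' };
};

function demo() {
    const log = [];
    const reverseParams = request => ({ ...request, params: [...request.params].reverse() });
    const api = modelJsonRpcApi({ requestTransformer: reverseParams, responseTransformer: r => r.result });
    const pending = modelRpc({ api, transport: recordingTransport(log) }).foo('bar', { baz: 'bat' });
    const sentBeforeSend = log.length; // request built, nothing sent yet
    const result = pending.send();     // the transport is invoked here
    return { sentBeforeSend, payload: log[0], result };
}
```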
A config object with the following properties:
requestTransformer<T>(request: RpcRequest<T>): RpcRequest: An optional function that transforms the RpcRequest before it is sent to the JSON RPC server.
responseTransformer<T>(response: RpcResponse, request: RpcRequest): RpcResponse<T>: An optional function that transforms the RpcResponse before it is returned to the caller.
isJsonRpcPayload(payload)
A helper function that returns true if the given payload is a JSON RPC v2 payload. This means the payload is an object such that:
jsonrpc property with a value of '2.0'.
method property that is a string.
params property of any type.
    import { isJsonRpcPayload } from '@solana/rpc-spec';

    // `payload` is a value of unknown type; the check narrows it inside the block.
    if (isJsonRpcPayload(payload)) {
        const payloadMethod: string = payload.method;
        const payloadParams: unknown = payload.params;
    }
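Because any function with the RpcTransport shape can act as a transport, one transport can wrap another to enforce policy before a request leaves the process. The following added example (not part of the package; createAllowlistTransport, refusalReason and the local looksLikeJsonRpcPayload stand-in are hypothetical names) refuses payloads that fail the three checks above or whose method is not on an allow-list.

```javascript
// Local stand-in for isJsonRpcPayload, built from the three conditions listed above.
function looksLikeJsonRpcPayload(payload) {
    return payload !== null && typeof payload === 'object' && !Array.isArray(payload)
        && payload.jsonrpc === '2.0' && typeof payload.method === 'string' && 'params' in payload;
}

// Returns null when the payload may be forwarded, otherwise the reason it is refused.
function refusalReason(payload, allowedMethods) {
    if (!looksLikeJsonRpcPayload(payload)) return 'not a JSON RPC v2 payload';
    if (!allowedMethods.has(payload.method)) return `method not allowed: ${payload.method}`;
    return null;
}

// Hypothetical wrapper: an RpcTransport that forwards only allow-listed methods to `inner`.
function createAllowlistTransport(inner, allowedMethods, onRefuse = () => {}) {
    return async ({ payload, signal }) => {
        if (signal?.aborted) throw signal.reason; // already cancelled: send nothing
        const reason = refusalReason(payload, allowedMethods);
        if (reason !== null) {
            onRefuse(reason); // hook for logging or alerting
            throw new Error(`RPC request refused: ${reason}`);
        }
        return inner({ payload, signal });
    };
}

// Constructed scenario: a read-only service that must never submit transactions.
const READ_ONLY_METHODS = new Set(['getBalance', 'getLatestBlockhash']);
function demoGuard() {
    const forwarded = [];
    const refused = [];
    const inner = async ({ payload }) => {
        forwarded.push(payload.method);
        return { id: payload.id, jsonrpc: '2.0', result: null };
    };
    const transport = createAllowlistTransport(inner, READ_ONLY_METHODS, r => refused.push(r));
    const request = method => ({ payload: { id: 1, jsonrpc: '2.0', method, params: [] } });
    const ok = transport(request('getBalance'));
    const bad = transport(request('sendTransaction')).catch(e => e.message);
    return { forwarded, refused, ok, bad };
}
```

Passing the wrapped function wherever the page expects a transport keeps the allow-list in one place, and the onRefuse hook gives a single point to log refused methods.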