@uniswap/token-lists
This package includes a JSON schema for token lists, and TypeScript utilities for working with token lists.
The JSON schema represents the technical specification for a token list which can be used in a dApp interface, such as the Uniswap Interface.
Uniswap Token Lists is a specification for lists of token metadata (e.g. address, decimals, ...) that can be used by any dApp interface that needs one or more lists of tokens.
Anyone can create and maintain a token list, as long as they follow the specification.
Specifically, an instance of a token list is a JSON blob that contains a list of ERC20 token metadata for use in dApp user interfaces. Token list JSON must validate against the JSON schema in order to be used in the Uniswap Interface. Tokens on token lists, and token lists themselves, are tagged so that users can easily find tokens.
The JSON schema ID is https://uniswap.org/tokenlist.schema.json
This package does not include code for token list validation. You can easily do this by including a library such as ajv to perform the validation against the JSON schema. The schema is exported from the package for ease of use.
```typescript
import { schema } from '@uniswap/token-lists'
import Ajv from 'ajv'
import addFormats from 'ajv-formats'
import fetch from 'node-fetch'

const ARBITRUM_LIST = 'https://bridge.arbitrum.io/token-list-42161.json'

async function validate() {
  const ajv = new Ajv({ allErrors: true, verbose: true })
  addFormats(ajv)
  const validator = ajv.compile(schema)
  // Fetch the remote list and validate it against the token list schema.
  const response = await fetch(ARBITRUM_LIST)
  const data = await response.json()
  const valid = validator(data)
  if (valid) {
    return valid
  }
  if (validator.errors) {
    // Drop the echoed input from each error so the output stays readable.
    throw validator.errors.map(error => {
      delete error.data
      return error
    })
  }
}

validate()
  // Pass a callback: calling console.log(...) inline would print before validation finishes.
  .then(() => console.log('Valid List.'))
  .catch(console.error)
```
The best way to manually author token lists is to use an editor that supports JSON schema validation. Most popular code editors do, such as IntelliJ or VSCode. Other editors can be found here.
The schema is registered in the SchemaStore, and any file that matches the pattern `*.tokenlist.json` should automatically utilize the JSON schema for the supported text editors.
In order for your token list to be able to be used, it must pass all JSON schema validation.
If you want to automate token listing, e.g. by pulling from a smart contract, or other sources, you can use this npm package to take advantage of the JSON schema for validation and the TypeScript types. Otherwise, you are simply working with JSON. All the usual tools apply, e.g.:
```typescript
import { TokenList, schema } from '@uniswap/token-lists'

// generateMyTokenList and validateMyTokenList are placeholders for your own code.

// generate your token list however you like.
const myList: TokenList = generateMyTokenList();

// use a tool like `ajv` to validate your generated token list
validateMyTokenList(myList, schema);

// print the resulting JSON to stdout
process.stdout.write(JSON.stringify(myList));
```
Lists include a `version` field, which follows semantic versioning.
List versions must follow the rules:
Changing a token address or chain ID is considered both a remove and an add, and should be a major version update.
Note that list versioning is used to improve the user experience, not for security: list versions are not meant to provide protection against malicious updates to a token list. The list semver is a lossy compression of the diff of list updates. List updates may still be diffed in the client dApp.
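The client-side diff mentioned above, as an added example that is not part of the package or the original page: it diffs two lists by chain ID and address and flags an update whose version bump understates the change. The sample lists and addresses are constructed, and the bump rules for removals (major), additions (minor) and detail changes (patch) are assumed from the token list specification, since this page states only the address/chain ID rule.

```javascript
// Added example (not from @uniswap/token-lists). Sample lists are constructed.
const key = (t) => `${t.chainId}:${t.address.toLowerCase()}`;

// Tokens are identified by chainId + address, so an address change shows up
// as one removal plus one addition, as the text above describes.
function diffLists(oldList, newList) {
  const before = new Map(oldList.tokens.map((t) => [key(t), t]));
  const after = new Map(newList.tokens.map((t) => [key(t), t]));
  const added = [...after.keys()].filter((k) => !before.has(k));
  const removed = [...before.keys()].filter((k) => !after.has(k));
  const changed = [];
  for (const [k, t] of after) {
    const prev = before.get(k);
    if (!prev) continue;
    const fields = ['name', 'symbol', 'decimals', 'logoURI'].filter((f) => prev[f] !== t[f]);
    if (fields.length) changed.push({ key: k, fields });
  }
  return { added, removed, changed };
}

// Assumed rules: removal => major, addition => minor, detail change => patch.
function requiredBump({ added, removed, changed }) {
  if (removed.length) return 'major';
  if (added.length) return 'minor';
  return changed.length ? 'patch' : 'none';
}

// Which semver part the publisher actually incremented.
function declaredBump(a, b) {
  for (const part of ['major', 'minor', 'patch']) {
    if (b[part] > a[part]) return part;
    if (b[part] < a[part]) return 'downgrade';
  }
  return 'none';
}

const RANK = { downgrade: -1, none: 0, patch: 1, minor: 2, major: 3 };

// The diff is what the client should act on; the version is only a hint.
function reviewUpdate(oldList, newList) {
  const diff = diffLists(oldList, newList);
  const required = requiredBump(diff);
  const declared = declaredBump(oldList.version, newList.version);
  return { diff, required, declared, understated: RANK[declared] < RANK[required] };
}

// Constructed sample: same symbol, different address, published as a patch.
const OLD_LIST = { version: { major: 1, minor: 0, patch: 0 }, tokens: [
  { chainId: 1, address: '0x1111111111111111111111111111111111111111', symbol: 'EXA', name: 'Example', decimals: 18 }] };
const NEW_LIST = { version: { major: 1, minor: 0, patch: 1 }, tokens: [
  { ...OLD_LIST.tokens[0], address: '0x2222222222222222222222222222222222222222' }] };
console.log(reviewUpdate(OLD_LIST, NEW_LIST));
```

An update flagged as `understated` should be shown to the user as a full diff rather than accepted on the strength of its version number.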
Once you have authored the list, you can make it available at any URI. Prefer pinning your list to IPFS (e.g. via pinata.cloud) and referencing the list by an ENS name that resolves to the contenthash.
If hosted on HTTPS, make sure the endpoint is configured to send an access-control-allow-origin header to avoid CORS errors.
An ENS name can be assigned to an IPFS hash via the contenthash text record. This is the preferred way of referencing your list.
You can find a simple example of a token list in test/schema/example.tokenlist.json.
A snapshot of the Uniswap default list encoded as a token list is found in test/schema/bigexample.tokenlist.json.
FAQs
📚 The Token Lists specification
The npm package @uniswap/token-lists receives a total of 28,048 weekly downloads. As such, @uniswap/token-lists popularity was classified as popular.
We found that @uniswap/token-lists demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.