
@xmtp/browser-sdk
This package provides the XMTP client SDK for browsers.
To keep up with the latest SDK developments, see the Issues tab in this repo.
[!CAUTION] This SDK is in beta status and ready for you to build with in production. Software in this status may change based on feedback.
To learn how to use the XMTP client SDK for browsers, see Get started with the XMTP Browser SDK.
Coming soon
This SDK uses the origin private file system (OPFS) to persist a SQLite database and the SyncAccessHandle Pool VFS to access it. This VFS does not support multiple simultaneous connections.
This means that when using this SDK in your app, you must prevent multiple browser tabs or windows from accessing your app at the same time.
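One way to enforce the single-tab requirement above is to take an exclusive Web Lock before creating the client. This is an added example, not code from the XMTP SDK or its README; `LOCK_NAME`, `acquireSingleTabLock`, `startClientOnce` and the `createClient` factory are hypothetical names, and the lock manager is passed in so the logic can be exercised outside a browser.

```javascript
// Added example (not from the XMTP SDK). LOCK_NAME and both function names are
// hypothetical; createClient is whatever async factory your app uses to build
// the SDK client.
const LOCK_NAME = "xmtp-opfs-db";

// Try to take an exclusive Web Lock without waiting. Resolves to
// { release } when this tab owns the lock, or null when another tab holds it.
function acquireSingleTabLock(locks = globalThis.navigator?.locks, name = LOCK_NAME) {
  if (!locks) {
    return Promise.reject(new Error("Web Locks API is not available"));
  }
  return new Promise((resolve, reject) => {
    locks
      .request(name, { mode: "exclusive", ifAvailable: true }, (lock) => {
        if (lock === null) {
          resolve(null); // another tab or window already owns the database
          return undefined;
        }
        // The lock is held until the promise returned here settles.
        return new Promise((release) => resolve({ release }));
      })
      .catch(reject);
  });
}

// Create the client only if this tab won the lock; otherwise report "blocked"
// so the UI can tell the user the app is already open elsewhere.
async function startClientOnce(createClient, locks) {
  const held = await acquireSingleTabLock(locks);
  if (held === null) {
    return { status: "blocked" };
  }
  try {
    const client = await createClient();
    return { status: "owner", client, release: held.release };
  } catch (err) {
    held.release(); // do not keep other tabs locked out after a failed start
    throw err;
  }
}
```

The browser releases a Web Lock when the tab that holds it is closed, so a second tab can become the owner on its next attempt without any extra cleanup code.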
This SDK and some of its dependencies use import.meta.url. Some bundlers must be configured to account for this during development.
Add the following to vite.config.ts:

```ts
import { defineConfig } from "vite";

export default defineConfig({
  optimizeDeps: {
    exclude: ["@xmtp/wasm-bindings", "@xmtp/browser-sdk"],
    include: ["@xmtp/proto"],
  },
});
```
NPM
npm install @xmtp/browser-sdk
PNPM
pnpm install @xmtp/browser-sdk
Yarn
yarn add @xmtp/browser-sdk
Run yarn dev to build the SDK and watch for changes, which will trigger a rebuild.
- yarn build: Builds the SDK
- yarn clean: Removes node_modules, dist, and .turbo folders
- yarn dev: Builds the SDK and watches for changes, which will trigger a rebuild
- yarn test: Runs all tests
- yarn typecheck: Runs tsc
Because this SDK is in active development, you should expect breaking revisions that might require you to adopt the latest SDK release to enable your app to continue working as expected.
Breaking revisions in a Browser SDK release are described on the Releases page.
Older versions of the SDK will eventually be deprecated, which means:
The following table provides the deprecation schedule.
Announced | Effective | Minimum Version | Rationale |
---|---|---|---|
No more support for XMTP V2 | May 1, 2025 | >=1.1.4 | In a move toward better security with MLS and the ability to decentralize, we will be shutting down XMTP V2 and moving entirely to XMTP V3. To learn more about V2 deprecation, see XIP-53: XMTP V2 deprecation plan. To learn how to upgrade, see @xmtp/browser-sdk v1.1.4. |
Bug reports, feature requests, and PRs are welcome in accordance with these contribution guidelines.
FAQs
XMTP client SDK for browsers written in TypeScript
The npm package @xmtp/browser-sdk receives a total of 524 weekly downloads. As such, @xmtp/browser-sdk popularity was classified as not popular.
We found that @xmtp/browser-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.