Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Deterministic event-sourced state and side effect handling for blockchain applications
Demux is a backend infrastructure pattern for sourcing blockchain events to deterministically update queryable datastores and trigger side effects. This library serves as a reference implementation of that pattern for use with Node applications.
# Using yarn
yarn add demux
# Using npm
npm install demux --save
Taking inspiration from the Flux Architecture pattern and Redux, Demux was born out of the following qualifications:
Storing data in indexed state on blockchains can be useful for three reasons: decentralized consensus of computation results, usage of state from within other blockchain computations, and for retrieval of state for use in client front-ends. When building more complicated front-ends, you run into a few problems when retrieving directly from indexed blockchain state:
Demux solves these problems by off-loading queries to any persistence layer that you want. As blockchain events happen, your chosen persistence layer is updated by updater
functions, which deterministically process an array of Action
objects. The persistence layer can then be queried by your front-end through a suitable API (for example, REST or GraphQL).
This means that we can separate our concerns: for data that needs decentralized consensus of computation or access from other blockchain events, we can still store the data in indexed blockchain state, without having to worry about tailoring to front-end queries. For data required by our front-end, we can pre-process and index data in a way that makes it easy for it to be queried, in a horizontally scalable persistence layer of our choice. The end result is that both systems can serve their purpose more effectively.
Since we have a system for acting upon specific blockchain events deterministically, we can utilize this system to manage non-deterministic events as well. These effect
functions work almost exactly the same as updater
functions, except they run asynchronously, are not run during replays, and modifying the deterministic datastore is off-limits. Examples include: signing and broadcasting a transaction, sending an email, and initiating a traditional fiat payment.
There are other solutions to the above problems that involve legacy persistence layers that are their own sources of truth. By deriving all state from the blockchain, however, we gain the following benefits:
This library provides the following classes:
AbstractActionReader
: Abstract class used for implementing your own Action Readers
AbstractActionHandler
: Abstract class used for implementing your own Action Handlers
BaseActionWatcher
: Base class that implements a ready-to-use Action Watcher
Repository | Description |
---|---|
EOSIO / demux-js-eos * | Action Reader implementations for EOSIO blockchains |
EOSIO / demux-js-postgres * | Action Handler implementation for Postgres databases |
Zapata / demux-js-bitshares | Action Reader implementations for BitShares blockchain |
* Officially supported by Block.one
To get your project listed, add it here and submit a PR!
// Let's read from an EOS node
const { NodeosActionReader } = require("demux-eos")
// Assuming you've created your own subclass of AbstractActionHandler
const MyActionHandler = require("./MyActionHandler")
// Ties everything together in a polling loop
const { BaseActionWatcher } = require("demux")
// Import Updaters and Effects, which are arrays of objects:
// [ { actionType: string, (updater|effect): function }, ... ]
const updaters = require("./updaters")
const effects = require("./effects")
const actionReader = new NodeosActionReader(
"http://some-nodeos-endpoint:8888", // Locally hosted node needed for reasonable indexing speed
12345678, // First actions relevant to this dapp happen at this block
)
const actionHandler = new MyActionHandler(
updaters,
effects,
)
const actionWatcher = new BaseActionWatcher(
actionReader,
actionHandler,
250, // Poll at twice the block interval for less latency
)
actionWatcher.watch() // Start watch loop
For more complete examples, see the examples directory.
FAQs
Deterministic event-sourced state and side effect handling for blockchain applications
The npm package demux receives a total of 6 weekly downloads. As such, demux popularity was classified as not popular.
We found that demux demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.