Deterministic event-sourced state and side effect handling for blockchain applications
Demux is a backend infrastructure pattern for sourcing blockchain events to deterministically update queryable datastores and trigger side effects. This library serves as a reference implementation of that pattern for use with Node applications.
```bash
# Using yarn
yarn add demux
# Using npm
npm install demux --save
```
Taking inspiration from the Flux Architecture pattern and Redux, Demux was born out of the following qualifications:
Storing data in indexed state on blockchains can be useful for three reasons: decentralized consensus of computation results, usage of state from within other blockchain computations, and for retrieval of state for use in client front-ends. When building more complicated front-ends, you run into a few problems when retrieving directly from indexed blockchain state:
Demux solves these problems by off-loading queries to any persistence layer that you want. As blockchain events happen, your chosen persistence layer is updated by updater functions, which deterministically process an array of Action objects. The persistence layer can then be queried by your front-end through a suitable API (for example, REST or GraphQL).
This means that we can separate our concerns: for data that needs decentralized consensus of computation or access from other blockchain events, we can still store the data in indexed blockchain state, without having to worry about tailoring to front-end queries. For data required by our front-end, we can pre-process and index data in a way that makes it easy for it to be queried, in a horizontally scalable persistence layer of our choice. The end result is that both systems can serve their purpose more effectively.
Since we have a system for acting upon specific blockchain events deterministically, we can utilize this system to manage non-deterministic events as well. These effect functions work almost exactly the same as updater functions, except they run asynchronously, are not run during replays, and modifying the deterministic datastore is off-limits. Examples include: signing and broadcasting a transaction, sending an email, and initiating a traditional fiat payment.
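The replay rule matters most for effects such as signing and broadcasting a transaction: rebuilding the datastore must not fire them a second time. The following is an added sketch of the updater/effect split, not code from demux; `makeHandler`, `processBlocks`, the `isReplay` flag and the sample blocks are hypothetical names and constructed data.

```javascript
// Added illustration; not demux's implementation. All names are hypothetical.
function makeHandler(outbox) {
  return {
    updaters: [{
      actionType: "token::transfer",
      // Deterministic: the result depends only on prior state and the payload.
      apply: (state, { from, to, amount }) => {
        state.balances[from] = (state.balances[from] || 0) - amount
        state.balances[to] = (state.balances[to] || 0) + amount
      },
    }],
    effects: [{
      actionType: "token::transfer",
      // Stands in for sending an email or broadcasting a transaction.
      run: ({ to }, snapshot) => outbox.push(`notify ${to}: balance ${snapshot.balances[to]}`),
    }],
  }
}

function processBlocks(blocks, handler, state, isReplay) {
  const scheduled = []
  for (const block of blocks) {
    for (const action of block.actions) {
      handler.updaters
        .filter((u) => u.actionType === action.type)
        .forEach((u) => u.apply(state, action.payload))
      if (isReplay) continue // replays rebuild state only; effects must not fire again
      // Effects receive a detached copy, so they cannot write to the datastore.
      const snapshot = JSON.parse(JSON.stringify(state))
      handler.effects
        .filter((e) => e.actionType === action.type)
        .forEach((e) => scheduled.push(() => e.run(action.payload, snapshot)))
    }
  }
  return scheduled // the caller runs these outside the update path
}

// Constructed sample blocks.
const sampleBlocks = [
  { blockNumber: 1, actions: [{ type: "token::transfer", payload: { from: "alice", to: "bob", amount: 5 } }] },
  { blockNumber: 2, actions: [{ type: "token::transfer", payload: { from: "bob", to: "carol", amount: 2 } }] },
]

function demo() {
  const outbox = []
  const handler = makeHandler(outbox)
  const live = { balances: {} }
  processBlocks(sampleBlocks, handler, live, false).forEach((run) => run())
  const replayed = { balances: {} }
  const replayEffects = processBlocks(sampleBlocks, handler, replayed, true)
  return { live, replayed, outbox, replayEffects }
}
```

The replayed state matches the live state exactly, while the outbox holds only the two notifications from the live run.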
There are other solutions to the above problems that involve legacy persistence layers that are their own sources of truth. By deriving all state from the blockchain, however, we gain the following benefits:
Repository | Description |
---|---|
EOSIO / demux-js-eos * | Action Reader implementations for EOSIO blockchains |
EOSIO / demux-js-postgres * | Action Handler implementation for Postgres databases |
Zapata / demux-js-bitshares | Action Reader implementations for BitShares blockchain |
* Officially supported by Block.one
To get your project listed, add it here and submit a PR!
This library provides the following classes:
- AbstractActionReader: Abstract class used for implementing your own Action Readers
- AbstractActionHandler: Abstract class used for implementing your own Action Handlers
- BaseActionWatcher: Base class that implements a ready-to-use Action Watcher
- ExpressActionWatcher: Exposes the API methods from the BaseActionWatcher through an Express server
In order to process actions, we need the following things:
- AbstractActionReader
- AbstractActionHandler
- HandlerVersion, which contain Updater and Effect arrays
After we have these things, we need to:
- AbstractActionReader with any needed configuration
- AbstractActionHandler, passing in the HandlerVersion and any other needed configuration
- BaseActionWatcher (or a subclass), passing in the Action Handler and Action Watcher instances
- watch() method (by either calling it directly or otherwise)
```javascript
const { BaseActionWatcher, ExpressActionWatcher } = require("demux")
// Your own implementations of the abstract classes and handler versions
const { MyActionReader } = require("./MyActionReader")
const { MyActionHandler } = require("./MyActionHandler")
const { handlerVersions } = require("./handlerVersions")
const { readerConfig, handlerConfig, pollInterval, portNumber } = require("./config")
const actionReader = new MyActionReader(readerConfig)
const actionHandler = new MyActionHandler(handlerVersions, handlerConfig)
```
Then, either
```javascript
const watcher = new BaseActionWatcher(
  actionReader,
  actionHandler,
  pollInterval,
)
// Start polling for blocks and processing actions
watcher.watch()
```
Or,
```javascript
const expressWatcher = new ExpressActionWatcher(
  actionReader,
  actionHandler,
  pollInterval,
  portNumber,
)
expressWatcher.listen()
// You can then make a POST request to `/start` on your configured endpoint
```
See LICENSE for copyright and license terms. Block.one makes its contribution on a voluntary basis as a member of the EOSIO community and is not responsible for ensuring the overall performance of the software or any related applications. We make no representation, warranty, guarantee or undertaking in respect of the software or any related documentation, whether expressed or implied, including but not limited to the warranties or merchantability, fitness for a particular purpose and noninfringement. In no event shall we be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or documentation or the use or other dealings in the software or documentation. Any test results or performance figures are indicative and will not reflect performance under all conditions. Any reference to any third party or third-party product, service or other resource is not an endorsement or recommendation by Block.one. We are not responsible, and disclaim any and all responsibility and liability, for your use of or reliance on any of these resources. Third-party resources may be updated, changed or terminated at any time, so the information here may be out of date or inaccurate.
FAQs
The npm package demux receives a total of 6 weekly downloads. As such, demux popularity was classified as not popular.
We found that demux demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.