Read/write XDR encoded data structures (RFC 4506)
XDR is an open data format, specified in RFC 4506. This library provides a way to read and write XDR data from JavaScript. It can read/write all of the primitive XDR types and also provides facilities to define readers for the compound XDR types (enums, structs and unions).
via npm:
npm install --save @stellar/js-xdr
You can find some examples here.
First, let's import the library:
var xdr = require('@stellar/js-xdr');
// or
import xdr from '@stellar/js-xdr';
Now, let's look at how to decode some primitive types:
// booleans
xdr.Bool.fromXDR([0, 0, 0, 0]); // returns false
xdr.Bool.fromXDR([0, 0, 0, 1]); // returns true
// the inverse of `fromXDR` is `toXDR`, which returns a Buffer
xdr.Bool.toXDR(true); // returns Buffer.from([0,0,0,1])
// XDR ints and unsigned ints can be safely represented as
// a javascript number
xdr.Int.fromXDR([0xff, 0xff, 0xff, 0xff]); // returns -1
xdr.UnsignedInt.fromXDR([0xff, 0xff, 0xff, 0xff]); // returns 4294967295
// XDR Hypers, however, cannot be safely represented in the 53 bits
// of precision we get with a JavaScript `Number`, so we allow creation
// from big-endian arrays of numbers, strings, or bigints.
var result = xdr.Hyper.fromXDR([0, 0, 0, 0, 0, 0, 0, 0]); // returns an instance of xdr.Hyper
result = new xdr.Hyper(0); // equivalent
// convert the hyper to a string
result.toString(); // returns '0'
// math! (BigInt operands must be BigInt literals; mixing in a Number throws a TypeError)
var ten = result.toBigInt() + 10n;
var minusone = result.toBigInt() - 1n;
// construct a number from a string
var big = xdr.Hyper.fromString('1099511627776');
// encode the hyper back into xdr
big.toXDR(); // <Buffer 00 00 01 00 00 00 00 00>
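The byte layouts in the decoding samples above, as an added example that is not part of the js-xdr README or library: a strict decoder for the same primitives written against Node's built-in Buffer, rejecting wrong-length input and out-of-range booleans, which matters when the bytes come from an untrusted peer. The helper names (`exact`, `decodeBool`, `decodeHyper`, `encodeHyper` and so on) and the sample bytes are constructed for illustration.

```javascript
// Added example: strict RFC 4506 primitive decoding with Node's global Buffer.
// All function names here are hypothetical helpers, not js-xdr API.
function exact(bytes, size) {
  const buf = Buffer.from(bytes);
  // Reject short or trailing input instead of silently ignoring it.
  if (buf.length !== size) {
    throw new RangeError(`expected ${size} bytes, got ${buf.length}`);
  }
  return buf;
}

function decodeInt(bytes) {
  return exact(bytes, 4).readInt32BE(0); // signed 32-bit, big-endian
}

function decodeUint(bytes) {
  return exact(bytes, 4).readUInt32BE(0); // unsigned 32-bit, big-endian
}

function decodeBool(bytes) {
  const v = decodeUint(bytes);
  // RFC 4506 defines bool as an enum with only the values 0 and 1.
  if (v > 1) throw new RangeError(`invalid XDR bool value ${v}`);
  return v === 1;
}

function decodeHyper(bytes) {
  // BigInt keeps all 64 bits; a Number would round above 2^53.
  return exact(bytes, 8).readBigInt64BE(0);
}

function encodeHyper(value) {
  const n = BigInt(value);
  // Refuse values that do not fit in a signed 64-bit integer.
  if (BigInt.asIntN(64, n) !== n) throw new RangeError('hyper out of range');
  const buf = Buffer.alloc(8);
  buf.writeBigInt64BE(n, 0);
  return buf;
}

// Constructed sample: 2^53 + 1, the first integer a Number cannot hold exactly.
const sample = [0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01];
const exactValue = decodeHyper(sample); // BigInt, no precision loss
const lossy = Number(exactValue);       // rounded to the nearest double
```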
There are a couple of caveats to be aware of with this library:
js-xdr by itself does not have any ability to parse XDR IDL files and produce a parser for your custom data types. Instead, that is the responsibility of xdrgen. xdrgen will take your .x files and produce a JavaScript file that targets this library to allow for your own custom types.
See stellar-base for an example (check out the src/generated directory).
Please see CONTRIBUTING.md for details.
git clone https://github.com/stellar/js-xdr.git
cd js-xdr
npm i
Because we support the oldest maintenance version of Node, please install and develop on Node 14 so you don't get surprised when your code works locally but breaks in CI.
Here's how to install nvm if you haven't: https://github.com/creationix/nvm
nvm install
# if you've never installed 14.x before you'll want to re-install yarn
npm install -g yarn
If you work on several projects that use different Node versions, you might find it helpful to install this automatic version manager: https://github.com/wbyoung/avn
While you're making changes, make sure to run the linter periodically to catch any linting errors (in addition to making sure your text editor supports ESLint):
yarn fmt
If you're working on a file not in src, limit your code to Node 14! See what's supported here: https://node.green/ (The reason is that our npm library must support earlier versions of Node, so the tests need to run on those versions.)
The npm package js-xdr receives a total of 13,401 weekly downloads. As such, js-xdr popularity was classified as popular.
We found that js-xdr demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.