Read/write XDR encoded data structures (RFC 4506)
XDR is an open data format, specified in RFC 4506. This library provides a way to read and write XDR data from JavaScript. It can read/write all of the primitive XDR types and also provides facilities to define readers for the compound XDR types (enums, structs and unions).
Install via npm:
npm install --save @stellar/js-xdr
You can find some examples here.
First, let's import the library:
var xdr = require('@stellar/js-xdr');
// or
import xdr from '@stellar/js-xdr';
Now, let's look at how to decode some primitive types:
// booleans
xdr.Bool.fromXDR([0, 0, 0, 0]); // returns false
xdr.Bool.fromXDR([0, 0, 0, 1]); // returns true
// the inverse of `fromXDR` is `toXDR`, which returns a Buffer
xdr.Bool.toXDR(true); // returns Buffer.from([0,0,0,1])
// XDR ints and unsigned ints can be safely represented as
// a javascript number
xdr.Int.fromXDR([0xff, 0xff, 0xff, 0xff]); // returns -1
xdr.UnsignedInt.fromXDR([0xff, 0xff, 0xff, 0xff]); // returns 4294967295
// XDR Hypers, however, cannot be safely represented in the 53-bits
// of precision we get with a JavaScript `Number`, so we allow creation from big-endian arrays of numbers, strings, or bigints.
var result = xdr.Hyper.fromXDR([0, 0, 0, 0, 0, 0, 0, 0]); // returns an instance of xdr.Hyper
result = new xdr.Hyper(0); // equivalent
// convert the hyper to a string
result.toString(); // returns '0'
// math! `toBigInt()` returns a BigInt, and JavaScript refuses to mix BigInt
// and Number operands, so use BigInt literals (`10n`, not `10`)
var ten = result.toBigInt() + 10n;
var minusone = result.toBigInt() - 1n;
// construct a number from a string
var big = xdr.Hyper.fromString('1099511627776');
// encode the hyper back into xdr
big.toXDR(); // <Buffer 00 00 01 00 00 00 00 00>
There are a couple of caveats to be aware of with this library:

js-xdr by itself does not have any ability to parse XDR IDL files and produce a parser for your custom data types. Instead, that is the responsibility of xdrgen. xdrgen will take your .x files and produce a JavaScript file that targets this library to allow for your own custom types.

See stellar-base for an example (check out the src/generated directory).
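Because js-xdr only ships the primitive readers and leaves the compound types to xdrgen's generated code, it helps to see what an RFC 4506 decoder actually does on the wire. What follows is an added example written for this page, not code from js-xdr, xdrgen or stellar-base: a small reader/writer for the primitive types decoded above (bool, int, unsigned int, hyper as a BigInt, variable-length opaque/string) plus a hand-written decoder for a hypothetical `Payment` struct of the kind xdrgen would generate from a `.x` file. The struct, the `MAX_OPAQUE` limit and the sample bytes are assumptions constructed for the example. The bounds, padding and trailing-byte checks are what you want when the bytes come from an untrusted peer: the length prefix of a variable-length field is attacker-controlled and must be validated against both the IDL bound and the bytes actually remaining.

```javascript
// Added example for this page; not code from @stellar/js-xdr or xdrgen.
// Runs on Node (Buffer is a global); no dependencies.

const MAX_OPAQUE = 1024; // assumed policy limit for unbounded variable-length fields
const pad4 = (n) => n + ((4 - (n % 4)) % 4); // RFC 4506: every item is a multiple of 4 bytes

class XdrReader {
  constructor(bytes) {
    this.buf = Buffer.from(bytes); // copies arrays and Buffers alike
    this.pos = 0;
  }
  // Refuse to read past the end of the input.
  need(n) {
    if (this.pos + n > this.buf.length) {
      throw new RangeError(`XDR: need ${n} bytes at offset ${this.pos}, have ${this.buf.length - this.pos}`);
    }
  }
  readInt()         { this.need(4); const v = this.buf.readInt32BE(this.pos);  this.pos += 4; return v; }
  readUnsignedInt() { this.need(4); const v = this.buf.readUInt32BE(this.pos); this.pos += 4; return v; }
  // RFC 4506 bool is an enum { FALSE = 0, TRUE = 1 }; anything else is malformed.
  readBool() {
    const v = this.readUnsignedInt();
    if (v > 1) throw new TypeError(`XDR: bool must be 0 or 1, got ${v}`);
    return v === 1;
  }
  // 64-bit hypers come back as BigInt so values above 2^53 are not rounded.
  readHyper()         { this.need(8); const v = this.buf.readBigInt64BE(this.pos);  this.pos += 8; return v; }
  readUnsignedHyper() { this.need(8); const v = this.buf.readBigUInt64BE(this.pos); this.pos += 8; return v; }
  // Variable-length opaque: u32 length, the bytes, then zero padding to a multiple of 4.
  // The length comes from the wire, so bound it before slicing or allocating anything.
  readVarOpaque(max = MAX_OPAQUE) {
    const len = this.readUnsignedInt();
    if (len > max) throw new RangeError(`XDR: opaque length ${len} exceeds limit ${max}`);
    const padded = pad4(len);
    this.need(padded);
    for (let i = this.pos + len; i < this.pos + padded; i++) {
      if (this.buf[i] !== 0) throw new TypeError('XDR: non-zero padding byte');
    }
    const out = Buffer.from(this.buf.subarray(this.pos, this.pos + len));
    this.pos += padded;
    return out;
  }
  readString(max = MAX_OPAQUE) { return this.readVarOpaque(max).toString('utf8'); }
  // Bytes left over after the last field mean the message is not what we think it is.
  finish() {
    if (this.pos !== this.buf.length) {
      throw new RangeError(`XDR: ${this.buf.length - this.pos} unexpected trailing bytes`);
    }
  }
}

class XdrWriter {
  constructor() { this.chunks = []; }
  push4(fill)         { const b = Buffer.alloc(4); fill(b); this.chunks.push(b); return this; }
  writeInt(v)         { return this.push4((b) => b.writeInt32BE(v)); }
  writeUnsignedInt(v) { return this.push4((b) => b.writeUInt32BE(v)); }
  writeBool(v)        { return this.writeUnsignedInt(v ? 1 : 0); }
  writeHyper(v)       { const b = Buffer.alloc(8); b.writeBigInt64BE(BigInt(v)); this.chunks.push(b); return this; }
  writeVarOpaque(bytes) {
    const src = Buffer.from(bytes);
    this.writeUnsignedInt(src.length);
    const b = Buffer.alloc(pad4(src.length)); // zero-filled, so the padding comes for free
    src.copy(b);
    this.chunks.push(b);
    return this;
  }
  writeString(s) { return this.writeVarOpaque(Buffer.from(s, 'utf8')); }
  toXDR() { return Buffer.concat(this.chunks); }
}

// Hypothetical struct (not a real Stellar type), as if xdrgen had been fed:
//   struct Payment { string memo<32>; hyper amount; bool settled; };
function decodePayment(bytes) {
  const r = new XdrReader(bytes);
  const memo = r.readString(32); // the <32> bound from the IDL, enforced before slicing
  const amount = r.readHyper();
  const settled = r.readBool();
  r.finish();
  return { memo, amount, settled };
}

function encodePayment({ memo, amount, settled }) {
  return new XdrWriter().writeString(memo).writeHyper(amount).writeBool(settled).toXDR();
}

// Constructed sample: memo "hi" (length 2 plus 2 pad bytes), amount 2^40, settled = true.
const SAMPLE_PAYMENT = Buffer.from([
  0x00, 0x00, 0x00, 0x02, 0x68, 0x69, 0x00, 0x00,
  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x01,
]);

// Why a hyper must stay a BigInt: 2^53 + 1 survives the wire, but not a Number.
function hyperPrecisionCheck() {
  const exact = new XdrReader(new XdrWriter().writeHyper((1n << 53n) + 1n).toXDR()).readHyper();
  return { exact, survivesNumber: BigInt(Number(exact)) === exact };
}

console.log(decodePayment(SAMPLE_PAYMENT), hyperPrecisionCheck());
```

Two points are worth carrying over to real code. First, a length prefix of `0xffffffff` on an 8-byte message is rejected by the IDL bound before any allocation happens, and a truncated or over-long message is rejected by `need()` and `finish()` rather than silently decoding to something plausible. Second, amounts and other 64-bit fields should stay BigInt end to end: `Number(hyper)` rounds anything above 2^53, and mixing a BigInt with a plain Number in arithmetic throws a `TypeError`, so use `10n`-style literals as in the corrected math example above.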
Please see CONTRIBUTING.md for details.
git clone https://github.com/stellar/js-xdr.git
cd js-xdr
npm i
Because we support the oldest maintenance version of Node, please install and develop on Node 14 so you don't get surprised when your code works locally but breaks in CI.
Here's how to install nvm if you haven't: https://github.com/creationix/nvm
nvm install
# if you've never installed 14.x before you'll want to re-install yarn
npm install -g yarn
If you work on several projects that use different Node versions, you might find it helpful to install this automatic version manager: https://github.com/wbyoung/avn
While you're making changes, make sure to run the linter periodically to catch any linting errors (in addition to making sure your text editor supports ESLint)
yarn fmt
If you're working on a file not in src, limit your code to Node 14! See what's supported here: https://node.green/ (The reason is that our npm library must support earlier versions of Node, so the tests need to run on those versions.)