npm - @gvnrdao/dh-sdk - Versions diffs - 0.0.272 → 0.0.273 - Mend

@gvnrdao/dh-sdk 0.0.272 → 0.0.273

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/browser/dist/browser.js +1 -1
package/dist/index.js +14 -3
package/dist/index.mjs +14 -3
package/dist/utils/service-endpoint-policy.d.ts +4 -0
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -34716,6 +34716,12 @@ function getSepoliaConfig() {
   });
   return {
     mode: "service",
+    // No production default — fail closed if unset. A missing LIT_OPS_ENDPOINT must
+    // NOT silently route signed/authenticated requests to the production service:
+    // that masks misconfiguration in local/dev/test. Returns "" when unset (Node:
+    // env missing; browser: always), so downstream validateServiceModeConfig throws.
+    // Node consumers must set LIT_OPS_ENDPOINT; browser apps pass serviceEndpoint
+    // explicitly from decrypted /v1/init (user config still wins over this).
     serviceEndpoint: readInitBackedEnv("LIT_OPS_ENDPOINT"),
     chainId: 11155111,
     name: "sepolia",
@@ -107694,7 +107700,8 @@ function assertSafeServiceEndpoint(endpoint) {
   if (url.protocol === "http:") {
     const host = url.hostname.replace(/^\[|\]$/g, "");
     const isLoopback = host === "localhost" || host === "127.0.0.1" || host === "::1" || // IPv4 loopback range 127.0.0.0/8 (numeric — not resolvable/hijackable).
-    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+    // Each of the trailing three octets must be a valid 0–255 value.
+    /^127\.(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){2}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/.test(host);
     if (isLoopback)
       return;
     throw new Error(
@@ -123004,11 +123011,15 @@ Error data: ${errorData || "none"}`
   async getAddressBalance(vaultAddress) {
     this.ensureInitialized();
     try {
-      if (this.config.mode !== "service") {
+      if (!isServiceModeConfig(this.config)) {
         throw new Error("getAddressBalance requires service mode \u2014 standalone mode is not supported");
       }
+      const trimmedAddress = vaultAddress?.trim();
+      if (!trimmedAddress) {
+        throw new Error("vaultAddress is required");
+      }
       const serviceEndpoint = this.config.serviceEndpoint;
-      const url = `${serviceEndpoint}/api/lit/address-balance?vaultAddress=${encodeURIComponent(vaultAddress)}`;
+      const url = `${serviceEndpoint}/api/lit/address-balance?vaultAddress=${encodeURIComponent(trimmedAddress)}`;
       const response = await fetch(url, {
         headers: await this.getAuthHeader()
       });

package/dist/index.mjs CHANGED Viewed

@@ -34722,6 +34722,12 @@ function getSepoliaConfig() {
   });
   return {
     mode: "service",
+    // No production default — fail closed if unset. A missing LIT_OPS_ENDPOINT must
+    // NOT silently route signed/authenticated requests to the production service:
+    // that masks misconfiguration in local/dev/test. Returns "" when unset (Node:
+    // env missing; browser: always), so downstream validateServiceModeConfig throws.
+    // Node consumers must set LIT_OPS_ENDPOINT; browser apps pass serviceEndpoint
+    // explicitly from decrypted /v1/init (user config still wins over this).
     serviceEndpoint: readInitBackedEnv("LIT_OPS_ENDPOINT"),
     chainId: 11155111,
     name: "sepolia",
@@ -107618,7 +107624,8 @@ function assertSafeServiceEndpoint(endpoint) {
   if (url.protocol === "http:") {
     const host = url.hostname.replace(/^\[|\]$/g, "");
     const isLoopback = host === "localhost" || host === "127.0.0.1" || host === "::1" || // IPv4 loopback range 127.0.0.0/8 (numeric — not resolvable/hijackable).
-    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+    // Each of the trailing three octets must be a valid 0–255 value.
+    /^127\.(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){2}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/.test(host);
     if (isLoopback)
       return;
     throw new Error(
@@ -122928,11 +122935,15 @@ Error data: ${errorData || "none"}`
   async getAddressBalance(vaultAddress) {
     this.ensureInitialized();
     try {
-      if (this.config.mode !== "service") {
+      if (!isServiceModeConfig(this.config)) {
         throw new Error("getAddressBalance requires service mode \u2014 standalone mode is not supported");
       }
+      const trimmedAddress = vaultAddress?.trim();
+      if (!trimmedAddress) {
+        throw new Error("vaultAddress is required");
+      }
       const serviceEndpoint = this.config.serviceEndpoint;
-      const url = `${serviceEndpoint}/api/lit/address-balance?vaultAddress=${encodeURIComponent(vaultAddress)}`;
+      const url = `${serviceEndpoint}/api/lit/address-balance?vaultAddress=${encodeURIComponent(trimmedAddress)}`;
       const response = await fetch(url, {
         headers: await this.getAuthHeader()
       });

package/dist/utils/service-endpoint-policy.d.ts CHANGED Viewed

@@ -8,5 +8,9 @@
  * loopback by RFC 6761, but not every resolver honours it strictly — a hostile or misconfigured
  * DNS could resolve `foo.localhost` to an off-host IP and exfiltrate the cleartext token. Exact
  * loopback literals + the numeric 127.0.0.0/8 range can't be DNS-hijacked.
+ *
+ * IPv4-mapped IPv6 loopback (e.g. `http://[::ffff:127.0.0.1]`) is intentionally NOT accepted: the
+ * URL parser normalises it to a hex form (`[::ffff:7f00:1]`) that is fragile to match safely. Use
+ * `127.0.0.1`, `::1`, or `localhost` for local development.
  */
 export declare function assertSafeServiceEndpoint(endpoint: string): void;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gvnrdao/dh-sdk",
-  "version": "0.0.272",
+  "version": "0.0.273",
   "description": "TypeScript SDK for Diamond Hands Protocol - Bitcoin-backed lending with LIT Protocol PKPs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",