helius-labs / helius-sdk Goto Github PK

When using the getAssetsByOwner() function, the interface "FungibleToken" is encountered, but it's not available as an option in the SDK's Interface enum.

The events (TransactionEvent) property of EnrichedTransaction should have an array when the burned asset is a compressed NFT, but instead the declared type is CompressedNftEvent | null.

See: https://github.com/helius-labs/helius-sdk/blob/main/src/types/types.ts#L228

Since version 1.2.2 creating a webhook using the createWebhook gives the following error:

Error: invalid API path: /v0/webhooks

Hey! It would be awesome if the SDK has a method for the /v0/transactions (parsed transactions) endpoint. The endpoint's response is pretty complex, if you're trying to write type-safe code you would need to manually write the types for the response (or use a type generator).

Will these 2 lines of code throw an error if the user wants to listen to PDA addresses, since PDA addresses are not on the curve (I believe)?

This should be checked. I'll give my best to do it early next week.
Posting this issue as a reminder to myself and to increase awareness to you guys for potential errors which these lines might cause.

Currently, Helius client can be only initialized by apiKey for backend services.

I think it would be better to have it available for frontend and it needs to be initialized with secure url as well.

This field allows a string delegate address to be included when searching assets. It doesn't return anything if a number is used.

I would like to create a webhook with a ID like 'solana-webhook' for my account so I don't have to save/reference a randomly generated UUID. Thanks!

I believe this should be string[]:

https://github.com/helius-labs/helius-sdk/blob/1661f48bdfeae5dc08c36cbf37ec761cbae167bf/src/types/das-types.ts#L57C19-L57C19

• Current typescript type for Webhook:

Summary:
I believe I have identified a security vulnerability in the helius-sdk package and its dependencies. The issue relates to the version of Axios being used in the package's dependency chain, which is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability (severity: moderate). This vulnerability can potentially expose applications to security risks.

Steps to Reproduce:
Install the helius-sdk package using the command: npm install helius-sdk
Check the npm audit report using: npm audit

Observed Behavior:
The npm audit report identifies the following vulnerabilities:

Axios (0.8.1 - 1.5.1): Moderate severity CSRF vulnerability. Advisory Link
aptos (<= 1.13.3): Depends on vulnerable Axios versions.
@irys/sdk: Depends on vulnerable versions of aptos.
helius-sdk (>= 1.0.16): Depends on vulnerable versions of @irys/sdk.

Expected Behavior:
The helius-sdk package should use an updated version of Axios that does not have known security vulnerabilities.

Impact:
The identified vulnerabilities may expose applications to potential security threats and could lead to unauthorized actions, data breaches, or other security issues.

Additional Information:
The vulnerability report indicates that updating Axios to a secure version is a possible solution, but it may result in a breaking change ([email protected]).

Steps Taken:
I've made sure my node and npm are fully updated.

Environment:
Node.js version: 20.11.0
npm version: 10.2.4

Additional Notes:
This is the first GitHub issue I've reported. There could be a misunderstanding on my part. Also this vulnerability may not even affect anything about the functionality of the library. I'm testing out the Helius SDK and thought I would report it. Thank you.

Currently, Helius client can be only initialized by apiKey for backend services.

I think it would be better to have it available for frontend and it needs to be initialized with secure url as well.

Steps to reproduce

const endpoint = "https://rpc-devnet.helius.xyz/?api-key=<API_KEY>" // insert API key
const connection = new Connection(endpoint, 'confirmed');
const signature = await connection.requestAirdrop(
  new PublicKey('<WALLET_ADDRESS>'), // insert some wallet address
  1000000000, // 1 Solana
);

// Things broke down at this point but in case they start working it's nice to wait for transaction confirmation
const blockhashWithExpiryBlockHeight = await connection.getLatestBlockhash();
await connection.confirmTransaction(
  {
    signature: sign,
    ...blockhashWithExpiryBlockHeight,
  },
  'confirmed',
);

Issue happens in the create and validate functions from the superstruct package

/**
 * Create a value with the coercion logic of struct and validate it.
 */

export function create<T, S>(
  value: unknown,
  struct: Struct<T, S>,
  message?: string
): T {
  const result = validate(value, struct, { coerce: true, message })

  if (result[0]) {
    throw result[0]
  } else {
    return result[1]
  }
}

In this context, grand_total is a number or undefined, not boolean.

https://github.com/helius-labs/helius-sdk/blob/0fdf3f941cec356f658ffab27f2dea521ee3c42c/src/types/das-types.ts#L139C17-L139C24