bitcoinjs / bitcoinjs-lib

A javascript Bitcoin library for node.js and browsers.
MIT License
5.72k stars 2.11k forks source link
bitcoin bitcoinjs bitcoinjs-lib browserify javascript nodejs
BitcoinJS kawaii logo

(Logo by @sawaratsuki1004)

(LICENSE for the logo is on SAWARATSUKI Github repo)

Github CI NPM code style: prettier

A javascript Bitcoin library for node.js and browsers. Written in TypeScript, but committing the JS files to verify.

Released under the terms of the MIT LICENSE.

Should I use this in production?

If you are thinking of using the master branch of this library in production, stop. Master is not stable; it is our development branch, and only tagged releases may be classified as stable.

Can I trust this code?

Don't trust. Verify.

We recommend every user of this library and the bitcoinjs ecosystem audit and verify any underlying code for its validity and suitability, including reviewing any and all of your project's dependencies.

Mistakes and bugs happen, but with your help in resolving and reporting issues, together we can produce open source software that is:

Documentation

Visit our documentation to explore the available resources. We're continually enhancing our documentation with additional features for an enriched experience. If you need further guidance beyond what our examples offer, don't hesitate to ask for help. We're here to assist you.

You can find a Web UI that covers most of the psbt.ts, transaction.ts and p2*.ts APIs here.

How can I contact the developers outside of Github?

Most of the time, this is not appropriate. Creating issues and pull requests in the open will help others with similar issues, so please try to use public issues and pull requests for communication.

That said, sometimes developers might be open to taking things off the record (ie. You want to share code that you don't want public to get help with it). In that case, please negotiate on the public issues as to where you will contact.

We have created public rooms on IRC (#bitcoinjs on libera.chat) and Matrix (#bitcoinjs-dev:matrix.org). These two channels have been joined together in a Matrix "Space" which has the Matrix room AND an IRC bridge room that can converse with the IRC room. The "Space" is #bitcoinjs-space:matrix.org.

Matrix and IRC both have functions for direct messaging, but IRC is not end to end encrypted, so Matrix is recommended for most communication. The official Matrix client maintained by the Matrix core team is called "Element" and can be downloaded here: https://element.io/download (Account creation is free on the matrix.org server, which is the default setting for Element.)

We used to have a Slack. It is dead. If you find it, no one will answer you most likely.

No we will not make a Discord.

Installation

npm install bitcoinjs-lib
# optionally, install a key derivation library as well
npm install ecpair bip32
# ecpair is the ECPair class for single keys
# bip32 is for generating HD keys

Previous versions of the library included classes for key management (ECPair, HDNode(->"bip32")) but now these have been separated into different libraries. This lowers the bundle size significantly if you don't need to perform any crypto functions (converting private to public keys and deriving HD keys).

Typically we support the Node Maintenance LTS version. TypeScript target will be set to the ECMAScript version in which all features are fully supported by current Active Node LTS. However, depending on adoption among other environments (browsers etc.) we may keep the target back a year or two. If in doubt, see the main_ci.yml for what versions are used by our continuous integration tests.

WARNING: We presently don't provide any tooling to verify that the release on npm matches GitHub. As such, you should verify anything downloaded by npm against your own verified copy.

Usage

Crypto is hard.

When working with private keys, the random number generator is fundamentally one of the most important parts of any software you write. For random number generation, we default to the randombytes module, which uses window.crypto.getRandomValues in the browser, or Node js' crypto.randomBytes, depending on your build system. Although this default is ~OK, there is no simple way to detect if the underlying RNG provided is good enough, or if it is catastrophically bad. You should always verify this yourself to your own standards.

This library uses tiny-secp256k1, which uses RFC6979 to help prevent k re-use and exploitation. Unfortunately, this isn't a silver bullet. Often, Javascript itself is working against us by bypassing these counter-measures.

Problems in Buffer (UInt8Array), for example, can trivially result in catastrophic fund loss without any warning. It can do this through undermining your random number generation, accidentally producing a duplicate k value, sending Bitcoin to a malformed output script, or any of a million different ways. Running tests in your target environment is important and a recommended step to verify continuously.

Finally, adhere to best practice. We are not an authoritative source of best practice, but, at the very least:

Browser

The recommended method of using bitcoinjs-lib in your browser is through browserify.

If you'd like to use a different (more modern) build tool than browserify, you can compile just this library and its dependencies into a single JavaScript file:

$ npm install bitcoinjs-lib browserify
$ npx browserify --standalone bitcoin -o bitcoinjs-lib.js <<< "module.exports = require('bitcoinjs-lib');"

Which you can then import as an ESM module:

<script type="module">import "/scripts/bitcoinjs-lib.js"</script>

Using Taproot:

When utilizing Taproot features with bitcoinjs-lib, you may need to include an additional ECC (Elliptic Curve Cryptography) library. The commonly used tiny-secp256k1 library, however, might lead to compatibility issues due to its reliance on WASM (WebAssembly). The following alternatives may be used instead, though they may be significantly slower for high volume of signing and pubkey deriving operations.

Alternatives for ECC Library:

  1. @bitcoinjs-lib/tiny-secp256k1-asmjs A version of tiny-secp256k1 compiled to ASM.js directly from the WASM version, potentially better supported in browsers. This is the slowest option.
  2. @bitcoinerlab/secp256k1 Another alternative library for ECC functionality. This requires access to the global BigInt primitive. For advantages and detailed comparison of these libraries, visit: tiny-secp256k1 GitHub page.

NOTE: We use Node Maintenance LTS features, if you need strict ES5, use --transform babelify in conjunction with your browserify step (using an es2015 preset).

WARNING: iOS devices have problems, use at least buffer@5.0.5 or greater, and enforce the test suites (for Buffer, and any other dependency) pass before use.

Typescript or VSCode users

Type declarations for Typescript are included in this library. Normal installation should include all the needed type information.

Examples

The below examples are implemented as integration tests, they should be very easy to understand. Otherwise, pull requests are appreciated. Some examples interact (via HTTPS) with a 3rd Party Blockchain Provider (3PBP).

If you have a use case that you feel could be listed here, please ask for it!

Contributing

See CONTRIBUTING.md.

Running the test suite

npm test
npm run-script coverage

Complementing Libraries

Alternatives

LICENSE MIT