📢 steem-js v1.0.13 and v1.0.14 Released

in #steemit · 12 hours ago

We’re pleased to announce two new releases of steem-js, the official JavaScript library for the Steem blockchain.


v1.0.13 — Full binary serialization (PR #519)

v1.0.13 adds complete binary serialization support for all Steem operation types (indices 0–54).

  • Serializer: Full serializeOperationData coverage and per-operation serializers for vote, comment, transfer, account create/update, witness, escrow, market, rewards, PoW, custom ops, and the rest of the protocol set, aligned with the steemutil protocol and C++ FC layout.
  • Helpers: Shared encoding for assets, authorities, time points, booleans, extensions, chain properties, and related types.
  • Tests: Cross-language fixtures (generated with steemutil) and test/serializer-cross-lang.test.ts to ensure JS output matches expected hex.
  • Docs: New “Transaction serialization (binary)” section in the Broadcast docs describing coverage, usage (toBuffer / serializeTransaction), and compatibility.
  • comment_options: Serialization implemented (previously threw “not fully implemented”).

This release is based on PR #519 (branch refactor/serializer-all-opsnext).


v1.0.14 — Security audit fixes (PR #520–#533)

v1.0.14 incorporates fixes from a security audit, addressing key and transport hardening, validation, and safe defaults.

Key and validation

  • PR #520 — WIF parsing: enforce 37-byte length and explicit slice ranges to avoid out-of-bounds reads.
  • PR #521 — Constant-time comparison for WIF checksum to mitigate timing side channels.
  • PR #523 — PrivateKey.fromBuffer: require exactly 32 bytes; throw instead of warning and continuing.
  • PR #524 — Serializer fromBuffer: require at least 66 bytes before reading two 33-byte public keys.
  • PR #525 — Memo nonce: remove Number fallback; use Long.fromString only to avoid precision loss.

Signing and RPC

  • PR #522 — RPC signed requests: allow clock skew (e.g. 5 minutes) in addition to 60s validity to reduce false rejections.
  • PR #527 — Canonical signature search: cap nonce attempts at 1000 to avoid theoretical infinite loops.

Randomness and encryption

  • PR #526 — random32ByteBuffer: use secure random as primary; optional entropy mixed in a single hash (no time-based loop).
  • PR #531 — uniqueNonce: use randomBytes(4) plus timestamp for a 64-bit nonce instead of Math.random().

Transport and TLS

  • PR #528 — HTTP transport: optional httpsOptions (rejectUnauthorized, ca) and Node-only use of node:undici Agent for custom TLS/certificate pinning.

Memo and API

  • PR #530 — Memo decode: optional expectedRecipientPubKey and explicit “not encrypted for this key” error when the key matches neither from nor to.

Logging and build

  • PR #529 — Signature recovery: log r/s and public key only when NODE_ENV === 'development'.
  • PR #532 — Production minified UMD: drop_console: true and strip console.log / console.info / console.debug.
  • PR #533 — Transaction debug: full payload only in development; add pnpm run audit for dependency checks.

All of the above are included in PRs #520–#533 (security audit remediation).


Upgrade

  • npm: npm install @steemit/steem-js@1.0.14
  • pnpm: pnpm add @steemit/steem-js@1.0.14
  • Git: tag v1.0.14 or branch next

We recommend that all applications using steem-js for signing, broadcast, or memo encryption upgrade to v1.0.14 for the security fixes. v1.0.13 remains available if you need only the serializer changes.


Links

Thanks to everyone who contributed and reviewed these changes.

Upvoted! Thank you for supporting witness @jswit.

You did a really great job!!!
