Releases: solana-labs/solana-web3.js
v1.95.8
1.95.8 (2024-12-03)
Earlier today, a publish-access account was compromised for `@solana/web3.js`, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 2, 2024.
These two unauthorized versions (1.95.6 and 1.95.7) were caught within hours and have since been unpublished.
We are asking all Solana app developers to upgrade to version 1.95.8. Developers pinned to `latest` should also upgrade to 1.95.8.
Developers that suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on.
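One way to check a project against this advisory, as an added example that is not code from the web3.js project: the script below scans a parsed `package-lock.json` for direct or transitive installs of the two unauthorized versions. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: report lockfile entries that resolve @solana/web3.js to a
// version the advisory above names as unauthorized.
const PACKAGE = '@solana/web3.js';
const BAD_VERSIONS = new Set(['1.95.6', '1.95.7']); // taken from the advisory

// npm lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/some-sdk/node_modules/@solana/web3.js" for a nested copy.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    const isTarget =
      path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// npm lockfile v1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === PACKAGE && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path: here.join(' > '), version: meta.version });
    }
    scanDependencyTree(meta.dependencies, here, hits);
  }
}

// Lockfile v2 carries both layouts; prefer "packages" so nothing is counted twice.
function findCompromisedInstalls(lockfile) {
  const hits = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, hits);
  else scanDependencyTree(lockfile.dependencies, [], hits);
  return hits;
}

// Constructed sample (not a real project's lockfile): the direct dependency
// is already on 1.95.8, but a transitive copy is still on 1.95.7.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'trading-bot', version: '0.1.0' },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/some-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

console.log(findCompromisedInstalls(SAMPLE_LOCKFILE));
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromisedInstalls`. A clean result describes only the lockfile as it stands now and says nothing about installs that ran without a lockfile during the window stated above.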
v1.95.5
v2.0.0
v2.0.0 (2024-11-07)
Today we have dropped the Release Candidate label from `@solana/web3.js` v2.0.0. We now recommend it for general use.
Read more in this blog post.
The New web3.js - Release Candidate `rc.4`
v2.0.0-rc.4 (2024-11-05)
This version fixes a bug with program error decoding that we introduced in Release Candidate 2. We now expect this, Release Candidate 4, to be the final version before tagging version 2.0 of `@solana/web3.js`. Please submit any final bug reports before Thursday, November 7th by filing a GitHub Issue.
To install the Release Candidate:
npm install --save @solana/web3.js@rc
- Try the runnable examples in the `examples/` directory to get a feel for the API.
- Use the example dApp at https://solana-labs.github.io/solana-web3.js/example/ – source available here – for an example of how to build transactions with the new web3.js for use with wallets.
- Install TypeScript clients for on-chain programs like System and Token, then build a useful application or backend service.
Changelog since Release Candidate rc.3
- #3519 2798061 Thanks @lorisleiva! - Accept bigints in RPC error factories, fixing functions such as `isProgramError`
The New web3.js - Release Candidate `rc.3`
v2.0.0-rc.3 (2024-10-31)
This version fixes a bug with RPC subscriptions that we introduced in Release Candidate 2. We now expect this, Release Candidate 3, to be the final version before tagging version 2.0 of `@solana/web3.js`. Please submit any final bug reports before Thursday, November 7th by filing a GitHub Issue.
To install the Release Candidate:
npm install --save @solana/web3.js@rc
- Try the runnable examples in the `examples/` directory to get a feel for the API.
- Use the example dApp at https://solana-labs.github.io/solana-web3.js/example/ – source available here – for an example of how to build transactions with the new web3.js for use with wallets.
- Install TypeScript clients for on-chain programs like System and Token, then build a useful application or backend service.
Changelog since Release Candidate rc.2
- #3507 45df702 Thanks @mcintyre94! - Fixed a bug where the subscription server's response would not be detected, because of a mismatch in the format of the `id`. Now all RPC message ids are strings, for avoidance of doubt.
The New web3.js - Release Candidate `rc.2`
v2.0.0-rc.2 (2024-10-31)
We expect this to be the final release candidate version before tagging version 2.0 of `@solana/web3.js`. Please submit any final bug reports before Thursday, November 7th by filing a GitHub Issue.
To install the Release Candidate:
npm install --save @solana/web3.js@rc
- Try the runnable examples in the `examples/` directory to get a feel for the API.
- Use the example dApp at https://solana-labs.github.io/solana-web3.js/example/ – source available here – for an example of how to build transactions with the new web3.js for use with wallets.
- Install TypeScript clients for on-chain programs like System and Token, then build a useful application or backend service.
Changelog since Release Candidate rc.1
- #3213 3fc388f Thanks @mcintyre94! - Clean up SolanaRpcApi: no longer extend RpcApiMethods + remove export
- #3137 fd72c2e Thanks @mcintyre94! - The build is now compatible with the Vercel Edge runtime and Cloudflare Workers through the addition of `edge-light` and `workerd` to the package exports.
- #3251 Thanks @ryoid! - `isAddress()` no longer throws despite that the input might be unparseable as a base-58 string. Now, it correctly, simply, returns `false`.
- #3361 441fa3a Thanks @steveluscher! - Fixed a bug where calls to `isEd25519CurveSupported()` might have resulted in uncaught rejections bubbling up through the app, in cases where Ed25519 is not supported
- #3134 38faba0 Thanks @buffalojoec! - Change unix timestamp type to bigint with an unsafe label
- #3128 0158b31 Thanks @lorisleiva! - Fix missing export in `@solana/keys` package. This means, the `getPublicKeyFromPrivateKey` function is now properly exported.
- #3407 10b08ac Thanks @lorisleiva! - Use `RpcRequest`, `RpcResponse` and their transformers in RPC Subscriptions packages

  This change makes the RPC and RPC Subscriptions architecture more consistent by using the same `RpcRequest` and `RpcResponse` types and transformers as the basis for handling user requests (RPC calls or subscriptions) and returning responses to them.

  See the following PRs for more details:
- #3453 bafefed Thanks @mcintyre94! - Rename decodeTransactionMessage to decompileTransactionMessageFetchingLookupTables
- #3290 2368163 Thanks @mcintyre94! - Throw an error if a transaction fails when being simulated to estimate CUs
- #3145 1c25dd4 Thanks @lorisleiva! - Rename `RpcResponse` type to `RpcResponseData` to make room for a new `RpcResponse` type
- #3213 3fc388f Thanks @mcintyre94! - Clean up SolanaRpcApi: no longer extend RpcApiMethods + remove export
- #3454 1fde4b1 Thanks @mcintyre94! - Correct type of replacementBlockhash in simulateTransaction
- #3456 0245265 Thanks @lorisleiva! - Remove `UnsafeBeyond2Pow53Minus1` type suffixes
- #3150 a705413 Thanks @lorisleiva! - Make `RpcApi` use new `RpcRequestTransformer` and `RpcResponseTransformer`
- #3202 bf07a60 Thanks @disco-infinex! - PerformanceSample return type field numNonVoteTransaction corrected to numNonVoteTransactions
- #3161 9dfca45 Thanks @lorisleiva! - Add `getIntegerOverflowRequestTransformer`, `getBigIntDowncastRequestTransformer` and `getTreeWalkerRequestTransformer` helpers
- #3134 38faba0 Thanks @buffalojoec! - Change unix timestamp type to bigint with an unsafe label
- #3148 e1cb697 Thanks @lorisleiva! - Make `RpcTransport` return new `RpcResponse` type instead of parsed JSON data
- #3201 02cefa7 Thanks @lorisleiva! - Update the response type of the `getClusterNodes` RPC method
- #3098 2f541b6 Thanks @buffalojoec! - Update program accounts filters for `programAccounts` query
- #3221 6b43588 Thanks @lorisleiva! - Add new `isJsonRpcPayload` helper method
- c8e6e71 Thanks @steveluscher! - We refactored the lower levels of the subscriptions API entirely.

  Previously, all layers of the subscriptions implementation, from the `WebSocket` transport to the API that developers use, dealt in `AsyncIterables`. These are notoriously difficult to code in such a way that expresses all of the ways in which a subscription might be cancelled or error out. Very slight omissions of care could open memory leaks that would bring down the simplest of apps. The new subscriptions infra in Release Candidate 2 deals with event-based subscriptions all the way up to the highest level API, at which point the subscription is vended to the application as an `AsyncIterable`.

  This has eliminated several classes of memory leak and has made it easier to implement higher-level transports (like the autopinger and the subscription coalescer). Additionally, this update introduces a new channel pool implementation that opens new `WebSocket` connections when existing ones become ‘full.’ Lastly, performance in the new implementation has been improved through a new demultiplexing utility that can separate `message` events into several channels based on arbitrary criteria, meaning you can apply transforms to the message right at the source, and vend subscriptions to downstream consumers that care only about one particular kind of message...
v1.95.4
v1.95.3
The New web3.js - Release Candidate `rc.1`
v2.0.0-rc.1 (2024-08-09)
Since we published the first Release Candidate of `@solana/web3.js@2.0.0` your feedback has helped us to catch bugs that we missed during development. A special thank you today to @WilfredAlmeida for the reports that led to the fixes in this, updated Release Candidate `rc.1`.
Also new in this release are handy tools that help you load key pairs and derive public `CryptoKey` instances from private `CryptoKey` instances.
To install the Release Candidate:
npm install --save @solana/web3.js@rc
- Try the runnable examples in the `examples/` directory to get a feel for the API.
- Use the example dApp at https://solana-labs.github.io/solana-web3.js/example/ – source available here – for an example of how to build transactions with the new web3.js for use with wallets.
- Install TypeScript clients for on-chain programs like System and Token, then build a useful application or backend service.
Before the general release of web3.js, shortly before Breakpoint 2024 in September, we want to collect as much feedback as possible from you. If you find a bug, are missing a feature, or would like an API modified, file a GitHub Issue.
Changelog since Release Candidate rc.0
- #3050 7d310f6 Thanks @lorisleiva! - Add a `createKeyPairFromPrivateKeyBytes` helper that creates a keypair from the 32-byte private key bytes.

  ```ts
  import { createKeyPairFromPrivateKeyBytes } from '@solana/keys';

  const { privateKey, publicKey } = await createKeyPairFromPrivateKeyBytes(new Uint8Array([...]));
  ```
- #3049 f9a8446 Thanks @lorisleiva! - Add a `getPublicKeyFromPrivateKey` helper that, given an extractable `CryptoKey` private key, gets the corresponding public key as a `CryptoKey`.

  ```ts
  import { createPrivateKeyFromBytes, getPublicKeyFromPrivateKey } from '@solana/keys';

  const privateKey = await createPrivateKeyFromBytes(new Uint8Array([...]), true);
  const publicKey = await getPublicKeyFromPrivateKey(privateKey);
  const extractablePublicKey = await getPublicKeyFromPrivateKey(privateKey, true);
  ```
- #3051 1ad523d Thanks @lorisleiva! - Add a `createKeyPairSignerFromPrivateKeyBytes` helper that composes `createKeyPairFromPrivateKeyBytes` and `createSignerFromKeyPair`.
- #3071 b4bf318 Thanks @steveluscher! - Created a helper that you can use to race two or more promises without having to worry about them leaking memory
- #3070 f2bb4e8 Thanks @steveluscher! - Created a package for dealing with JavaScript Promises, and copied the implementation of `getAbortablePromise` into it
- #3072 c122c75 Thanks @steveluscher! - Fixed a memory leak with transaction confirmation and subscriptions
The New web3.js - Release Candidate
v2.0.0-rc.0 (2024-07-31)
This is an open invitation to test out what we intend to release as v2.0. Your feedback in these final moments before release will help us catch any bugs and rough edges that we missed during development.
To install the Release Candidate:
npm install --save @solana/web3.js@rc
- Try the runnable examples in the `examples/` directory to get a feel for the API.
- Use the example dApp at https://solana-labs.github.io/solana-web3.js/example/ – source available here – for an example of how to build transactions with the new web3.js for use with wallets.
- Install TypeScript clients for on-chain programs like System and Token, then build a useful application or backend service.
Before the general release of web3.js, shortly before Breakpoint 2024 in September, we want to collect as much feedback as possible from you. If you find a bug, are missing a feature, or would like an API modified, file a GitHub Issue.
Changelog since Technology Preview 4
- #2907 677a9c4 Thanks @steveluscher! - `__DEV__` mode will now be the default if you don't set `process.env.NODE_ENV` at all. This means fewer people ‘accidentally’ finding themselves in production mode with minified error messages.
- #2905 56fde06 Thanks @steveluscher! - Fixed the type of `config` on `getComputeUnitEstimateForTransactionMessage`. It is now optional and does not include `transactionMessage`.
- #2968 9239e6e Thanks @lorisleiva! - Tighten return type of isProgramError
- #2928 bac3747 Thanks @steveluscher! - Added a `useSignIn` hook that, given a `UiWallet` or `UiWalletAccount`, returns a function that you can call to trigger a wallet's ‘Sign In With Solana’ feature.
- #2950 29821df Thanks @mcintyre94! - Refactor rpc-spec to remove requirement for transports to implement parts of JSON RPC spec
- #2910 42a70f4 Thanks @Jac0xb! - Fixed a bug where the RPC would fail to throw errors in the event that you configured it with an `AbortSignal`
- #2969 419c12e Thanks @mcintyre94! - Add a function to replace accounts in a transaction message using lookup tables
- #2905 56fde06 Thanks @steveluscher! - Fixed the type of `config` on `getComputeUnitEstimateForTransactionMessage`. It is now optional and does not include `transactionMessage`.