Open source contributions from Fadroma over the past couple months
Fadroma is committed to being a good citizen of the Free and Open Source Software (FOSS) ecosystem — which powers Web 2.0, Web3, and the Internet of Anything.
A big part of a healthy open source strategy involves contributing to upstream repositories. As the communication channels of the CosmWasm ecosystem are somewhat less inclusive than necessary (in no small part due to depending on yikes Telegram), we’ve been testing the waters with a few small-ish PRs direct to GitHub.
Here goes:
Secret Network
On Aug 17, SecretJS, the JS/TS client for Secret Network, the Intel SGX-powered chain with encrypted transactions, gained the following:
scrtlabs/secretjs#155: fix(test): make test.sh portable.
Mac-centric developers might not be affected by this, but the “correct” way to start a shell script is #!/usr/bin/env bash, not just #!/bin/bash. This tiny one-line fix enables the test suite of SecretJS to be run on a more varied range of workstations; thus making it one step easier for devs running custom systems to lend a hand to Secret Network maintainer Assaf Morami (you rock, man)
scrtlabs/secretjs#156: fix(CVE-2023-36665): upgrade protobufjs to 6.11.4.
Prototype pollution is a nasty trick that allows third-party code to mess with the workings of JavaScript — by modifying the default behavior of all objects.
Since people also use the same thing for legitimate purposes (such as bringing new features of JavaScript to older platforms), it isn’t fixable at the language level. That’s why libraries which use Object.assign on input data must now take extra care to sanitize inputs.
SecretJS uses Protobuf.js to talk to nodes. We’ve updated SecretJS to use the latest fixed version of Protobuf’s v6 branch, in order to keep your private keys and mnemonics a little safer.
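As an added illustration of the prototype pollution described above (not code from SecretJS or Protobuf.js): a hypothetical path-setting helper that walks keys taken from untrusted input, beside a hardened variant that rejects keys reaching the prototype chain. The names setPathUnsafe, setPathSafe and demo, and the sample path, are constructed for this example.

```javascript
// Added example: hypothetical helpers, not code from SecretJS or Protobuf.js.

// Naive "set value at dotted path" helper: follows input-chosen keys blindly.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // "__proto__" resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: refuses keys that reach the prototype chain and only
// descends into properties the object itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing unsafe key in path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both helpers on the same constructed input and reports the outcome.
function demo() {
  const result = { unsafePolluted: false, safeRejected: false, safePolluted: false };
  setPathUnsafe({}, '__proto__.isAdmin', true);   // constructed sample input
  result.unsafePolluted = ({}).isAdmin === true;  // an unrelated object is affected
  delete Object.prototype.isAdmin;                // undo the demo's side effect
  try {
    setPathSafe({}, '__proto__.isAdmin', true);
  } catch (e) {
    result.safeRejected = true;
  }
  result.safePolluted = ({}).isAdmin === true;
  return result;
}
```

Upgrading the dependency remains the actual fix; a key filter like this is what a library author adds at the point where untrusted keys are written into objects.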
One further pull request to secretjs is awaiting merge:
scrtlabs/secretjs#154: perf(npm): move sinon to devDependencies
This is a performance upgrade that moves the Sinon testing library into the devDependencies of SecretJS’s package.json. This way, npm install has to download 8MiB less when getting started with secretjs, amounting to a 15–25% improvement in download size!
We’re eagerly awaiting the upcoming release of SecretJS 1.9.4, which will contain the above improvements.
Up next
In the coming weeks, we plan to submit several more proposed improvements to SecretJS:
- Replace the bip32 and bip39 dependencies with @scure/bip32 and @scure/bip39, which are actively maintained and natively ESM-compatible.
- Move miscreant.js and curve25519 into the secretjs source tree, as they are both unmaintained and CJS-only.
- Separate import and import type declarations in the TypeScript sources of SecretJS. This way, the compiled SecretJS won’t contain missing imports. Type definitions don’t exist in JavaScript, but still end up as part of the import statements in the compiled code. As untangling them manually is a daunting task, we’ve written an AST rewriting tool to update them in one go.
- Make the contained Protobuf.js bindings directly usable in Node.js. Right now, Node adds an extra default when importing the (still CJS-based) Protobuf.js library, which breaks stuff in certain contexts. Fixing this without confusing TypeScript is also fiddly, so we’ve used that same tool again (announcement soon!)
- Permanently resolve a circular import or two. Bundlers sometimes resolve those at build time, but in the case of direct TS->ESM compilation they remain problematic. (We tried two circular dependency checkers from NPM and neither caught them, so we had to fish them out manually.)
OKP4 Network
From Jul 23 to Sep 8, we collaborated with OKP4 Network, an innovative French blockchain that brings Prolog-based Governance-as-a-Service to the CosmWasm space, to improve their documentation:
okp4/docs#276: Docs: Replace broken, sprawling jsonschema2md output with 3 compact guides generated by Fadroma
okp4/contracts#342: chore: update @fadroma/schema to 1.1.0
(Now, that title is quite a mouthful, isn’t it. Striking a balance between brevity and accuracy is one of the main challenges in effective tech communication.)
In short: we replaced “one page per field” with “one page per contract”.
Rather than wading through the output of jsonschema2md (a barely maintained Adobe tool which had generated many difficult-to-navigate pages that contained a ton of Undefined identifiers), you can now get all the info for talking to their contracts in one place — thanks to a brand new addition to the Fadroma toolkit, @fadroma/schema.
You can now browse the updated docs at https://docs.okp4.network/contracts. Thanks to the OKP4 team for keeping the link to @fadroma/schema in the generated pages! ❤️
In the pipeline
On the OKP4 side, our bindings to OKP4 contracts are looking good. The desire to bring them to all platforms and developers made us base them on an ESM-compatible fork of CosmJS Stargate — which will also become a source of pull requests in the near future, enabling a wider variety of dev tooling to be used when building CosmWasm client applications.
Expect a tutorial for using OKP4 from Fadroma soon!
Future work
As Secret Network documentation work seems to be experiencing a lack of resources, we invite projects using Secret Network to send us their contract addresses and APIs, so we can add support for them to @fadroma/scr — and publish a new index of Secret Network apps and contracts, alongside an easy way to use them all.
Do you know any nitpicks, papercuts, and other specific improvements you would like to see in CosmWasm dev tooling? Let us know in the comments — or at hello@fadroma.tech!
Until next time!