Released under the terms of the MIT LICENSE.
If you are thinking of using the master branch of this library in production, stop. Master is not stable; it is our development branch, and only tagged releases may be classified as stable.
Don't trust. Verify.
We recommend every user of this library and the bitcoinjs ecosystem audit and verify any underlying code for its validity and suitability, including reviewing any and all of your project's dependencies.
Mistakes and bugs happen, but with your help in resolving and reporting issues, together we can produce open source software that is:
Buffer's throughout, and
npm install bitcoinjs-lib # optionally, install a key derivation library as well npm install ecpair bip32 # ecpair is the ECPair class for single keys # bip32 is for generating HD keys
Previous versions of the library included classes for key management (ECPair, HDNode(->"bip32")) but now these have been separated into different libraries. This lowers the bundle size significantly if you don't need to perform any crypto functions (converting private to public keys and deriving HD keys).
Typically we support the Node Maintenance LTS version. TypeScript target will be set to the ECMAScript version in which all features are fully supported by current Active Node LTS. However, depending on adoption among other environments (browsers etc.) we may keep the target back a year or two. If in doubt, see the main_ci.yml for what versions are used by our continuous integration tests.
WARNING: We presently don't provide any tooling to verify that the release on
npm matches GitHub. As such, you should verify anything downloaded by
npm against your own verified copy.
Crypto is hard.
When working with private keys, the random number generator is fundamentally one of the most important parts of any software you write.
For random number generation, we default to the
randombytes module, which uses
window.crypto.getRandomValues in the browser, or Node js'
crypto.randomBytes, depending on your build system.
Although this default is ~OK, there is no simple way to detect if the underlying RNG provided is good enough, or if it is catastrophically bad.
You should always verify this yourself to your own standards.
This library uses tiny-secp256k1, which uses RFC6979 to help prevent
k re-use and exploitation.
Unfortunately, this isn't a silver bullet.
Buffer (UInt8Array), for example, can trivially result in catastrophic fund loss without any warning.
It can do this through undermining your random number generation, accidentally producing a duplicate
k value, sending Bitcoin to a malformed output script, or any of a million different ways.
Running tests in your target environment is important and a recommended step to verify continuously.
Finally, adhere to best practice. We are not an authorative source of best practice, but, at the very least:
Math.random- in any way - don't.
The recommended method of using
bitcoinjs-lib in your browser is through Browserify.
If you're familiar with how to use browserify, ignore this and carry on, otherwise, it is recommended to read the tutorial at https://browserify.org/.
Type declarations for Typescript are included in this library. Normal installation should include all the needed type information.
The below examples are implemented as integration tests, they should be very easy to understand. Otherwise, pull requests are appreciated. Some examples interact (via HTTPS) with a 3rd Party Blockchain Provider (3PBP).
If you have a use case that you feel could be listed here, please ask for it!
npm test npm run-script coverage