@zingolabs/zebra-rpc

ESM-only, React-Native–friendly JSON-RPC client for Zebra (Zcash). Typed with Zod, supports a superset of Zebra’s RPCs.

Install

pnpm add @zingolabs/zebra-rpc
# Node 18+ or React Native

Quick start

import { ZebraClient } from "@zingolabs/zebra-rpc";

// Basic auth
const basic = (u: string, p: string) =>
  "Basic " + Buffer.from(`${u}:${p}`).toString("base64");

const zebra = new ZebraClient("http://127.0.0.1:8232", {
  headers: { Authorization: basic("rpcuser", "rpcpass") },
  timeoutMs: 10_000,
});

// Standard Zebra RPC
const info = await zebra.getBlockchainInfo();

// Superset
const activated = await zebra.isTflActivated();
const rosterZats = await zebra.getTflRosterZats();
const rosterZec  = await zebra.getTflRosterZec();

Dependency build-scripts policy (pnpm)

We harden installs by denying all dependency lifecycle scripts by default and opting-in via a repo-local allowlist.

• Enforced by: package.json with "pnpm.onlyBuiltDependenciesFile": "security/allowed-build-dependencies.json"

• Allowlist file: security/allowed-build-dependencies.json

• Current policy: Only these packages may run their install/build scripts:

  ["esbuild"]

How it works

• On pnpm install, any package not in the allowlist has its postinstall/build blocked.

• To see what’s being blocked:

  pnpm ignored-builds

• To allow a new package, add it to security/allowed-build-dependencies.json, then:

  pnpm rebuild <pkg>

Local verification

• Fresh install respects the allowlist:

  rm -rf node_modules && pnpm install
  pnpm ignored-builds   # should be "None" if all allowed builds are listed

Notes

• The allowlist should remain minimal.
• Do not use ignoredBuiltDependencies alongside this file. This JSON allowlist is the single source of truth.

General notes

• ESM only. Use via import. CommonJS (require) is not supported.
• Runtime validation is handled via Zod. Large integers are returned as bigint.

License

MIT