{"id":28493776,"url":"https://github.com/bitcoinjs/merkle-lib","last_synced_at":"2025-07-08T13:32:00.534Z","repository":{"id":11644162,"uuid":"70217415","full_name":"bitcoinjs/merkle-lib","owner":"bitcoinjs","description":"A performance conscious library for merkle root and tree calculations.","archived":false,"fork":false,"pushed_at":"2024-08-08T14:27:50.000Z","size":554,"stargazers_count":31,"open_issues_count":6,"forks_count":14,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-06-06T01:18:54.723Z","etag":null,"topics":["bitcoin","digest","hash","merkle","merkle-root","merkle-tree"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitcoinjs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-07T05:14:16.000Z","updated_at":"2025-01-07T15:29:13.000Z","dependencies_parsed_at":"2024-06-18T13:49:10.416Z","dependency_job_id":"ba9b8c2f-d841-4007-9c4a-79646827ad4d","html_url":"https://github.com/bitcoinjs/merkle-lib","commit_stats":{"total_commits":73,"total_committers":6,"mean_commits":"12.166666666666666","dds":0.3287671232876712,"last_synced_commit":"627ba4b90093a3eeee18f4b2d99960c29a8871e1"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/bitcoinjs/merkle-lib","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitcoinjs%2Fmerkle-lib","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitcoinjs%2Fmerkle-lib/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitcoinjs%2Fmerkle-lib/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitcoinjs%2Fmerkle-lib/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitcoinjs","download_url":"https://codeload.github.com/bitcoinjs/merkle-lib/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitcoinjs%2Fmerkle-lib/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262235156,"owners_count":23279532,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bitcoin","digest","hash","merkle","merkle-root","merkle-tree"],"created_at":"2025-06-08T09:31:09.575Z","updated_at":"2025-07-08T13:32:00.521Z","avatar_url":"https://github.com/bitcoinjs.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# merkle-lib\n\n[![Build Status](https://travis-ci.org/bitcoinjs/merkle-lib.png?branch=master)](https://travis-ci.org/bitcoinjs/merkle-lib)\n[![NPM](https://img.shields.io/npm/v/merkle-lib.svg)](https://www.npmjs.org/package/merkle-lib)\n\n[![js-standard-style](https://cdn.rawgit.com/feross/standard/master/badge.svg)](https://github.com/feross/standard)\n\nA performance conscious library for merkle root and tree calculations.\n\n\n## Warnings\nThis implementation is vulnerable to a forgery attack [as a second pre-image attack](https://en.wikipedia.org/wiki/Merkle_tree#Second_preimage_attack), see these[\\[1\\]](https://crypto.stackexchange.com/questions/2106/what-is-the-purpose-of-using-different-hash-functions-for-the-leaves-and-interna)[\\[2\\]](https://crypto.stackexchange.com/questions/43430/what-is-the-reason-to-separate-domains-in-the-internal-hash-algorithm-of-a-merkl/44971#44971) crypto.stackexchange questions for an explanation.\nTo avoid this vulnerability,  you should pre-hash your leaves *using a different hash function* than the function provided such that `H(x) != H'(x)`.\n\nAdditionally, this implementation is vulnerable to a forgery attack [for an unbalanced merkle tree](https://bitcointalk.org/?topic=102395),  wherein,  in an unbalanced merkle tree, the last leaf node can be duplicated to create an artificial balanced tree,  resulting in the same root hash.\nTo avoid this vulnerability [in this implementation],  do not accept unbalanced merkle trees in your application.\n\n\n## Examples\nPreamble\n``` javascript\nvar crypto = require('crypto')\n\nfunction sha256 (data) {\n  return crypto.createHash('sha256').update(data).digest()\n}\n\nvar data = [\n  'cafebeef',\n  'ffffffff',\n  'aaaaaaaa',\n  'bbbbbbbb',\n  'cccccccc'\n].map(x =\u003e new Buffer(x, 'hex'))\n\n// ... now, the examples\n```\n\nTree\n``` javascript\nvar merkle = require('merkle-lib')\nvar tree = merkle(data, sha256)\n\nconsole.log(tree.map(x =\u003e x.toString('hex')))\n// =\u003e [\n//  'cafebeef',\n//  'ffffffff',\n//  'aaaaaaaa',\n//  'bbbbbbbb',\n//  'cccccccc',\n//  'bda5c39dec343da54ce91c57bf8e796c2ca16a1bd8cae6a2cefbdd16efc32578',\n//  '8b722baf6775a313f1032ba9984c0dce32ff3c40d7a67b5df8de4dbaa43a3db0',\n//  '3d2f424783df5853c8d7121b1371650c04241f318e1b0cd46bedbc805b9164c3',\n//  'bb232963fd0efdeacb0fd76e26cf69055fa5facc19a5f5c2f2f27a6925d1db2f',\n//  '2256e70bea2c591190a0d4d6c1415acd7458fae84d8d85cdc68b851da27777d4',\n//  'c2692b0e127b3b774a92f6e1d8ff8c3a5ea9eef9a1d389fe294f0a7a2fec9be1'\n//]\n```\n\nRoot only (equivalent to `tree[tree.length - 1]`)\n``` javascript\nvar fastRoot = require('merkle-lib/fastRoot')\nvar root = fastRoot(data, sha256)\n\nconsole.log(root.toString('hex'))\n// =\u003e 'c2692b0e127b3b774a92f6e1d8ff8c3a5ea9eef9a1d389fe294f0a7a2fec9be1'\n```\n\nProof (with verify)\n``` javascript\nvar merkleProof = require('merkle-lib/proof')\nvar proof = merkleProof(tree, data[0])\n\nif (proof === null) {\n  console.error('No proof exists!')\n}\n\nconsole.log(proof.map(x =\u003e x \u0026\u0026 x.toString('hex')))\n// =\u003e [\n//   'cafebeef',\n//   'ffffffff',\n//   null,\n//   '8b722baf6775a313f1032ba9984c0dce32ff3c40d7a67b5df8de4dbaa43a3db0',\n//   null,\n//   '2256e70bea2c591190a0d4d6c1415acd7458fae84d8d85cdc68b851da27777d4',\n//   'c2692b0e127b3b774a92f6e1d8ff8c3a5ea9eef9a1d389fe294f0a7a2fec9be1'\n// ]\n\nconsole.log(merkleProof.verify(proof, sha256))\n// =\u003e true\n```\n\n\n#### Credits\nThanks to [Meni Rosenfield on bitcointalk](https://bitcointalk.org/index.php?topic=403231.msg9054025#msg9054025) for the math.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitcoinjs%2Fmerkle-lib","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitcoinjs%2Fmerkle-lib","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitcoinjs%2Fmerkle-lib/lists"}