npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@corpus-core/colibri-stateless

v1.1.20

Published

Colibri is a stateless and trustless ethereum client, which is optimized for the mobile apps or embedded devices, because it does not hols the state, but verifies on demand.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

stkuxstkuxscorpusscorpus

Keywords

beaconethereumclientminimumstatelessproofverifier

Readme

C4 (corpus core colibri client)

ETH2.0_Spec_Version 1.4.0

The colibri client is a stateless and trustless ethereum client, which is optimized for the mobile apps or embedded devices, because it does not hols the state, but verifies on demand.

Installation

npm install @corpus-core/colibri-stateless

Import / Usage (ESM and CommonJS)

Colibri is published as a dual package and can be used in both ESM and CommonJS environments.

ESM (browsers, modern bundlers, Node ESM)

import Colibri, { Strategy, set_wasm_url } from "@corpus-core/colibri-stateless";

// Optional: only needed if you want to pin the WASM location explicitly
// set_wasm_url("https://example.com/c4w.wasm");

const client = new Colibri();

CommonJS (e.g. Jest, older Node toolchains)

const { default: Colibri, Strategy, set_wasm_url } = require("@corpus-core/colibri-stateless");

// Optional: in Node you can explicitly point to the wasm file path
// set_wasm_url(require("node:path").join(__dirname, "c4w.wasm"));

const client = new Colibri();

Using Colibri as RPC Provider

The Colibri Class implements the EIP-1193 Interface, so any library supporting EIP-1193 Providers can easily use Colibri as RPCProvider.

Right now Subscription and Filters have not been implemented, so in case you need those features, jus use a different Provider for those tasks and the verify the found logs using Colibri. But those features will be implemented in one of the next releases.

EthersJs 6.x

import { BrowserProvider } from "ethers";
import Colibri from "@corpus-core/colibri-stateless";

async function main() {

    // Initialize the client with the default configuration and RPCs
    const client = new Colibri({prover:['https://mainnet.colibri-proof.tech']});

    // Use Colibri client as the EIP-1193 provider for ethers (v6)
    const provider = new BrowserProvider(client);

    // Fetch the latest block using the ethers provider
    const block = await provider.getBlock('latest');
    console.log("Block fetched via ethers:", block);
}

main().catch(console.error);

EthersJs 5.x

import * as ethers from "ethers";
import Colibri from "@corpus-core/colibri-stateless";

async function main() {

    // Initialize the client with the default configuration and RPCs
    const client = new Colibri({prover:['https://mainnet.colibri-proof.tech']});

    // Use Colibri client as the EIP-1193 provider for ethers (v6)
    const provider = new ethers.providers.Web3Provider(client);

    // Fetch the latest block using the ethers provider
    const block = await provider.getBlock('latest');
    console.log("Block fetched via ethers:", block);
}

main().catch(console.error);

Web3.js

import Web3 from 'web3';
import Colibri from "@corpus-core/colibri-stateless";

async function main() {

    // Initialize the client with the default configuration and RPCs
    const client = new Colibri({prover:['https://mainnet.colibri-proof.tech']});

    // Use Colibri client as the EIP-1193 provider for web3.js
    const web3 = new Web3(client);

    // Fetch the latest block using the web3.js provider
    const block = await web3.eth.getBlock('latest');
    console.log("Block fetched via web3.js:", block);
}

main().catch(console.error);

Viem

import { createPublicClient, custom } from 'viem';
import { mainnet } from 'viem/chains';
import Colibri from "@corpus-core/colibri-stateless";

async function main() {

    // Initialize the Colibri client
    const colibriClient = new Colibri({prover:['https://mainnet.colibri-proof.tech']});

    // Create a viem Public Client using Colibri as a custom EIP-1193 transport
    const viemClient = createPublicClient({
        chain: mainnet, // Specify the chain
        transport: custom(colibriClient) // Wrap Colibri client
    });

    // Fetch the latest block using the viem client
    const block = await viemClient.getBlock({ blockTag: 'latest' });
    console.log("Block fetched via viem:", block);
}

main().catch(console.error);

Secure Transaction Verification

Protect your dApp from NPM supply-chain attacks and transaction manipulation:

import { BrowserProvider } from "ethers";
import Colibri from "@corpus-core/colibri-stateless";

// 🛡️ Secure transactions with built-in verification
const client = new Colibri({
    fallback_provider: window.ethereum, // MetaMask as Signer
    verifyTransactions: true            // Prevents transaction manipulation
});

const provider = new BrowserProvider(client);

// Send transaction - automatically verified before broadcast
const tx = await provider.getSigner().sendTransaction({
    to: "0x742d35cc6633C0532925a3b8D8C9C4e2F9",
    value: "0x16345785d8a0000", // 0.1 ETH
    gasLimit: "0x5208"
});

console.log("✅ Verified transaction:", tx.hash);

Building proofs in you app.

If you don't want to use a remote Service building the proofs, you can also use Colibri directly to build the proof or to verify. A Proof is juzst a UInt8Array or just bytes. You write it in a file or package it in your application and verify whenever it is needed:

import Colibri from "@corpus-core/colibri-stateless";

async function main() {
    const method = "eth_getTransactionByHash";
    const args = ['0x2af8e0202a3d4887781b4da03e6238f49f3a176835bc8c98525768d43af4aa24'];


    // Initialize the client with the default configuration and RPCs
    const client = new Colibri();

    // Create a proof for the given method and arguments as UInt8Array
    const proof = await client.createProof(method, args);

    // Verify the proof against requested method and arguments
    const result = await client.verifyProof(method, args, proof);

    // the result will be the expected json
    console.log(result);
}

main().then(console.log).catch(console.error);

Configuration

The constructor of the colibri client accepts a configuration-object, which may configure the client. The following parameters are accepted:

  • chainId - the chain to be used (default is 1, whoich is mainnet).

    new Colibri({ chainId: 0x7})

  • beacon_apis - urls for the beacon apis
    An array of endpoints for accessing the beacon chain using the official Eth Beacon Node API. The Array may contain more than one url, and if one API is not responding the next URL will work as fallback. This beacon API is currently used eitehr when building proofs directly or even if you are using a remote prover, the LightClientUpdates (every 27h) will be fetched directly from the beacon API.

    new Colibri({ beacon_apis: [ 'https://lodestar-mainnet.chainsafe.io' ]})

  • checkpointz - urls for checkpoint servers (Checkpointz or Beacon API)
    An array of server endpoints for fetching finalized checkpoint data and weak subjectivity validation. Supports both dedicated Checkpointz servers and standard Beacon API nodes, as the verifier uses the Beacon-API-compatible endpoint /eth/v1/beacon/states/head/finality_checkpoints. These servers provide finalized beacon block roots used for secure initialization and periodic validation. Multiple URLs enable automatic fallback. Defaults to public Checkpointz servers for mainnet, but you can also use your own Beacon node for maximum trust.

    // Using public Checkpointz servers (default)
new Colibri({ checkpointz: [ 'https://sync-mainnet.beaconcha.in', 'https://beaconstate.info' ]})
  
// Or using your own Beacon node
new Colibri({ checkpointz: [ 'http://localhost:5052' ]})

  • rpcs - RPCs for the executionlayer
    a array of rpc-endpoints for accessing the execution layer. If you are using the remote prover, you may not need it at all. But creating your proofs locally will require to access data from the execution layer. Having more than one rpc-url allows to use fallbacks in case one is not available.

    new Colibri({ beacon_apis: [
   "https://nameless-sly-reel.quiknode.pro/<APIKEY>/",
   "https://eth-mainnet.g.alchemy.com/v2/<APIKEY>",
   "https://rpc.ankr.com/eth/<APIKEY>" ]})

  • prover - urls for remove prover a array of endpoints for remote prover. This allows to generate the proof in the backend, where caches can speed up the process.

    new Colibri({ prover: ["https://mainnet.colibri-proof.tech" ]})

  • zk_proof - use remote ZK sync proof for bootstrap (default: false) If true, the verifier will bootstrap the initial sync committee using the ZK proof (ZKSyncData) provided by the remote prover, instead of initializing via checkpointz / trusted checkpoints.

    new Colibri({ prover: ["https://mainnet.colibri-proof.tech"], zk_proof: true })

  • checkpoint_witness_keys - optional checkpoint signer addresses when using zk_proof (default: null) A list of Ethereum addresses (20 bytes each). The current format is a single hex string where multiple addresses are concatenated (no separator).

    Example (one signer, corpus-core):

    new Colibri({
  prover: ["https://mainnet.colibri-proof.tech"],
  zk_proof: true,
  checkpoint_witness_keys: "0x07f50c1d17cb84a656692ddfd577c09756cb305b"
})

    Example (two signers concatenated):

    new Colibri({
  zk_proof: true,
  checkpoint_witness_keys: "0x<addr1_40hex><addr2_40hex>"
})

  • trusted_checkpoint - optional beacon block hash used as trusted anchor
    This single blockhash will be used as anchor for fetching the keys for the sync committee. So instead of starting with the genesis you can define a starting block, where you know the blockhash. If no trusted checkpoint is set, the verifier will automatically fetch the latest finalized checkpoint from a Checkpointz server, making initialization secure and convenient. Providing an explicit trusted checkpoint is recommended for maximum security control but is no longer required.

    new Colibri({ trusted_checkpoint: "0x4232db57354ddacec40adda0a502f7732ede19ba0687482a1e15ad20e5e7d1e7" })

  • cache - cache impl for rpc-requests
    you can provide your own implementation to cache JSON-RPC requests. those function will be used before a request is send, also allowing mock handlers to cache responses for tests.

    new Colibri({ cache: {
    cacheable(req: DataRequest) { 
        return req.payload && req.payload.method!='eth_blockNumber' 
    },
    get(req: DataRequest) {
        try {
            return fs.readFileSync(`${cache_dir}/${req.url}`);
        }
        catch (e) {
            return null
        }
    },
    set(req: DataRequest, data: Uint8Array) {
        fs.writeFileSync(`${cache_dir}/${req.url}`, data);
    }
}})

  • debug - if true you will see debug output on the console

    new Colibri({ debug:  true})

  • include_code- if true the code of the contracts will be included when creating proofs. this is only relevant when creating your own proofs for eth_call. (default: false)

    new Colibri({ include_code:  true})

  • privacy_mode - PAP (Pragmatic Adaptive Privacy) mode: "none" (default) or "basic". With "basic", the verifier may use cached storage for optimistic execution and verify afterwards; method type can depend on params.

    new Colibri({ privacy_mode: "basic" })

  • verify- a function to decide which request should be verified and which should be fetched from the default RPC-Provider. It allows you to speed up performance for requests which are not critical.

    new Colibri({ verify:  (method, args) => method != 'eth_blockNumber' })

  • proofStrategy- a strategy function used to determine how to handle proofs. Currently there are 3 default-implementations.

    • Strategy.VerifiedOnly - throws an exception if verifaction fails or a non verifieable function is called.
    • Strategy.VerifyIfPossible - Verifies only verifiable rpc methods and uses the fallbackhandler or rpcs if the method is not verifiable, but throws an exception if verifaction fails.
    • Strategy.WarningWithFallback - Always use the defaultprovider or rpcs to fetch the response and in parallel verifiy the response if possible. If the Verification fails, the warningHandler is called ( which still could throw an exception ). If it fails the response from the rpc-provider is used.
    new Colibri({ proofStrategy: Strategy.VerifyIfPossible })

  • warningHandler- a function to be called in case the warning-strategy is used and a verification-error happens. If not set, the default will simply use console.warn to log the error.

    new Colibri({ warningHandler:  (req, error) => console.warn(`Verification Error: ${error}`) })

  • fallback_provider- a EIP 1193 Provider used as fallback for all requests which are not verifieable, like eth_sendTransaction. Also used for signing transactions when verifyTransactions is enabled.

    new Colibri({ fallback_provider: window.ethereum  })

  • verifyTransactions- if true, all eth_sendTransaction calls will be verified before broadcast to prevent transaction manipulation attacks. Requires fallback_provider to be set. (default: false)

    new Colibri({ 
    fallback_provider: window.ethereum,
    verifyTransactions: true 
})

Building

In order to build the Javascript bindings from source, you need to have emscripten installed and the EMSDK environment variable pointing to its installation directory.

The Colibri JS-Binding has been tested with Version 4.0.3. Using latest or other versions may result in unexpected issues. For example Version 4.0.7 is not working. So make sure you select the right version when installing!

Recommended Method: Using CMake Presets

This project includes a CMakePresets.json file for easier configuration.

  1. Set Environment Variable: Ensure the EMSDK environment variable points to your Emscripten SDK directory.
    export EMSDK=/path/to/your/emsdk
  2. Configure using Preset: Use the wasm preset.
    • In VS Code/Cursor: Select the [wasm] configure preset via the status bar or command palette (CMake: Select Configure Preset).
    • On the Command Line:
      # Configure (from the project root)
cmake --preset wasm -S . 
# The binary directory (e.g., build/wasm) is defined in the preset
  3. Build:
    • In VS Code/Cursor: Use the build button or the command palette (CMake: Build). Make sure the [wasm] build preset is selected.
    • On the Command Line:
      # Build (using the build directory from the preset)
cmake --build build/wasm -j

This preset automatically sets -DWASM=true, -DCURL=false, and the correct toolchain file based on your EMSDK variable. You can create custom presets in CMakeUserPresets.json if you need different CMake flags (e.g., -DETH_ACCOUNT=1).

Alternative Method: Manual emcmake

If you prefer not to use presets or your environment doesn't support them well:

  1. Set Environment Variable: Ensure EMSDK is set and the Emscripten environment is active (e.g., via source ./emsdk_env.sh).
  2. Configure and Build:
    git clone https://github.com/corpus-core/colibri-stateless.git && cd colibri-stateless
mkdir build/wasm-manual && cd build/wasm-manual # Use a dedicated build dir
# Ensure EMSDK is set correctly before running emcmake
emcmake cmake -DWASM=true -DCURL=false <other_flags> ../..
make -j
    Replace <other_flags> with any additional CMake options you need (like -DETH_ACCOUNT=1).

After a successful build (using either method), the JS/WASM module will be in the configured build directory's emscripten subfolder (e.g., build/wasm/emscripten).

Debugging WASM

When tracking down bugs in the C core running as WASM, there are two approaches depending on the level of detail you need.

Source-level C debugging in the browser (recommended)

The wasm-debug CMake preset produces a WASM build with full DWARF debug info. Combined with the Chrome extension C/C++ DevTools Support (DWARF), this allows setting breakpoints in C source files, inspecting variables and structs, and stepping through C code directly in Chrome DevTools.

  1. Install the Chrome extension C/C++ DevTools Support (DWARF).

  2. Build with the debug preset:

    cmake --preset wasm-debug
cmake --build build/wasm-debug

  3. Serve the project root (so both build output and source files are accessible):

    python3 -m http.server 8080

  4. Open the debug test harness in Chrome:

    http://localhost:8080/bindings/emscripten/test/debug.html

  5. Open DevTools (F12), go to the Sources tab. After the WASM module loads, your C source files appear in the file tree. Set breakpoints, select a test case, and click Run.

Note: The DWARF extension only works in browser tabs, not in Node.js inspect sessions. For C-level debugging, always use the browser approach.

The debug build uses -O1 instead of -O0 to keep crypto operations (BLS, SHA256) at a reasonable speed while preserving most debug information. If you need full variable visibility at the cost of performance, change -O1 to -O0 in bindings/emscripten/CMakeLists.txt.

Node.js test debugging (JS-level)

For debugging the JavaScript/TypeScript layer or seeing C function names in stack traces without full source mapping:

cd bindings/emscripten
node --inspect-brk --test test/rpc.test.mjs

Then open chrome://inspect in Chrome and click "inspect" on the Node.js target. You can set breakpoints in the JS/TS files and see readable C function names in call stacks (via --profiling-funcs), but C source stepping is not available in this mode.

There is also a VS Code / Cursor launch configuration "WASM Node Test (inspect)" that starts the debugger automatically.

Concept

The idea behind C4 is to create a ultra light client or better verifier which can be used in Websites, Mobile applications, but especially in embedded systems. The Prover is a library which can used within you mobile app or in the backend to create Proof that the given data is valid. The Verifier is a library which can be used within the embedded system to verify this Proof.

The verifier itself is almost stateless and only needs to store the state of the sync committee, which changes every 27h. But with the latest sync committee the verifier is able to verify any proof with the signatures matching the previously verified public keys of the sync committee. This allows independent Verification and security on any devices without the need to process every blockheader (as light clients usually would do).

More Details can be found on github

License

MIT