Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@adonisjs/env
Advanced tools
Environment variables parser and validator used by the AdonisJS.
Note: This package is framework agnostic and can also be used outside of AdonisJS.
The @adonisjs/env
package encapsulates the workflow around loading, parsing, and validating environment variables.
Install the package from the npm packages registry as follows.
npm i @adonisjs/env
The EnvLoader
class is responsible for loading the environment variable files from the disk and returning their contents as a string.
import { EnvLoader } from '@adonisjs/env'
const lookupPath = new URL('./', import.meta.url)
const loader = new EnvLoader(lookupPath)
const envFiles = await loader.load()
The return value is an array of objects with following properties.
path
: The path to the loaded dot-env file.contents
: The contents of the file.Following is the list of loaded files. The array is ordered by the priority of the files. The first file has the highest priority and must override the variables from the last file.
Priority | File name | Environment | Should I .gitignore it | Notes |
---|---|---|---|---|
1st | .env.[NODE_ENV].local | Current environment | Yes | Loaded when NODE_ENV is set |
2nd | .env.local | All | Yes | Loaded in all the environments except test or testing environments |
3rd | .env.[NODE_ENV] | Current environment | No | Loaded when NODE_ENV is set |
4th | .env | All | Depends | Loaded in all the environments. You should .gitignore it when storing secrets in this file |
The EnvParser
class is responsible for parsing the contents of the .env
file(s) and converting them into an object.
import { EnvParser } from '@adonisjs/env'
const envParser = new EnvParser(`
PORT=3000
HOST=localhost
`)
console.log(await envParser.parse()) // { PORT: '3000', HOST: 'localhost' }
The return value of parser.parse
is an object with key-value pair. The parser also has support for interpolation.
By default, the parser prefers existing process.env
values when they exist. However, you can instruct the parser to ignore existing process.env
files as follows.
new EnvParser(envContents, { ignoreProcessEnv: true })
You can define an "identifier" to be used for interpolation. The identifier is a string that prefix the environment variable value and let you customize the value resolution.
import { readFile } from 'node:fs/promises'
import { EnvParser } from '@adonisjs/env'
EnvParser.identifier('file', (value) => {
return readFile(value, 'utf-8')
})
const envParser = new EnvParser(`
DB_PASSWORD=file:/run/secret/db_password
`)
console.log(await envParser.parse()) // { DB_PASSWORD: 'Value from file /run/secret/db_password' }
This can be useful when you are using secrets manager like Docker Secret
, HashiCorp Vault
, Google Secrets Manager
and others to manage your secrets.
Once you have the parsed objects, you can optionally validate them against a pre-defined schema. We recommend validation for the following reasons.
import { Env } from '@adonisjs/env'
const validator = Env.rules({
PORT: Env.schema.number(),
HOST: Env.schema.string({ format: 'host' })
})
The Env.schema
is a reference to the @poppinss/validator-lite schema
object. Make sure to go through the package README to view all the available methods and options.
The Env.rules
method returns an instance of the validator to validate the environment variables. The return value is the validated object with type information inferred from the schema.
validator.validate(process.env)
Following is a complete example of loading dot-env files and validating them in one go.
Note: Existing
process.env
variables have the top most priority over the variables defined in any of the files.
import { Env } from '@adonisjs/env'
const env = await Env.create(new URL('./', import.meta.url), {
PORT: Env.schema.number(),
HOST: Env.schema.string({ format: 'host' })
})
env.get('PORT') // is a number
env.get('HOST') // is a string
env.get('NODE_ENV') // is unknown, hence a string or undefined
The Env editor can be used to edit dot-env files and persist changes on disk. Only the .env
and .env.example
files are updated (if exists).
import { EnvEditor } from '@adonisjs/env/editor'
const editor = await EnvEditor.create(new URL('./', import.meta.url))
editor.add('PORT', 3000)
editor.add('HOST', 'localhost')
// Write changes on disk
await editor.save()
You can also insert an empty value for the .env.example
file by setting the last argument to true
.
editor.add('SECRET_VARIABLE', 'secret-value', true)
This will add the following line to the .env.example
file.
SECRET_VARIABLE=
The exception is raised during environment variables validation exception. The exception is raised with Validation failed for one or more environment variables
message.
You can access the detailed error messages using the error.cause
property.
try {
validate(envValues)
} catch (error) {
console.log(error.cause)
}
FAQs
Environment variable manager for Node.js
We found that @adonisjs/env demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.