@fulminate/config-builder
Manage your project parameters and sensitive data (e.g. API keys or secret tokens) easily and conveniently.
A simple way to share code that uses sensitive data like API keys, tokens, secret keys, etc. without losing code consistency. Heavily inspired by the usage logic of Symfony's parameters.yml.
Important! Install this package only after initializing package.json!

```bash
npm i --save @fulminate/config-builder
```
After NPM successfully downloads the package, the script will launch automatically.
It will ask you to provide:
/
.config
Assuming you've accepted all the default parameters, the config builder creates a config.dist.json file in the root directory of your project. It will also add a fill-config script to your package.json, which is a shortcut to start populating your config files.
If you want to have more than one config file, feel free to run:

```bash
node ./node_modules/@fulminate/config-builder/index.js
```

and provide the -i flag to run the initializer script again and generate a new file for you. Bear in mind that currently creating a new dist file will override the fill-config command in your package.json, so you will have to type it again manually. This issue will be fixed in future releases.
After the installation process is complete, populate the *.dist.* file with the required data and run npm run fill-config.
E.g.:
```yaml
# You can use straightforward key-value pairs here
domain: 'example.com'
# You can nest objects
database:
  type: 'mysql'
  name: 'database'
  host: 'localhost'
  port: 3306
  username: 'root'
  password: 'root'
# You can use arrays. In this case the prompter will render
# a list of choices given in the array instead of an input
slackChannel:
  - 'general'
  - 'api-errors'
  - 'client-errors'
```
The same logic can be applied to dist files of JSON type:
```json
{
  "domain": "example.com",
  "database": {
    "type": "mysql",
    "name": "database",
    "host": "localhost",
    "port": 3306,
    "username": "root",
    "password": "root"
  },
  "slackChannel": [
    "general",
    "api-errors",
    "client-errors"
  ]
}
```
The script iterates over each key of the dist file and prompts you for the real data you want to use. Each key is used both as the question and as the key in the final config file, whereas the value is either the default input value or a list of choices (when the value is an array). The value written to the final config file is either the user input or the default (the value from the *.dist.* file, or the first item of the array if the value is an array).
If you have more than one dist file, you are free to launch the script directly:
```bash
node ./node_modules/@fulminate/config-builder/index.js -p --file=./PATH/FILENAME.dist.{json|yml}
```

- populate (or simply -p) runs the real config file population. It is used in conjunction with the --file flag, which specifies which dist file should be used. NOTE: this script creates the config file in the same directory and with the same extension as the dist file (e.g. given ./cfg/main.dist.yml, the script will create the ./cfg/main.yml config file).
- init-dist | init (or simply -i) runs the prompter for creating a new dist file.
- --file=? specifies which dist file to use and where it is. E.g.: --file=./cfg/main.yml.
- --freshRun is a system flag that is required for the postinstall hook. DO NOT USE IT.

Just define an object in your code and parse the contents of the config file into it. Example with Node.js:
JSON:
```json
{
  "server": {
    "port": 3000
  }
}
```

```javascript
var fs = require('fs');
var express = require('express');
// express exports a factory function; call it to get an app instance
var app = express();
if (!fs.existsSync('./cfg/main.json')) {
  process.stdout.write('Config file not found');
  process.exit(1);
}
// read as text so JSON.parse receives a string rather than a Buffer
var cfg = JSON.parse(fs.readFileSync('./cfg/main.json', 'utf8'));
app.listen(cfg.server.port);
```
YAML:
```yaml
server:
  port: 3000
```

```javascript
var fs = require('fs');
var express = require('express');
var YAML = require('yamljs');
// express exports a factory function; call it to get an app instance
var app = express();
if (!fs.existsSync('./cfg/main.yml')) {
  process.stdout.write('Config file not found');
  process.exit(1);
}
// YAML.parse expects a string, so read the file as utf8 text
var cfg = YAML.parse(fs.readFileSync('./cfg/main.yml', 'utf8'));
app.listen(cfg.server.port);
```

If you decide to use YAML, you will need to install an additional package to parse YAML into JS. In this package I used yamljs, but it is entirely up to you to pick the one you like.
- .*ignore
- package.json upon creating more than one dist file (instead of overriding the same script)
The npm package @fulminate/config-builder receives a total of 0 weekly downloads. As such, @fulminate/config-builder popularity was classified as not popular.
We found that @fulminate/config-builder demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.