Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@humanwhocodes/env
Advanced tools
If you find this useful, please consider supporting my work with a donation.
A utility for verifying that environment variables are present in Node.js and Deno. The main use case is to easily throw an error when an environment variable is missing. This is most useful immediately after a Node.js or Deno program has been initiated, to fail fast and let you know that environment variables haven't been setup correctly.
npm install @humanwhocodes/env --save
# or
yarn add @humanwhocodes/env
Import into your Node.js project:
// CommonJS
const { Env } = require("@humanwhocodes/env");
// ESM
import { Env } from "@humanwhocodes/env";
By default, an Env
instance will read from process.env
.
Import into your Deno project:
import { Env } from "https://unpkg.com/@humanwhocodes/env/dist/env.js";
By default, an Env
instance will read from Deno.env()
.
It's recommended to import the minified version to save bandwidth:
import { Env } from "https://unpkg.com/@humanwhocodes/env/dist/env.min.js";
However, you can also import the unminified version for debugging purposes:
import { Env } from "https://unpkg.com/@humanwhocodes/env/dist/env.js";
By default, an Env
instance will read from an empty object.
After importing, create a new instance of Env
to start reading environment variables:
const env = new Env();
// read a variable and don't care if it's empty
const username = env.get("USERNAME");
// read a variable and use a default if empty
const username = env.get("USERNAME", "humanwhocodes");
// determine if a variable exists
const username = env.has("USERNAME");
// read the first found variable and use a default is empty
const username = env.first(["USERNAME", "USERNAME2"], "humanwhocodes");
// read a variable and throw an error if it doesn't exist
// or is an empty string
const username = env.require("USERNAME");
To retrieve more than one required environment variable at one time, you can use the required
property with destructuring assignment:
const env = new Env();
// throws if variables are undefined or an empty string
const {
CLIENT_ID,
CLIENT_SECRET
} = env.required;
In this example, an error is thrown if either CLIENT_ID
or CLIENT_SECRET
is missing or an empty string. The required
property is a proxy object that throws an error whenever you attempt to access a property that doesn't exist.
If you don't want to throw an error for environment variables containing an empty string, use the exists
property:
const env = new Env();
// throws only if variables are not defined
const {
CLIENT_ID,
CLIENT_SECRET
} = env.exists;
You can also specify an alternate object to read variables from. This can be useful for testing or in the browser (where there is no environment variable to read from by default):
const env = new Env({
USERNAME: "humanwhocodes"
});
// read a variable and don't care if it's empty
const username = env.get("USERNAME");
// read a variable and throw an error if it doesn't exist
const password = env.require("PASSWORD");
FAQs
A utility to verify that environment variables exist.
The npm package @humanwhocodes/env receives a total of 5,480 weekly downloads. As such, @humanwhocodes/env popularity was classified as popular.
We found that @humanwhocodes/env demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.