The 'conf' npm package is a simple yet powerful configuration management tool for Node.js applications. It allows you to easily store and retrieve configuration data, manage defaults, and handle schema validation. The data is stored in a JSON file, making it easy to read and modify.
Store and Retrieve Configuration Data
This feature allows you to store and retrieve configuration data easily. The data is stored in a JSON file, and you can set and get values using simple methods.
const Conf = require('conf');
const config = new Conf();
// Set a value
config.set('unicorn', '🦄');
// Get a value
console.log(config.get('unicorn'));
//=> '🦄'
Manage Default Values
You can define default values for your configuration settings. If a key is not set, the default value will be returned.
const Conf = require('conf');
const config = new Conf({
	defaults: {
		foo: 'bar'
	}
});
console.log(config.get('foo'));
//=> 'bar'
Schema Validation
You can define a schema for your configuration to ensure that the data meets certain criteria. This helps in maintaining data integrity and consistency.
const Conf = require('conf');
const schema = {
	type: 'object',
	properties: {
		foo: {
			type: 'string'
		},
		bar: {
			type: 'number',
			minimum: 0
		}
	}
};
const config = new Conf({ schema });
config.set('foo', 'baz');
config.set('bar', 42);
console.log(config.get('foo'));
//=> 'baz'
console.log(config.get('bar'));
//=> 42
Configstore is another package for managing configuration data in Node.js applications. It provides similar functionality to 'conf', such as storing and retrieving data, managing defaults, and handling schema validation. However, 'conf' offers a more modern API and better TypeScript support.
Node-persist is a simple, zero-dependency, key-value storage library for Node.js. It provides persistent storage for configuration data, similar to 'conf'. However, 'conf' offers more advanced features like schema validation and default values management.
Nconf is a hierarchical configuration manager for Node.js. It supports multiple configuration sources such as command-line arguments, environment variables, and JSON files. While 'nconf' is more flexible in terms of configuration sources, 'conf' is simpler and easier to use for most use cases.
Simple config handling for your app or module
All you have to care about is what to persist. This module will handle all the dull details like where and how.
If you need this for Electron, check out electron-store instead.
$ npm install conf
const Conf = require('conf');
const config = new Conf();
config.set('unicorn', '🦄');
console.log(config.get('unicorn'));
//=> '🦄'
// Use dot-notation to access nested properties
config.set('foo.bar', true);
console.log(config.get('foo'));
//=> {bar: true}
config.delete('unicorn');
console.log(config.get('unicorn'));
//=> undefined
Changes are written to disk atomically, so if the process crashes during a write, it will not corrupt the existing config.
Returns a new instance.
Type: object
Type: object
Default values for the config items.
Note: The values in defaults will overwrite the default key in the schema option.
Type: object
JSON Schema to validate your config data.
Under the hood, the JSON Schema validator ajv is used to validate your config. We use JSON Schema draft-07 and support all validation keywords and formats.
You should define your schema as an object where each key is the name of your data's property and each value is a JSON schema used to validate that property. See more here.
Example:
const Conf = require('conf');
const schema = {
	foo: {
		type: 'number',
		maximum: 100,
		minimum: 1,
		default: 50
	},
	bar: {
		type: 'string',
		format: 'url'
	}
};
const config = new Conf({schema});
console.log(config.get('foo'));
//=> 50
config.set('foo', '1');
// [Error: Config schema violation: `foo` should be number]
Note: The default value will be overwritten by the defaults option if set.
Type: object
You can use migrations to perform operations on the store whenever a project version is upgraded.
The migrations object should consist of key-value pairs of 'version': handler. The version can also be a semver range.
Example:
const Conf = require('conf');
const store = new Conf({
	migrations: {
		'0.0.1': store => {
			store.set('debugPhase', true);
		},
		'1.0.0': store => {
			store.delete('debugPhase');
			store.set('phase', '1.0.0');
		},
		'1.0.2': store => {
			store.set('phase', '1.0.2');
		},
		'>=2.0.0': store => {
			store.set('phase', '>=2.0.0');
		}
	}
});
Note: The version the migrations use refers to the project version by default. If you want to change this behavior, specify the projectVersion option.
Type: string
Default: 'config'
Name of the config file (without extension).
Useful if you need multiple config files for your app or module. For example, different config files between two major versions.
Type: string
Default: The name field in the package.json closest to where conf is imported.
You only need to specify this if you don't have a package.json file in your project or if it doesn't have a name defined within it.
Type: string
Default: The version field in the package.json closest to where conf is imported.
You only need to specify this if you don't have a package.json file in your project or if it doesn't have a version defined within it.
Type: string
Default: System default user config directory
You most likely don't need this. Please don't use it unless you really have to. By default, it will pick the optimal location by adhering to system conventions. You are very likely to get this wrong and annoy users.
Overrides projectName.
The only use-case I can think of is having the config located in the app directory or on some external storage.
Type: string | Buffer | TypedArray | DataView
Default: undefined
This can be used to secure sensitive data if the encryption key is stored in a secure manner (not plain-text) in the Node.js app. For example, by using node-keytar to store the encryption key securely, or by asking the user for the encryption key (a password) and then storing it in a variable.
In addition to security, this could be used for obscurity. If a user looks through the config directory and finds the config file, since it's just a JSON file, they may be tempted to modify it. By providing an encryption key, the file will be obfuscated, which should hopefully deter any users from doing so.
It also has the added bonus of ensuring the config file's integrity. If the file is changed in any way, the decryption will not work, in which case the store will just reset back to its default state.
When specified, the store will be encrypted using the aes-256-cbc encryption algorithm.
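aes-256-cbc on its own does not authenticate the ciphertext, so a change to the file is only noticed when the result happens to stop parsing. The following added example (not code from conf or from the original page; the key derivation, the IV-prefix layout and the sample config are constructed assumptions) shows a one-byte edit to a CBC-encrypted JSON file decrypting cleanly to different valid JSON, and an HMAC-SHA256 tag in an encrypt-then-MAC arrangement rejecting the same edit.

```javascript
const crypto = require('node:crypto');
// Constructed keys for the demo; a real key would come from a keychain or the user.
const encKey = crypto.scryptSync('constructed-passphrase', 'enc-salt', 32);
const macKey = crypto.scryptSync('constructed-passphrase', 'mac-salt', 32);

// Plain aes-256-cbc. Layout (an assumption for this demo): 16-byte IV, then ciphertext.
function encrypt(plaintext) {
	const iv = crypto.randomBytes(16);
	const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
	return Buffer.concat([iv, cipher.update(plaintext, 'utf8'), cipher.final()]);
}

function decrypt(blob) {
	const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, blob.subarray(0, 16));
	return Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]).toString('utf8');
}

// Encrypt-then-MAC: a 32-byte HMAC-SHA256 tag over IV + ciphertext is prepended.
function seal(plaintext) {
	const blob = encrypt(plaintext);
	const tag = crypto.createHmac('sha256', macKey).update(blob).digest();
	return Buffer.concat([tag, blob]);
}

function unseal(sealed) {
	const tag = sealed.subarray(0, 32);
	const blob = sealed.subarray(32);
	const expected = crypto.createHmac('sha256', macKey).update(blob).digest();
	if (tag.length !== 32 || !crypto.timingSafeEqual(tag, expected)) {
		throw new Error('config file failed integrity check');
	}
	return decrypt(blob);
}

function flipByte(buf, index, mask) {
	const copy = Buffer.from(buf);
	copy[index] ^= mask;
	return copy;
}

function demo() {
	const original = '{"debug":0,"theme":"dark"}'; // constructed sample config
	// In CBC, XORing IV byte 9 XORs plaintext byte 9 of the first block: '0' becomes '1'.
	const tampered = decrypt(flipByte(encrypt(original), 9, 0x01));
	let rejected = false;
	try { unseal(flipByte(seal(original), 32 + 9, 0x01)); } catch { rejected = true; }
	return {original, tampered, rejected};
}
console.log(demo());
```

An AEAD mode such as aes-256-gcm gives the same guarantee without a separate MAC key.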
Type: string
Default: 'json'
Extension of the config file.
You would usually not need this, but it could be useful if you want to interact with a file with a custom file extension that can be associated with your app. These might be simple save/export/preference files that are intended to be shareable or saved outside of the app.
Type: boolean
Default: true
The config is cleared if reading the config file causes a SyntaxError. This is a good default, as the config file is not intended to be hand-edited, so it usually means the config is corrupt and there's nothing the user can do about it anyway. However, if you let the user edit the config file directly, mistakes might happen and it could be more useful to throw an error when the config is invalid instead of clearing. Disabling this option will make it throw a SyntaxError on invalid config instead of clearing.
Type: Function
Default: value => JSON.stringify(value, null, '\t')
Function to serialize the config object to a UTF-8 string when writing the config file.
You would usually not need this, but it could be useful if you want to use a format other than JSON.
Type: Function
Default: JSON.parse
Function to deserialize the config object from a UTF-8 string when reading the config file.
You would usually not need this, but it could be useful if you want to use a format other than JSON.
Type: string
Default: 'nodejs'
You most likely don't need this. Please don't use it unless you really have to.
Suffix appended to projectName during config file creation to avoid name conflicts with native apps.
You can pass an empty string to remove the suffix.
For example, on macOS, the config file will be stored in the ~/Library/Preferences/foo-nodejs directory, where foo is the projectName.
Type: boolean
Default: true
Accessing nested properties by dot notation. For example:
const Conf = require('conf');
const config = new Conf();
config.set({
	foo: {
		bar: {
			foobar: '🦄'
		}
	}
});
console.log(config.get('foo.bar.foobar'));
//=> '🦄'
Alternatively, you can set this option to false so the whole string would be treated as one key.
const Conf = require('conf');
const config = new Conf({accessPropertiesByDotNotation: false});
// The key is an ordinary quoted string; it is stored as a single top-level key
config.set({
	'foo.bar.foobar': '🦄'
});
console.log(config.get('foo.bar.foobar'));
//=> '🦄'
Type: boolean
Default: false
Watch for any changes in the config file and call the callback for onDidChange if set. This is useful if there are multiple processes changing the same config file.
Currently this option doesn't work on Node.js 8 on macOS.
You can use dot-notation in a key to access nested properties.
The instance is iterable so you can use it directly in a for…of loop.
Set an item.
The value must be JSON serializable. Trying to set the type undefined, function, or symbol will result in a TypeError.
Set multiple items at once.
Get an item or defaultValue if the item does not exist.
Reset items to their default values, as defined by the defaults or schema option.
Check if an item exists.
Delete an item.
Delete all items.
callback: (newValue, oldValue) => {}
Watches the given key, calling callback on any changes.
When a key is first set oldValue will be undefined, and when a key is deleted newValue will be undefined.
Returns a function which you can use to unsubscribe:
const unsubscribe = conf.onDidChange(key, callback);
unsubscribe();
callback: (newValue, oldValue) => {}
Watches the whole config object, calling callback on any changes.
oldValue and newValue will be the config object before and after the change, respectively. You must compare oldValue to newValue to find out what changed.
Returns a function which you can use to unsubscribe:
// onDidAnyChange watches the whole config, so it takes only the callback
const unsubscribe = conf.onDidAnyChange(callback);
unsubscribe();
Get the item count.
Get all the config as an object or replace the current config with an object:
conf.store = {
	hello: 'world'
};
Get the path to the config file.
configstore?
I'm also the author of configstore. While it's pretty good, I did make some mistakes early on that are hard to change at this point. This module is the result of everything I learned from making configstore. Mainly where the config is stored. In configstore, the config is stored in ~/.config (which is mainly a Linux convention) on all systems, while conf stores config in the system default user config directory. The ~/.config directory, it turns out, often has an incorrect permission on macOS and Windows, which has caused a lot of grief for users.
The serialize and deserialize options can be used to customize the format of the config file, as long as the representation is compatible with utf8 encoding.
Example using YAML:
const Conf = require('conf');
const yaml = require('js-yaml');
const config = new Conf({
	fileExtension: 'yaml',
	serialize: yaml.safeDump,
	deserialize: yaml.safeLoad
});
FAQs
Simple config handling for your app or module
We found that conf demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.