Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
config-dug
Advanced tools
Config loader with support for AWS Secrets Manager.
yarn | npm |
---|---|
yarn add config-dug | npm install config-dug |
config-dug
looks in several places for your config, including config files in your project, environment variables and AWS Secrets Manager. config-dug
allows you to write your config files in either TypeScript or JavaScript. You are expected to export a default object from your config file:
// config.default.ts
export default {
API_ENDPOINT: 'https://api.example.com/',
};
// config.default.js
module.exports = {
API_ENDPOINT: 'https://api.example.com/',
};
Environment specific config files are loaded based on the value of the APP_ENV
or NODE_ENV
environment variables. If APP_ENV
is present it will take precedence over NODE_ENV
.
Settings from these different sources are merged together into a single config object in the following order:
config.default.{ts|js}
config.${APP_ENV|NODE_ENV}.{ts|js}
config.${APP_ENV|NODE_ENV}.local.{ts|js}
config.local.{ts|js}
By default your config files need to be placed in the root directory of your project. If you want to keep config files in a different directory see Customizing Config Loading.
Import config-dug
anywhere in your code where you want to access your config. All of your settings are available on the imported object:
// app.ts
import config from 'config-dug';
console.log(config.API_ENDPOINT);
// app.js
const config = require('config-dug').default;
console.log(config.API_ENDPOINT);
// https://api.example.com/
:warning: You must use
require('config-dug').default
in JavaScript files. If you exclude.default
Config Dug will not work.
config-dug
will add all your environment variables to the config
object. This can have unintended consequences if one of your config keys has the same name as an existing, unrelated environment variable.
:warning:
config-dug
is only intended to be used on the server. Your server already has access to your full environment inprocess.env
. If you useconfig-dug
in server rendered client applications you risk exposing your server's environment to the client.
In order to use AWS Secrets Manager you have to add a AWS_SECRETS_MANAGER_NAME
or awsSecretsManagerName
setting to your config that specifies the names of the secrets to look up:
// config.default.ts
export default {
AWS_SECRETS_MANAGER_NAME: 'production/myapp/config',
API_ENDPOINT: 'https://api.example.com/',
};
If you need to read from multiple secret buckets, AWS_SECRETS_MANAGER_NAMES
takes a comma separated list to allow connection to multiple secrets in AWS Secrets Manager. Each secret from the list is evaluated in order mean that if a specific key appears in two secrets the value will be overwritten by the last secret in the list.
// config.default.ts
export default {
AWS_SECRETS_MANAGER_NAMES: 'production/myapp/config,production/myapp/another-config',
API_ENDPOINT: 'https://api.example.com/',
};
In addition to specifying the secret name you can also provide a region using the AWS_SECRETS_MANAGER_REGION
or awsSecretsManagerRegion
setting. The connection timeout in milliseconds can also be specified using the AWS_SECRETS_MANAGER_TIMEOUT
or awsSecretsManagerTimeout
setting:
// config.default.ts
export default {
AWS_SECRETS_MANAGER_NAME: 'production/myapp/config',
AWS_SECRETS_MANAGER_REGION: 'us-west-2',
AWS_SECRETS_MANAGER_TIMEOUT: 2000
API_ENDPOINT: 'https://api.example.com'
};
The default region is us-east-1
and the default connection timeout is 5000
ms.
Config Dug will warn if it detects invalid config values. Invalid values include:
This package uses the aws-sdk internally. Refer to their documentation for information about authentication, configuring a default region and configuring access control for AWS Secrets Manager.
If you want to load config files from a directory other than the project root you can import the loadConfig
function and use it directly.
import { loadConfig } from 'config-dug';
loadConfig('config');
This will import your config files from the config
directory. The path you specify must be relative to your project root.
config-dug
uses the debug library. To print debug messages for config-dug
set DEBUG=config-dug
.
npm install
OR npm i
npm run test
package.json
CHANGELOG
entrynpm pack
to see what will be published then delete the .tgz
file that was creatednpm publish
1.0.0
the tag and release name would be v1.0.0
.FAQs
Config loader with support for AWS Secrets Manager
We found that config-dug demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 157 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.