Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
config3 cascades configuration from the following files, in this order, with values in later files overriding those in earlier ones:

1. `<app_root>/config.default.js` (or `config.default.json`, which should be a JSON file)
2. `<app_root>/config.js` or `config.json`
3. `<app_root>/config.local.js` (`config.local.json` or `config.local.js` will both work). Put these in your `.gitignore`, as these are by definition specific to a particular developer or environment and should not be tracked in source control.
4. `/etc/<package_name>/config.js`, where `<package_name>` is your npm package name from your project's `package.json` file. `/etc/<package_name>/config.json` will also work.

Load the merged configuration with:

var config = require("config3");

Each file is loaded with `require`, which looks for `.js` first and falls back to `.json` otherwise. So at each tier use one format or the other:

- `config.default.js` OR `config.default.json` (NOT both)
- `config.js` OR `config.json` (NOT both)
- `config.local.js` OR `config.local.json` (NOT both)
- `/etc/<package_name>/config.js` OR `/etc/<package_name>/config.json` (NOT both)

For example, with these three files:

`<app_root>/config.json`
{"port": 3000, "dbUrl": "mongodb://localhost/myapp", "fbAppId": "12345"}

`<app_root>/config.local.json`
{"port": 4500}

`/etc/myapp/config.json`
{"dbUrl": "mongodb://192.168.1.17/myapp-production", "fbAppId": "REAL_FB_APP_ID"}
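The cascade above, modelled in memory as an added example (this is not config3's own code): the three sample files are embedded as constructed data under an assumed `<app_root>` of `/srv/myapp`, the lookup mirrors `require`'s ".js then .json" rule and rejects the "NOT both" case, and the loader also records which file last set each top-level key, which is what you want when checking where a production host or credential actually came from.

```javascript
// Added in-memory model of the config3 cascade described above; not config3's own code.
// The tier order and the ".js before .json" lookup are taken from the README text.

// Constructed sample "filesystem": path -> parsed contents (a real loader would require() them).
const FILES = {
  "/srv/myapp/config.json": { port: 3000, dbUrl: "mongodb://localhost/myapp", fbAppId: "12345" },
  "/srv/myapp/config.local.json": { port: 4500 },
  "/etc/myapp/config.json": { dbUrl: "mongodb://192.168.1.17/myapp-production", fbAppId: "REAL_FB_APP_ID" },
};

// Mirror require()'s lookup: ".js" first, then ".json"; refuse the "NOT both" case loudly.
function resolveTier(base, files = FILES) {
  const js = base + ".js", json = base + ".json";
  if (js in files && json in files) throw new Error(`ambiguous tier: both ${js} and ${json} exist`);
  if (js in files) return { path: js, value: files[js] };
  if (json in files) return { path: json, value: files[json] };
  return null; // an absent tier is simply skipped
}

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Recursive merge: keys in `src` override `dst`; nested objects merge, everything else replaces.
function deepMerge(dst, src) {
  const out = { ...dst };
  for (const [k, v] of Object.entries(src)) out[k] = isObj(v) && isObj(out[k]) ? deepMerge(out[k], v) : v;
  return out;
}

// Load the cascade for an app rooted at `appRoot` whose package.json name is `pkgName`.
// Besides the merged config it returns a provenance map (top-level key -> file that last set it),
// useful when auditing which tier a production host or credential actually came from.
function loadCascade(appRoot, pkgName, files = FILES) {
  const tiers = [`${appRoot}/config.default`, `${appRoot}/config`, `${appRoot}/config.local`, `/etc/${pkgName}/config`];
  let config = {};
  const origin = {};
  for (const base of tiers) {
    const hit = resolveTier(base, files);
    if (!hit) continue;
    config = deepMerge(config, hit.value);
    for (const key of Object.keys(hit.value)) origin[key] = hit.path;
  }
  return { config, origin };
}
```

With the sample files, `loadCascade("/srv/myapp", "myapp")` yields port 4500 from the local file and the production dbUrl and fbAppId from `/etc/myapp/config.json`.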
This module comes with a command line program also called `config3` that takes a property path as the only argument and prints out the corresponding value from your application's configuration. This supports property path notation à la `db.connection.poolSize` via the `pathval` npm package.

This comes in handy for automating stuff during builds and deployments.

./node_modules/.bin/config3 'emails.admins[0]'

Prints out "one@example.com" given a config of {emails: {admins: ["one@example.com"]}}
# Motivation and Philosophy

There are many similar modules already written and published to the npm registry. Why yet another? I find problems with most of the existing ones as follows:

- They copy the Rails convention of `RAILS_ENV=production` (`NODE_ENV` for us).
- Behavior is switched on `NODE_ENV`. Typically this might be something like enabling a cache in production but disabling it otherwise.
- Set `NODE_ENV=staging` on your staging system and use one of the npm config packages that loads a `staging.yaml` file. Now your staging server is way out of alignment with production.
- `NODE_ENV` should be removed in favor of explicit options. Packages in npm should assume production-type configuration by default and should allow appropriate changes for development when passed explicit granular options to do development things like enabling source maps, disabling caches, printing debug output, etc.
config3 uses the `debug` package by TJ Holowaychuk. Normally, no debug information is output. To have debug statements written to stdout, set the `DEBUG` environment variable to `config3` or a colon-delimited string containing `config3`, like `express:config3:socket.io`.
DEBUG=config3 node myapp.js
- `require` can load JSON files directly.
- Throws exceptions.
- `process.cwd()`
- `NODE_ENV`
1.1.0 (2019-02-28)
Cascade config files with sensible default, local, deployed files
We found that config3 demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.