A simple configuration management module used for node projects.
$ npm install configly --save
var config = require('configly');
Create a directory in the root of your project called config. Every .js and .json in that directory will be included in the config object returned.
For example: if you create a file called lib.json with these contents...
{
  "foo": "bar"
}
...the final config object will look like this...
{
  lib: {
    foo: 'bar'
  }
}
If you use a .js file instead of a .json file, then you just need to make sure you put stuff in the module.exports object. The above example in .js form...
module.exports = {
  lib: {
    foo: 'bar'
  }
};
If you have a multi-word filename, only use dashes and underscores to separate the words. This is because the filename is converted to camelCase.
For example: if you create a file called user-permissions.json with these contents...
{
  "/": [
    "anonymous",
    "admin"
  ],
  "/admin": [
    "admin"
  ]
}
...the final config object will look like this...
{
  userPermissions: {
    '/': [
      'anonymous',
      'admin'
    ],
    '/admin': [
      'admin'
    ]
  }
}
To signify that a config file is an environment config file, use this naming convention:
env.[environment name].js(on)
The environment name should be the name of the environment you want the config file to be for.
For example, if it's for a development environment, you should name the config file env.development.json or env.development.js.
To change the environment used, you just need to specify the NODE_ENV variable when running your app. E.g. NODE_ENV=production node app
If no NODE_ENV variable is provided, it will default to development, so you should always have an env.development.json file.
Although you can have a config file with the same name but different extensions (i.e. .js and .json), you shouldn't because one of them will not be included. From the tests that I've done, it takes the .json version because it shows up later in the list. At any rate, it seems like it would be bad practice to have two files with the same name in the same directory.
Your config directory has to be where your process.cwd() resides. In the future, I would like this to be configurable, but in the spirit of quick iterations and getting feedback, I will save that for another day.
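The naming rules above, worked through as an added example (not configly's own code): planConfig is a hypothetical helper that takes the file names found in config/ and reports which file supplies each key, which files are silently shadowed, and which env file applies. It assumes files are processed in sorted order with the last one winning, and it goes slightly beyond the README by also flagging dash/underscore names that collapse to the same camelCase key.

```javascript
// Convert a file's base name to its config key: dashes and underscores
// separate words, and the result is camelCase (per the README).
function toConfigKey(baseName) {
  return baseName
    .split(/[-_]+/)
    .filter(Boolean)
    .map((w, i) => (i === 0 ? w : w[0].toUpperCase() + w.slice(1)))
    .join('');
}

// Hypothetical audit helper: plan how a config/ listing maps to config keys.
function planConfig(fileNames, nodeEnv) {
  const env = nodeEnv || 'development'; // default stated in the README
  const plan = { keys: {}, shadowed: [], envFile: null, ignored: [] };
  // Assumption: sorted order, last file wins. This matches the README's note
  // that the .json version is taken because it shows up later in the list.
  for (const name of [...fileNames].sort()) {
    const m = /^(.+)\.(js|json)$/.exec(name);
    if (!m) { plan.ignored.push(name); continue; } // not a .js/.json file
    const envMatch = /^env\.(.+)$/.exec(m[1]);
    if (envMatch) {
      if (envMatch[1] !== env) continue; // env file for another environment
      if (plan.envFile) plan.shadowed.push(plan.envFile);
      plan.envFile = name;
      continue;
    }
    const key = toConfigKey(m[1]);
    // A second file resolving to the same key replaces the first one.
    if (plan.keys[key]) plan.shadowed.push(plan.keys[key]);
    plan.keys[key] = name;
  }
  return plan;
}

// Constructed sample listing of a config/ directory.
const sample = [
  'lib.js', 'lib.json', 'user-permissions.json', 'user_permissions.js',
  'env.development.json', 'env.production.js', 'README.md',
];
console.log(planConfig(sample, process.env.NODE_ENV));
```

A non-empty shadowed list means a file in config/ is not contributing to the config object, which is worth failing a build on when that directory holds access rules such as user-permissions.json.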
FAQs
A developer-friendly lightweight replacement for the 'config' module that works with custom config directories and pluggable parsers
The npm package configly receives a total of 411 weekly downloads. As such, configly popularity was classified as not popular.
We found that configly demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.