A simple configuration management module used for node.js projects.
$ npm install configly --save
After installing the configly package (see above), create a directory in the root of your project called config.
Put configuration files in your newly created config directory, either as .json files or as .js files. A .js file should module.exports = the config object.
Environment-specific settings go in env.[environmentName].json or env.[environmentName].js files. When NODE_ENV is not set, the environment is development (see the example output below). To run under a different environment:
$ NODE_ENV=production node app
replacing production with the environment you wish to be in.
Include the config object in your files:
var config = require('configly');
The config object returned will reflect the data put into your configuration files. Each file becomes a property attached to the config object. The property name is a camelCased version of the file name (e.g. filename = foo-bar.json gives config = { fooBar: ... }; see the example below). The environment config is exposed as the env property.
Imagine a directory structure like this:
project/
├─ config/
│ ├─ env.development.json
│ ├─ env.production.json
│ ├─ user-permissions.json
│ └─ email.js
├─ node_modules/
│ └─ configly/...
├─ package.json
└─ app.js
config/env.development.json
{
"port": "3000",
"cacheAge": 0
}
config/env.production.json
{
"port": "80",
"cacheAge": 86000
}
config/user-permissions.json
{
"/": [
"admin",
"anonymous"
],
"/admin": [
"admin"
]
}
config/email.js
'use strict';
var emailConfig = {};
emailConfig.user = 'email@email.com';
emailConfig.password = 'my super secure password';
module.exports = emailConfig;
app.js
'use strict';
var config = require('configly');
console.log(config);
Alright, now with that setup, we run this command:
$ node app
We get this output:
{ email:
{ user: 'email@email.com',
password: 'my super secure password' },
env: { port: '3000', cacheAge: 0, name: 'development' },
userPermissions: { '/': [ 'admin', 'anonymous' ], '/admin': [ 'admin' ] } }
But when we run this command:
$ NODE_ENV=production node app
We get this output:
{ email:
{ user: 'email@email.com',
password: 'my super secure password' },
env: { port: '80', cacheAge: 86000, name: 'production' },
userPermissions: { '/': [ 'admin', 'anonymous' ], '/admin': [ 'admin' ] } }
Notice the only change was in the environment variable. I don't know about you, but this is super handy, because now deployment becomes a breeze.
Any file you add to the config directory will automatically be added to the config object. No need to include it in some master config file.
Also, no 3rd party dependencies. The only core modules it depends on are fs and path.
If there is some behavior that isn't expected, like the config object isn't in the format you expected, try console.log on the config object.
If there is no config directory in what is considered your 'current working directory' (this can be found with process.cwd()), then the config object will be a JavaScript Error object.
If there was an error parsing a .json or .js file, then the property it was supposed to populate will be a SyntaxError object.
Any other issues, please report to this repo's issues on GitHub.
Although you can have config files with the same name but different extensions (i.e. .js and .json), you shouldn't, because one of them will not be included. From the tests that I've done, it takes the .json version because it shows up later in the directory listing. At any rate, it seems like bad practice to have two files with the same name in the same directory.
Your config directory has to be where your process.cwd() resides. In the future, I would like this to be configurable, but in the spirit of quick iterations and getting feedback, I will save that for another day.
This project uses gulp for task automation.
$ npm install -g gulp
Here are the three tasks available to use:
gulp hint: runs all pertinent code against jshint. The rules are the ones defined in .jshintrc
gulp test: runs all tests with mocha for passing and istanbul for code coverage. It generates HTML files showing the code coverage.
gulp docs: builds out all of the documentation using docco. Note that you need to have docco installed (npm install -g docco). I at one time had docco as part of the dev dependencies, but now I don't. I may be open to putting it back, but I just wanted to keep the package as small as possible.
You can also run npm test, and it does basically the same thing as gulp test, but an error will be thrown because it does some more istanbul stuff to send data to the coverage server. When this project runs through Travis, it also sends coverage data to coveralls.io.
When forking and doing pull requests, work off of the develop branch. I won't be super strict on this, but it's what I would prefer. That way we can keep master clean.