Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
dotenv-haphap
Advanced tools
Inspired by dotenv, but allows loading multiple dotenv files.
Instead of a path for a single dotenv file, you can call config with a coma separated list of paths.
npm install dotenv-haphap
As early as possible in your application, require and configure dotenv-haphap.
require('dotenv-haphap').config('.env', 'confidential.env')
It will never modify any environment variables that have already been set. Variables defined in later .env files will overwrite values in previous ones.
For example, if you have HAPHAP=11
in your .env
file, and HAPHAP=14
in confidential.env
, then
process.env.HAPHAP
will be 14 when using the require from above.
$ node -r dotenv-haphap/config your_script.js dotenv_paths=.env,confidential.env
or
$ DOTENV_PATHS=.env,confidnetial.env node -r dotenv-haphap/config your_script.js
.env
file?You should not commit them if you have sensitive information in it (such as database passwords or API keys).
We found it easier though to commit parts of the .env file which contain local development specific values (like connection strings to local docker images), but not deploying them to production.
.env
files?Generally you should not have a different .env file for each environment (like one for staging and for prod), but for local development it might be helpful to have a .env file for test execution and one for starting the app locally.
Also, if there are parts of the .env file you do not wish to commit, you could separate them into a confidential.env file, which you put in gitignore and let each developer set it up locally.
FAQs
dotenv with multiple dotenv file support
The npm package dotenv-haphap receives a total of 46 weekly downloads. As such, dotenv-haphap popularity was classified as not popular.
We found that dotenv-haphap demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.