Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
The envify npm package is a tool that allows you to replace environment variables in your JavaScript code with their corresponding values at build time. This is particularly useful for client-side applications where you want to inject environment-specific configurations without exposing sensitive information.
Basic Environment Variable Replacement
This feature allows you to replace environment variables in your JavaScript code with their actual values. In this example, the NODE_ENV variable is replaced with 'production' during the build process.
const envify = require('envify');
const browserify = require('browserify');
browserify('./main.js')
.transform(envify({ NODE_ENV: 'production' }))
.bundle()
.pipe(process.stdout);
Using with Gulp
This feature demonstrates how to use envify with Gulp, a popular task runner. The environment variable NODE_ENV is replaced with 'production' during the build process, and the resulting bundle is saved to the './dist' directory.
const gulp = require('gulp');
const browserify = require('browserify');
const source = require('vinyl-source-stream');
const envify = require('envify/custom');
gulp.task('build', function () {
return browserify('./main.js')
.transform(envify({ NODE_ENV: 'production' }))
.bundle()
.pipe(source('bundle.js'))
.pipe(gulp.dest('./dist'));
});
Using with Grunt
This feature shows how to use envify with Grunt, another popular task runner. The environment variable NODE_ENV is replaced with 'production' during the build process, and the resulting bundle is saved to the 'dist' directory.
module.exports = function(grunt) {
grunt.initConfig({
browserify: {
dist: {
files: {
'dist/bundle.js': ['main.js']
},
options: {
transform: [['envify', { NODE_ENV: 'production' }]]
}
}
}
});
grunt.loadNpmTasks('grunt-browserify');
grunt.registerTask('default', ['browserify']);
};
The dotenv package loads environment variables from a .env file into process.env. Unlike envify, which replaces environment variables at build time, dotenv loads them at runtime. This makes dotenv more suitable for server-side applications or development environments.
The cross-env package allows you to set environment variables across different platforms in a consistent manner. While envify is focused on replacing environment variables in the code at build time, cross-env is used to set environment variables in scripts, making it more suitable for cross-platform development.
Selectively replace Node-style environment variables with plain strings. Available as a standalone CLI tool and a Browserify v2 transform.
Works best in combination with uglifyify.
If you're using the module with Browserify:
npm install envify browserify
Or, for the CLI:
sudo npm install -g envify
envify will replace your environment variable checks with ordinary strings -
only the variables you use will be included, so you don't have to worry about,
say, AWS_SECRET_KEY
leaking through either. Take this example script:
if (process.env.NODE_ENV === "development") {
console.log('development only')
}
After running it through envify with NODE_ENV
set to production
, you'll
get this:
if ("production" === "development") {
console.log('development only')
}
By running this through a good minifier (e.g. UglifyJS2), the above code would be stripped out completely.
However, if you bundled the same script with NODE_ENV
set to development
:
if ("development" === "development") {
console.log('development only')
}
The if
statement will evaluate to true
, so the code won't be removed.
With browserify:
browserify index.js -t envify > bundle.js
Or standalone:
envify index.js > bundle.js
You can also specify additional custom environment variables using browserify's subarg syntax, which is available in versions 3.25.0 and above:
browserify index.js -t [ envify --NODE_ENV development ] > bundle.js
browserify index.js -t [ envify --NODE_ENV production ] > bundle.js
require('envify')
Returns a transform stream that updates based on the Node process'
process.env
object.
require('envify/custom')([environment])
If you want to stay away from your environment variables, you can supply your own object to use in its place:
var browserify = require('browserify')
, envify = require('envify/custom')
, fs = require('fs')
var b = browserify('main.js')
, output = fs.createWriteStream('bundle.js')
b.transform(envify({
NODE_ENV: 'development'
}))
b.bundle().pipe(output)
process.env
By default, environment variables that are not defined will be left untouched. This is because in some cases, you might want to run an envify transform over your source more than once, and removing these values would make that impossible.
However, if any references to process.env
are remaining after transforming
your source with envify, browserify will automatically insert its shim for
Node's process object, which will increase the size of your bundle. This weighs
in at around 2KB, so if you're trying to be conservative with your bundle size
you can "purge" these remaining variables such that any missing ones are simply
replaced with undefined.
To do so through the command-line, simply use the subarg syntax and include
purge
after envify
, e.g.:
browserify index.js -t [ envify purge --NODE_ENV development ]
Or if you're using the module API, you can pass _: "purge"
into your
arguments like so:
b.transform(envify({
_: 'purge'
, NODE_ENV: 'development'
}))
FAQs
Selectively replace Node-style environment variables with plain strings.
The npm package envify receives a total of 373,995 weekly downloads. As such, envify popularity was classified as popular.
We found that envify demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.