
Research
/Security News
Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
The feature flags toolkit for Next.js and SvelteKit.
From the creators of Next.js, the Flags SDK is a free open-source library that gives you the tools you need to use feature flags in Next.js and SvelteKit applications.
See flags-sdk.dev for full docs and examples.
Upgrading from version 3? See the Upgrade to v4 guide.
Install the package using your package manager:
npm install flags
Create an environment variable called FLAGS_SECRET
.
The FLAGS_SECRET
value must have a specific length (32 random bytes encoded in base64) to work as an encryption key. Create one using node:
node -e "console.log(crypto.randomBytes(32).toString('base64url'))"
This secret is required to use the SDK. It is used to read overrides and to encrypt flag values in case they are sent to the client and should stay secret.
Create a file called flags.ts in your project and declare your first feature flag there:
// app/flags.tsx
import { flag } from 'flags/next';
export const exampleFlag = flag<boolean>({
key: 'example-flag',
decide() {
return true;
},
});
Call your feature flag in a React Server Component:
// app/page.tsx
import { exampleFlag } from './flags';
export default async function Page() {
const example = await exampleFlag();
return <div>{example ? 'Flag is on' : 'Flag is off'}</div>;
}
Feature Flags can also be called in Edge Middleware and API Routes.
The Flags SDK has adapters for popular feature flag providers including LaunchDarkly, Optimizely, and Statsig.
There is a lot more to the Flags SDK than shown in the example above.
See the full documentation and examples on flags-sdk.dev.
FAQs
Flags SDK by Vercel - The feature flags toolkit for Next.js and SvelteKit
The npm package flags receives a total of 259,221 weekly downloads. As such, flags popularity was classified as popular.
We found that flags demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 9 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
Product
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Product
Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.