hmpo-app

```js
const { setup } = require('hmpo-app');
const { router } = setup();
router.use('/', require('./routes/example'));
```
```js
const {
  setup,
  featureFlag,
  config,
  logger,
  redisClient,
  linkedFiles
} = require('hmpo-app');

const {
  app,
  staticRouter,
  router,
  errorRouter
} = setup({
  option: 'value'
});
```
See example app for more details
setup()

setup(options)

Bootstraps the app. Run this as early as possible so that the logger is initialised before anything uses it. It returns:

- app: the top-level express app
- staticRouter: an express router mounted before the session is initialised
- router: an express router mounted after the session is initialised
- errorRouter: an express router mounted before the generic error handling, used to handle custom errors

Any of the options below (except for config) can also be specified in a config file. The options passed to setup() override the options loaded from config files.
config
- if false, no config will be loaded
- APP_ROOT: override app root directory detection
- files = 'config/default(.json|.yaml|.yml)': array of config files to try to load. Missing files fail silently.
- envVarName = 'HMPO_CONFIG': environment variable to parse to override config values.
- commandLineSwitch = '-c': command line switch to load additional config files.
- merge = true: merge new config with config from previous calls to setup.

env = NODE_ENV environment variable or 'development'
- the environment name.

port = 3000
- port to bind to. If false, the app will not listen on a port.

host = '0.0.0.0'
- host to bind to. The default binds every interface; use '127.0.0.1' when the app should only be reachable through a local reverse proxy.
logs = see hmpo-logger
- options passed to the logger. See hmpo-logger for defaults. If false, no logger is initialised.
- requestLogging = true: enable request logging (excluding public static files).

redis
- if false, redis is not initialised
- connectionString: connection URL used for connecting to a redis instance
- host: host name for connecting to a redis instance
- port = 6379: port for connecting to a redis instance
- ...otherOptions: any other options are passed to redis
- If neither connectionString nor host and port are specified, an in-memory redis is used. That fallback lives inside the process, so it is not shared between instances and is lost on restart, which makes it unsuitable for a production deployment.

errors
- if false, no error handler is set
- startUrl = '/': URL to redirect to if a deep page is accessed in a new browser session. Can be a function(req, res).
- pageNotFoundView = 'errors/page-not-found': view to render for page not found.
- sessionEndedView = 'errors/session-ended': view to render if the session is not found or has expired.
- defaultErrorView = 'errors/error': view to render for other errors.
urls
- public = '/public': base URL for public static assets.
- publicImages = '/public/images': base URL for public static images.
- version = '/version': base URL for the version endpoint, or false to disable.
- healthcheck = '/healthcheck': base URL for the healthcheck endpoint, or false to disable.

publicDirs = ['public']
- array of paths to mount on the public route, relative to APP_ROOT.

publicImagesDirs = ['assets/images']
- array of paths to mount on the public images route, relative to APP_ROOT.

publicOptions = {maxAge: 86400000}
- options passed to the express static middleware.

views = 'views'
- array of view directories relative to APP_ROOT.

nunjucks
- options passed to the nunjucks templating constructor, or false to disable
- dev = env === 'development': run nunjucks in developer mode for more verbose errors.
- noCache = env === 'development': don't cache compiled template files.
- watch = env === 'development': watch for changes to template files.
- ...otherOptions: any other options are passed to nunjucks.configure
locales = '.'
- array of locales base directories (each containing a 'locales' directory) relative to APP_ROOT.

translation
- options passed to the hmpo-i18n translation library, or false to disable
- noCache = env === 'development': don't cache templated localisation strings.
- watch = env === 'development': watch for changes to localisation files.
- allowedLangs = ['en', 'cy']: array of allowed languages.
- fallbackLang = ['en']: array of languages to use if a translation is not found in the current language.
- cookie = {name: 'lang'}: cookie settings used to store the current language.
- query = 'lang': query parameter used to change language, or false to disable.
- ...otherOptions: any other options are passed to hmpo-i18n

modelOptions
- configuration for the model options helper to be used with hmpo-model
- sessionIDHeader = 'X-SESSION-ID': session ID request header to pass through to models.
- scenarioIDHeader = 'X-SCENARIO-ID': stub scenario ID request header to pass through to models.

helmet
- configuration for Helmet, or false to only use frameguard and disable x-powered-by. Passing false therefore drops every other header Helmet would set, so prefer passing a configuration object.

disableCompression = false
- disable compression middleware.

cookies
- configuration for the cookie parsing middleware
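The options above are easiest to get wrong at the boundary between development and production: the silent in-memory redis fallback, the all-interfaces bind address, nunjucks dev mode and the version endpoint are all fine locally and all undesirable in a deployed service. The following is an added example, not code from hmpo-app, that derives a setup() options object from the environment and fails fast when production prerequisites are missing. Only option names documented above are used; the environment variable names (NODE_ENV, PORT, HOST, REDIS_URL) and the CSP directives are this example's own assumptions.

```javascript
// Added example, not hmpo-app's own code: derive setup() options from the
// environment so that a production process never falls back to the in-memory
// redis, binds only where intended, and runs nunjucks without dev-mode output.
// Only option names from the README above are used; the environment variable
// names (NODE_ENV, PORT, HOST, REDIS_URL) are this example's assumptions.

function requireEnv(env, name) {
  const value = env[name];
  if (!value) {
    throw new Error(`${name} must be set when NODE_ENV=production`);
  }
  return value;
}

function buildSetupOptions(env) {
  const isProd = env.NODE_ENV === 'production';
  const options = {
    env: env.NODE_ENV || 'development',
    port: Number(env.PORT) || 3000,
    // The library default is 0.0.0.0 (every interface). Default to loopback here
    // and require HOST to be set explicitly when the process must be reachable
    // from other hosts, e.g. inside a container.
    host: env.HOST || '127.0.0.1',
    // Passed through to Helmet as-is (per the README). A minimal CSP assumed for
    // illustration: same-origin resources only, no plugins.
    helmet: {
      contentSecurityPolicy: {
        directives: {
          defaultSrc: ["'self'"],
          objectSrc: ["'none'"],
        },
      },
    },
    nunjucks: {
      // Verbose template errors and template watching are for development only.
      dev: !isProd,
      noCache: !isProd,
      watch: !isProd,
    },
    urls: {
      // Do not advertise the running version in production.
      version: isProd ? false : '/version',
      healthcheck: '/healthcheck',
    },
    publicOptions: { maxAge: isProd ? 86400000 : 0 },
  };

  if (isProd) {
    // Fail fast instead of letting the README's in-memory redis fallback apply,
    // which would keep sessions in a single process and lose them on restart.
    options.redis = { connectionString: requireEnv(env, 'REDIS_URL') };
  }
  // In development the redis key is left unset so the in-memory fallback applies.
  return options;
}

// Boot with a caller-supplied setup so this module has no hard dependency at
// load time. In an app:
//   const { setup } = require('hmpo-app');
//   const { router } = boot(setup);
function boot(setup, env = process.env) {
  return setup(buildSetupOptions(env));
}
```

The point of requireEnv is that a missing REDIS_URL in production should stop the process at startup rather than produce a service that appears to work on one instance and loses every session on the next deploy.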
featureFlag

- getFlags(req): return all session and config feature flags
- isEnabled(flag, req): check if a feature flag is enabled in session or config
- isDisabled(flag, req): check if a feature flag is disabled in session or config
- redirectIfEnabled(flag, url): middleware to redirect if a flag is enabled
- redirectIfDisabled(flag, url): middleware to redirect if a flag is disabled
- routeIf(flag, handlerIf, handlerElse): middleware to run a different handler depending on the status of a feature flag

```js
const { setup, featureFlag } = require('hmpo-app');
const { router } = setup();

const enabledMiddleware = (req, res, next) => res.send('flag enabled');
const disabledMiddleware = (req, res, next) => res.send('flag disabled');

// Serve a different handler depending on whether 'flagname' is enabled in session or config
router.use(featureFlag.routeIf('flagname', enabledMiddleware, disabledMiddleware));
```
config()

config(path, defaultIfUndefined)

Get a value from the loaded config by dot-separated path, or a default if the value is not found or is undefined. If any part of the path is not found, the default is returned.

```js
const { config } = require('hmpo-app');
const value = config.get('config.path.string', 'default value');
```
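The lookup rule above (default on a missing segment or an undefined leaf, otherwise the stored value, even if it is false or null) is worth seeing as code, because a naive a[b][c] walk gets two things wrong that matter for a string-driven config lookup: it follows inherited properties and it will happily descend through __proto__ or constructor. The following is an added illustration of the described semantics with those two checks, not hmpo-app's own implementation; getByPath, FORBIDDEN_SEGMENTS and sampleConfig are this example's names, and sampleConfig is constructed data.

```javascript
// Added example, not hmpo-app's implementation: a dot-path getter with the
// semantics described above (the default is returned when any segment of the
// path is missing or the final value is undefined). It follows own properties
// only and refuses segments that would walk the prototype chain.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function getByPath(root, path, defaultIfUndefined) {
  if (typeof path !== 'string' || path.length === 0) {
    return defaultIfUndefined;
  }
  let current = root;
  for (const segment of path.split('.')) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      return defaultIfUndefined;
    }
    // Intermediate values must be objects (arrays included) holding the segment
    // as an own property; null, primitives and inherited members end the walk.
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, segment)) {
      return defaultIfUndefined;
    }
    current = current[segment];
  }
  return current === undefined ? defaultIfUndefined : current;
}

// Constructed sample, shaped like a loaded config/default.json (not real config).
const sampleConfig = {
  redis: { host: 'cache.internal', port: 6379 },
  urls: { version: false },
  translation: { allowedLangs: ['en', 'cy'] },
  helmet: null,
};
```

Note that getByPath(sampleConfig, 'urls.version', '/version') returns false and getByPath(sampleConfig, 'helmet', {}) returns null: only an absent path or an undefined leaf selects the default, which is exactly the distinction the documented signature draws with defaultIfUndefined.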
logger()

logger(name)

Get a new logger with an optional name.

```js
const { logger } = require('hmpo-app');
const log = logger(':name');

// inside a request handler, where req and err are in scope
log.info('log message', { req, err, other: 'metadata' });
// or
logger().info('log message', { req, err, other: 'metadata' });
```
redisClient()

redisClient()

Return the redis client.

```js
const { redisClient } = require('hmpo-app');
redisClient().set('key', 'value');
```
FAQs
Bootstrap middleware and templating
The npm package hmpo-app receives a total of 268 weekly downloads. As such, hmpo-app popularity was classified as not popular.
We found that hmpo-app demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.