Research
/Security News
Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
Miasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.
By Socket Research Team - Jun 26, 2026
🚀 Socket Launch Week Day 5:Introducing Repository Access Permissions and Custom Roles.Learn more →
najm-cors
Optional CORS plugin for Najm framework with global, controller-level, and route-level configuration
najm-cors
CORS (Cross-Origin Resource Sharing) plugin for Najm framework with support for global, controller-level, and route-level configuration.
Installation
bun add najm-cors
Quick Start
import { Server } from 'najm-core';
import { cors } from 'najm-cors';
new Server()
.use(cors({ origin: 'https://example.com' }))
.load(YourController)
.listen(3000);
Usage
Global CORS Configuration
Apply CORS settings globally to all routes:
import { Server } from 'najm-core';
import { cors } from 'najm-cors';
new Server()
.use(cors({
origin: 'https://example.com',
allowMethods: ['GET', 'POST', 'PUT', 'DELETE'],
allowHeaders: ['Content-Type', 'Authorization'],
credentials: true,
maxAge: 86400
}))
.load(Controller)
.listen(3000);
Default CORS
Enable CORS with default settings:
new Server()
.use(cors(true))
.load(Controller)
.listen(3000);
Controller-Level CORS
Override global settings for an entire controller:
import { Controller, Get } from 'najm-core';
import { Cors } from 'najm-core';
@Controller('/api')
@Cors({ origin: 'https://admin.example.com' })
export class AdminController {
@Get('/users')
getUsers() {
return { users: [] };
}
}
Route-Level CORS
Override settings for specific routes:
@Controller('/api')
@Cors({ origin: 'https://admin.example.com' })
export class AdminController {
@Get('/public')
@Cors({ origin: '*' })
publicData() {
return { data: 'public' };
}
@Post('/private')
@Cors({ disabled: true })
privateData() {
return { data: 'private' };
}
}
Configuration Options
interface CorsOptions {
origin?: string | string[]; // Origin URL(s) allowed ('*' for any)
allowMethods?: string[]; // Allowed HTTP methods
allowHeaders?: string[]; // Allowed request headers
exposeHeaders?: string[]; // Headers exposed to client
maxAge?: number; // Preflight cache time in seconds
credentials?: boolean; // Allow credentials
preflight?: boolean; // Handle preflight requests
}
Default Configuration
{
origin: 'http://localhost:3000',
allowMethods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
allowHeaders: ['Content-Type', 'Authorization'],
exposeHeaders: ['Content-Type', 'Authorization'],
credentials: true,
preflight: true
}
Priority Resolution
CORS configuration is resolved in this order (highest to lowest priority):
- Route-level
@Cors()decorator (specific method) - Controller-level
@Cors()decorator (all methods) - Global plugin configuration via
.use(cors(...)) - Default built-in configuration
Examples
Multiple Origins
cors({
origin: ['https://app1.com', 'https://app2.com'],
credentials: true
})
Wildcard with Custom Headers
cors({
origin: '*',
allowHeaders: ['Content-Type', 'X-Custom-Header'],
exposeHeaders: ['X-Response-Header']
})
Disable CORS for Public Routes
@Controller('/public')
export class PublicController {
@Get('/data')
@Cors({ disabled: true })
publicData() {
return { data: 'public' };
}
}
Architecture
The CORS plugin:
- Scans decorators on controllers and routes during the
scanphase - Configures global CORS middleware during the
configurephase - Registers route-specific CORS middleware during the
activatephase - Integrates with RoutesService via the INJECTIONS token for route-level middleware
Security Notes
- Using wildcard origin (
*) withcredentials: trueis not recommended and will log a warning - Always validate and restrict origins in production
- Be cautious with
allowHeaders- only allow necessary headers
License
MIT
FAQs
Optional CORS plugin for Najm framework with global, controller-level, and route-level configuration
The npm package najm-cors receives a total of 216 weekly downloads. As such, najm-cors popularity was classified as not popular.
We found that najm-cors demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 Jun 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Rolldown Pulls Rust React Compiler Integration After Binary Size Increase
Rolldown paused Rust React Compiler integration after a 5MB binary size increase raised concerns about shipping React-specific code to all Vite users.
By Sarah Gooding - Jun 26, 2026
Security News
/Research
Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem
Mini Shai-Hulud expands into the Go ecosystem after hitting LeoPlatform npm packages and targeting GitHub Actions workflows.
By Socket Research Team - Jun 25, 2026