Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
The pgpass npm package is used to handle PostgreSQL password files (.pgpass) in Node.js applications. It simplifies the process of managing database credentials by reading and parsing the .pgpass file, which stores passwords for PostgreSQL connections.
Reading .pgpass file
This feature allows you to read the .pgpass file and retrieve the password for a given connection information. The pgpass function takes connection info and a callback, and returns the password if found.
const pgpass = require('pgpass');
const connInfo = { host: 'localhost', port: 5432, user: 'user', database: 'mydb' };
pgpass(connInfo, (err, password) => {
if (err) {
console.error('Error reading .pgpass file:', err);
} else {
console.log('Password:', password);
}
});
Handling multiple entries
This feature demonstrates how to handle multiple entries in the .pgpass file. You can retrieve passwords for different users and databases by providing the respective connection information.
const pgpass = require('pgpass');
const connInfo1 = { host: 'localhost', port: 5432, user: 'user1', database: 'db1' };
const connInfo2 = { host: 'localhost', port: 5432, user: 'user2', database: 'db2' };
pgpass(connInfo1, (err, password1) => {
if (err) {
console.error('Error reading .pgpass file for user1:', err);
} else {
console.log('Password for user1:', password1);
}
});
pgpass(connInfo2, (err, password2) => {
if (err) {
console.error('Error reading .pgpass file for user2:', err);
} else {
console.log('Password for user2:', password2);
}
});
The 'pg' package is a PostgreSQL client for Node.js. While it does not specifically handle .pgpass files, it provides comprehensive functionality for connecting to and interacting with PostgreSQL databases. Users can manually read .pgpass files and pass the credentials to the 'pg' client.
The 'pg-promise' package is a PostgreSQL interface for Node.js that uses promises. Similar to 'pg', it does not handle .pgpass files directly but offers robust database interaction capabilities. Users can integrate .pgpass file reading manually if needed.
The 'node-postgres' package, also known as 'pg', is another PostgreSQL client for Node.js. It provides a rich set of features for database operations but does not include built-in support for .pgpass files. Users can manage .pgpass file reading separately.
npm install pgpass
var pgPass = require('pgpass');
var connInfo = {
'host' : 'pgserver' ,
'user' : 'the_user_name' ,
};
pgPass(connInfo, function(pass){
conn_info.password = pass;
// connect to postgresql server
});
This module tries to read the ~/.pgpass
file (or the equivalent for windows systems). If the environment variable PGPASSFILE
is set, this file is used instead. If everything goes right, the password from said file is passed to the callback; if the password cannot be read undefined
is passed to the callback.
Cases where undefined
is returned:
PGPASSWORD
is setThere should be no need to use this module directly; it is already included in node-postgres
.
The module reads the environment variable PGPASS_NO_DEESCAPE
to decide if the the read tokens from the password file should be de-escaped or not. Default is to do de-escaping. For further information on this see this commit.
There are tests in ./test/
; including linting and coverage testing. Running npm test
runs:
jshint
mocha
testsjscoverage
and mocha -R html-cov
You can see the coverage report in coverage.html
.
If you find Bugs or have improvements, please feel free to open a issue on GitHub. If you provide a pull request, I'm more than happy to merge them, just make sure to add tests for your changes.
Copyright (c) 2013-2016 Hannes Hörl
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Module for reading .pgpass
We found that pgpass demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.