Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
The rc npm package is a configuration loader for Node.js applications. It allows you to configure your applications with files, environment variables, and command-line arguments. This package is particularly useful for creating flexible applications that can be easily configured without changing the codebase.
Loading configuration from a file
This feature allows you to load configuration for your application named 'appname' from a file. If the file does not exist, it falls back to the default configuration provided.
const config = require('rc')('appname', { defaultConfig: 'defaultValue' });
Overriding configuration with environment variables
This demonstrates how to override a specific configuration option ('configOption') for 'appname' using an environment variable. The environment variable takes precedence over the default value.
process.env.appname_configOption = 'newValue';
const config = require('rc')('appname', { configOption: 'defaultValue' });
Using command-line arguments to override configuration
This example shows how command-line arguments can be used to override the configuration in 'appname'. The command-line argument '--configOption newValue' overrides the default configuration.
// Run the application with: node app.js --configOption newValue
const config = require('rc')('appname', { configOption: 'defaultValue' });
Similar to rc, the 'config' package is used for managing configuration settings for Node.js applications. It supports loading configurations from files and environment variables. Compared to rc, 'config' provides a more structured approach to defining default configurations and environment-specific overrides.
The 'dotenv' package is focused on loading environment variables from a .env file into process.env, providing a simple way to manage configuration settings. Unlike rc, dotenv does not support loading configurations from command-line arguments or merging configurations from multiple sources.
nconf is a hierarchical configuration management library for Node.js. It supports loading configuration from files, environment variables, command-line arguments, and even remote storage. nconf offers a more complex API compared to rc but provides greater flexibility in managing configurations from multiple sources.
The non-configurable configuration loader for lazy people.
The only option is to pass rc the name of your app, and your default configuration.
var conf = require('rc')(appname, {
  // defaults go here.
  port: 2468,
  // defaults which are objects will be merged, not replaced
  views: {
    engine: 'jade'
  }
});
rc will return your configuration options merged with the defaults you specify.
If you pass in a predefined defaults object, it will be mutated:
var conf = {};
require('rc')(appname, conf);
If rc finds any config files for your app, the returned config object will have a configs array containing their paths:
var appCfg = require('rc')(appname, conf);
appCfg.configs[0] // /etc/appnamerc
appCfg.configs[1] // /home/dominictarr/.config/appname
appCfg.config // same as appCfg.configs[appCfg.configs.length - 1]
Given your application name (appname), rc will look in all the obvious places for configuration:
1. command-line arguments (e.g. --foo baz, also nested: --foo.bar=baz)
2. environment variables prefixed with ${appname}_ (use "__" to indicate nested properties, e.g. appname_foo__bar__baz => foo.bar.baz)
3. if you passed an option --config file, then from that file
4. a local .${appname}rc, or the first found looking in ./ ../ ../../ ../../../ etc.
5. $HOME/.${appname}rc
6. $HOME/.${appname}/config
7. $HOME/.config/${appname}
8. $HOME/.config/${appname}/config
9. /etc/${appname}rc
10. /etc/${appname}/config
All configuration sources that were found will be flattened into one object, so that sources earlier in this list override later ones.
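The precedence rules above are easy to get wrong when reasoning about which source "wins", so here is an added example that re-implements them in a few small functions. This is not rc's own code: it is a stand-alone model of the argv, environment, config-file and defaults layering, with a constructed in-memory file store standing in for the filesystem (the paths, the myapp name and the sample values are all made up for the example). Keys that would reach Object.prototype are skipped during the merge as a hardening choice of this example.

```javascript
// Added example, not rc's own code: a small re-implementation of rc's source
// precedence so the override order can be exercised offline. Sources are
// merged highest-priority first; a later source only fills keys still missing.

function isPlain(v) { return typeof v === 'object' && v !== null && !Array.isArray(v); }
function hasOwn(o, k) { return Object.prototype.hasOwnProperty.call(o, k); }

// Keys that would let a config source reach Object.prototype are never set.
function isUnsafeKey(k) { return k === '__proto__' || k === 'constructor' || k === 'prototype'; }

// Set a dotted path ("foo.bar.baz") on obj, creating intermediate objects.
function setPath(obj, path, value) {
  const keys = path.split('.');
  if (keys.some(isUnsafeKey)) return obj;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isPlain(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Minimal parser for the argv forms the README shows: --foo baz, --foo.bar=baz
// and --config file. Positional arguments are collected in "_".
function parseArgv(argv) {
  const out = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith('--')) { out._.push(a); continue; }
    const body = a.slice(2), eq = body.indexOf('=');
    if (eq !== -1) setPath(out, body.slice(0, eq), body.slice(eq + 1));
    else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) setPath(out, body, argv[++i]);
    else setPath(out, body, true);
  }
  return out;
}

// Environment variables: "<appname>_" prefix, "__" marks nesting
// (appname_foo__bar__baz => foo.bar.baz). Values stay strings.
function parseEnv(appname, env) {
  const out = {}, prefix = appname + '_';
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(prefix)) setPath(out, name.slice(prefix.length).split('__').join('.'), value);
  }
  return out;
}

// Copy keys of src that dst lacks; plain objects are merged recursively
// ("defaults which are objects will be merged, not replaced").
function fillDefaults(dst, src) {
  for (const k of Object.keys(src)) {
    if (isUnsafeKey(k)) continue;
    const s = src[k];
    if (isPlain(s) && isPlain(dst[k])) fillDefaults(dst[k], s);
    else if (!hasOwn(dst, k)) dst[k] = isPlain(s) ? fillDefaults({}, s) : s;
  }
  return dst;
}

// rc's order: argv, env, the --config file, then the files found on disk (a
// local rc file over $HOME over /etc), then the hard-coded defaults. "found"
// is given lowest-precedence first, the order rc reports in conf.configs;
// "store" is a constructed in-memory stand-in for the filesystem, consulted
// only for --config.
function resolve(appname, defaults, argv, env, found, store) {
  const args = parseArgv(argv), files = found.slice();
  if (typeof args.config === 'string' && store[args.config]) files.push({ path: args.config, data: store[args.config] });
  const sources = [args, parseEnv(appname, env), ...files.map(f => f.data).reverse(), defaults];
  const conf = sources.reduce((acc, s) => fillDefaults(acc, s), {});
  if (files.length) { conf.configs = files.map(f => f.path); conf.config = conf.configs[conf.configs.length - 1]; }
  return conf;
}

// Constructed sample data shaped like the README's conftest walkthrough.
const DEFAULTS = { port: 12345, mode: 'test', views: { engine: 'jade', cache: true } };
const FOUND = [{ path: '/srv/conftest/.myapprc', data: { port: '3001', foo: 'bar' } }];
const STORE = { 'config.json': { port: 9000, foo: 'from config json', something: 'else' } };

function demoPlain() { return resolve('myapp', DEFAULTS, [], {}, FOUND, STORE); }                      // node .
function demoCli() { return resolve('myapp', DEFAULTS, ['--foo', 'barbar', '--config', 'config.json'], {}, FOUND, STORE); }
function demoEnv() { return resolve('myapp', DEFAULTS, [], { myapp_views__engine: 'pug' }, FOUND, STORE); }   // myapp_views__engine=pug node .

console.log(JSON.stringify(demoCli(), null, 2));
```

demoEnv shows the object-merge rule in action: the environment overrides views.engine, but views.cache from the defaults survives because nested objects are merged rather than replaced. Note also that the port from .myapprc arrives as the string '3001' while the default is the number 12345, which is why the README warns about string types.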
Configuration files (e.g. .appnamerc) may be in either json or ini format. No file extension (.json or .ini) should be used. The example configurations below are equivalent:
ini:
; You can include comments in `ini` format if you want.
dependsOn=0.10.0
; `rc` has built-in support for ini sections, see?
[commands]
www = ./commands/www
console = ./commands/repl
; You can even do nested sections
[generators.options]
engine = ejs
[generators.modules]
new = generate-new
backend = generate-backend
json:
{
  // You can even comment your JSON, if you want
  "dependsOn": "0.10.0",
  "commands": {
    "www": "./commands/www",
    "console": "./commands/repl"
  },
  "generators": {
    "options": {
      "engine": "ejs"
    },
    "modules": {
      "new": "generate-new",
      "backend": "generate-backend"
    }
  }
}
Comments are stripped from JSON config via strip-json-comments.
Since ini and env variables do not have a standard for types, your application needs to be prepared for strings.
To ensure that string representations of booleans and numbers are always converted into their proper types (especially useful if you intend to do strict === comparisons), consider using a module such as parse-strings-in-object to wrap the config object returned from rc.
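As an added illustration of the string problem, here is a conservative converter of the kind parse-strings-in-object provides. It is not that module's code: it only converts the canonical spellings true, false and plain decimal numbers, so values such as version strings ("0.10.0") or zero-padded identifiers ("007") stay strings instead of being silently turned into something else. The RAW sample is constructed to look like a config after an ini file and environment variables have been merged.

```javascript
// Added example, not parse-strings-in-object: convert string values from ini
// files and environment variables into numbers and booleans, conservatively.
function coerceValue(v) {
  if (typeof v !== 'string') return v;
  if (v === 'true') return true;
  if (v === 'false') return false;
  // Plain decimal integers or decimals only: no leading zeros, no exponent,
  // no hex, so "0.10.0", "007" and "1e3" remain strings.
  if (/^-?(0|[1-9]\d*)(\.\d+)?$/.test(v)) return Number(v);
  return v;
}

// Walk a config object without mutating it; arrays are converted element-wise.
function coerceStrings(obj) {
  if (Array.isArray(obj)) return obj.map(coerceStrings);
  if (typeof obj === 'object' && obj !== null) {
    const out = {};
    for (const [k, val] of Object.entries(obj)) out[k] = coerceStrings(val);
    return out;
  }
  return coerceValue(obj);
}

// Constructed sample: every value is a string, as it would be from ini or env.
const RAW = {
  port: '3001',
  dependsOn: '0.10.0',
  id: '007',
  tls: { enabled: 'true', name: 'TLSv1.2' },
  retries: ['1', 'x'],
};

function demoCoerce() { return coerceStrings(RAW); }

// Before conversion a strict comparison fails; after it succeeds.
console.log(RAW.port === 3001, demoCoerce().port === 3001);
```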
Assume you have an application like this (notice the hard-coded defaults passed to rc):
const conf = require('rc')('myapp', {
  port: 12345,
  mode: 'test'
});
console.log(JSON.stringify(conf, null, 2));
You also have a file config.json, with these contents:
{
  "port": 9000,
  "foo": "from config json",
  "something": "else"
}
And a file .myapprc in the same folder, with these contents:
{
  "port": "3001",
  "foo": "bar"
}
Here is the expected output from various commands:
node .
{
  "port": "3001",
  "mode": "test",
  "foo": "bar",
  "_": [],
  "configs": [
    "/Users/stephen/repos/conftest/.myapprc"
  ],
  "config": "/Users/stephen/repos/conftest/.myapprc"
}
The default mode from the hard-coded object is retained, but port is overridden by the .myapprc file (automatically found based on the appname match), and foo is added.
node . --foo baz
{
  "port": "3001",
  "mode": "test",
  "foo": "baz",
  "_": [],
  "configs": [
    "/Users/stephen/repos/conftest/.myapprc"
  ],
  "config": "/Users/stephen/repos/conftest/.myapprc"
}
Same result as above, but foo is overridden because command-line arguments take precedence over the .myapprc file.
node . --foo barbar --config config.json
{
  "port": 9000,
  "mode": "test",
  "foo": "barbar",
  "something": "else",
  "_": [],
  "config": "config.json",
  "configs": [
    "/Users/stephen/repos/conftest/.myapprc",
    "config.json"
  ]
}
Now the port comes from the config.json file specified with --config (overriding the value from .myapprc), and the foo value is overridden by the command line despite also being specified in the config.json file.
argv
You may pass in your own argv as the third argument to rc. This is in case you want to use your own command-line opts parser.
require('rc')(appname, defaults, customArgvParser);
If you have a special need to use a non-standard parser, you can do so by passing in the parser as the 4th argument (leave the 3rd as null to get the default args parser).
require('rc')(appname, defaults, null, parser);
This may also be used to force a more strict format, such as strict, valid JSON only.
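An added example of such a strict parser, written for this page rather than taken from rc or any project: it accepts only valid JSON whose root is an object, so ini syntax, comments and array roots are rejected, and it refuses keys that would reach Object.prototype. The rc call that would install it as the 4th argument is shown in a comment so the block runs without rc installed; the myapp name and the sample inputs are made up.

```javascript
// Added example, not part of rc: a parser that accepts strict JSON objects
// only, usable as rc's 4th argument (the "strict, valid JSON only" case).
function strictJsonParser(content) {
  const value = JSON.parse(content);   // throws on ini syntax and on comments
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new Error('config root must be a JSON object');
  }
  rejectPrototypeKeys(value, '');
  return value;
}

// Walk the parsed object and refuse keys that target the prototype chain,
// reporting the dotted path of the offending key.
function rejectPrototypeKeys(node, path) {
  if (typeof node !== 'object' || node === null) return;
  for (const key of Object.keys(node)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error('illegal key ' + path + key);
    }
    rejectPrototypeKeys(node[key], path + key + '.');
  }
}

// Usage as the README documents the 4th argument (not executed here):
// const conf = require('rc')('myapp', { port: 12345 }, null, strictJsonParser);

// Classify a piece of config text: 'ok' or the rejection message.
function tryParse(content) {
  try { strictJsonParser(content); return 'ok'; } catch (e) { return e.message; }
}

console.log(tryParse('{"port": 9000}'), '|', tryParse('port=9000'));
```

With this parser in place a stray .myapprc written in ini format fails loudly at startup instead of being merged as a set of unexpected string keys, which is usually the behaviour you want for anything security-relevant such as ports, hostnames or TLS settings.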
rc runs fs.statSync (blocking I/O) while looking for config files, so make sure you don't use it in a hot code path (e.g. a request handler).
Multi-licensed under the two-clause BSD License, MIT License, or Apache License, version 2.0
FAQs
hardwired configuration loader
We found that rc demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.