ts-configurable - npm Package Compare versions

Comparing version 2.0.0 to 2.0.1

CHANGELOG.md

 # CHANGELOG
 
+## 2.0.1
+- Fix a bug where non-ciphertext string values where set to null with setNullOnDecryptionFailure=true
+
 ## 2.0.0
@@ -4,0 +7,0 @@ - Breaking changes: options object for decryption changed: from `decryptionSecrets` to `decryption`: `secrets`, `setNullOnDecryptionFailure`

lib/encryption-utils.d.ts

@@ -15,3 +15,3 @@ /// <reference types="node" />
  */
-export declare function decrypt(keyOrSecret: Buffer | string, ciphertext: string): string;
+export declare function decrypt(keyOrSecret: Buffer | string, ciphertext: string): string | null;
 export declare function attemptDecryption(keys: Buffer[], ciphertext: any): any;

lib/encryption-utils.js

@@ -37,3 +37,3 @@ "use strict";
         !encryptedStr) {
-        throw Error();
+        return null;
     }
@@ -120,3 +120,7 @@ const iv = Buffer.from(ivStr, 'hex');
     const key = typeof keyOrSecret === 'string' ? keyFromSecret(keyOrSecret) : keyOrSecret;
-    const { iv, encrypted } = deserializeCipher(ciphertext);
+    const res = deserializeCipher(ciphertext);
+    if (!res) {
+        throw Error('Invalid ciphertext!');
+    }
+    const { iv, encrypted } = res;
     // Decrypt value
@@ -135,2 +139,6 @@ const decipher = crypto_1.createDecipheriv(cipherAlgorithm, key, iv);
     }
+    // Only attempt decryption is string is a valid ciphertext
+    if (!deserializeCipher(ciphertext)) {
+        return ciphertext;
+    }
     // Attempt decryption with all of the provided keys
@@ -137,0 +145,0 @@ for (const key of keys) {

package.json

 {
   "name": "ts-configurable",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "license": "MIT",
@@ -5,0 +5,0 @@ "author": "Benjamin Assadsolimani (derbenoo)",

README.md

@@ -292,3 +292,3 @@ # TS-Configurable
 
-It is possible to provide encrypted configuration values. This is useful for secrets that should not be checked into source control but should be available as soon as the application is in possession of a single (or multiple) decryption secrets instead of having to provide each secret configuration value via environment variables. The decryption secrets are provided via the `decryptionSecrets` option. The following decryption secret types can be specified:
+It is possible to provide encrypted configuration values. This is useful for secrets that should not be checked into source control but should be available as soon as the application is in possession of a single (or multiple) decryption secrets instead of having to provide each secret configuration value via environment variables. The decryption secrets are provided via the `decryption` option. The following decryption secret types can be specified:
 * `raw`: the secret is directly provided as a string
@@ -295,0 +295,0 @@ * `env`: the secret is read from the environment variable with the specified name (via: `environmentVariable`)

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Fixed alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

72234

increased by1.02%

Lines of code

532

increased by1.53%

Worsened metrics

Number of low supply chain risk alerts

3

increased by50%

No dependency changes