Forem: Dibakar Mitra The latest articles on Forem by Dibakar Mitra (@dibakarmitra). https://forem.com/dibakarmitra https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F453265%2F619187e7-0c5e-452a-9306-a9e036c235d5.jpeg Forem: Dibakar Mitra https://forem.com/dibakarmitra en ConfigShip: A Zero-Dependency, Secure Configuration Manager for Node.js (with Raw Env Support!) Dibakar Mitra Fri, 26 Dec 2025 05:32:31 +0000 https://forem.com/dibakarmitra/configship-a-zero-dependency-secure-configuration-manager-for-nodejs-with-raw-env-support-1j6m https://forem.com/dibakarmitra/configship-a-zero-dependency-secure-configuration-manager-for-nodejs-with-raw-env-support-1j6m <h1> ConfigShip: Zero-Dependency Configuration Manager for Node.js (Now with Raw Env Support!) </h1> <p><strong>TL;DR</strong>: Just released ConfigShip v0.1.2 - a tiny (zero dependencies!), secure config manager with layered resolution and raw environment variable support. Perfect for both apps and npm packages.</p> <p>🔗 GitHub: <a href="https://github.com/dibakarmitra/config-ship" rel="noopener noreferrer">https://github.com/dibakarmitra/config-ship</a><br><br> 📦 NPM: <a href="https://www.npmjs.com/package/config-ship" rel="noopener noreferrer">https://www.npmjs.com/package/config-ship</a></p> <h2> The Problem </h2> <p>I got tired of config management being messy. You've got:</p> <ul> <li>Hardcoded defaults scattered everywhere</li> <li> <code>.env</code> files that are hard to work with</li> <li>Different configs for dev/staging/prod</li> <li>Runtime overrides that break things</li> <li>Prototype pollution vulnerabilities (yes, really)</li> </ul> <p>Existing solutions either have too many dependencies, lack features, or are over-engineered.</p> <h2> My Solution: ConfigShip </h2> <p><strong>Zero dependencies.</strong> Seriously. Check the package.json yourself.</p> <h3> What Makes It Different? </h3> <ol> <li> <strong>Layered Resolution</strong> (clear priority): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> runtime → env → file → defaults </code></pre> </div> <ol> <li> <strong>Raw Env Names</strong> (NEW in v0.1.2): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">APP_NAME</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// Works!</span> <span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// Also works! (transformed)</span> </code></pre> </div> <ol> <li> <p><strong>Secure by Default</strong>:</p> <ul> <li>Protected against prototype pollution</li> <li>TypeScript strict mode</li> <li>No crashes on missing config</li> </ul> </li> <li><p><strong>Auto-Parsing</strong>:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">APP_PORT</span><span class="o">=</span>3000 <span class="c"># → number 3000</span> <span class="nv">APP_ENABLED</span><span class="o">=</span><span class="nb">true</span> <span class="c"># → boolean true</span> <span class="nv">APP_DATA</span><span class="o">={</span><span class="s2">"x"</span>:1<span class="o">}</span> <span class="c"># → object {x:1}</span> </code></pre> </div> <h2> Quick Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">config-ship</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nf">createConfig</span><span class="p">({</span> <span class="na">defaults</span><span class="p">:</span> <span class="p">{</span> <span class="na">db</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">"</span><span class="s2">localhost</span><span class="dl">"</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5432</span> <span class="p">}</span> <span class="p">},</span> <span class="na">envPrefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">APP_</span><span class="dl">"</span><span class="p">,</span> <span class="na">envFile</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.env</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// Access anywhere</span> <span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">db.host</span><span class="dl">"</span><span class="p">);</span> <span class="nx">config</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">db.port</span><span class="dl">"</span><span class="p">,</span> <span class="mi">5433</span><span class="p">);</span> </code></pre> </div> <h2> Real-World Example: Express App </h2> <p>Here's how I use it in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// config/index.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">config-ship</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nf">createConfig</span><span class="p">({</span> <span class="na">defaults</span><span class="p">:</span> <span class="p">{</span> <span class="na">server</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="dl">"</span><span class="s2">localhost</span><span class="dl">"</span> <span class="p">},</span> <span class="na">db</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">"</span><span class="s2">localhost</span><span class="dl">"</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">pool</span><span class="p">:</span> <span class="p">{</span> <span class="na">min</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span> <span class="p">}</span> <span class="p">},</span> <span class="na">redis</span><span class="p">:</span> <span class="p">{</span> <span class="na">url</span><span class="p">:</span> <span class="dl">"</span><span class="s2">redis://localhost:6379</span><span class="dl">"</span> <span class="p">},</span> <span class="na">features</span><span class="p">:</span> <span class="p">{</span> <span class="na">rateLimiting</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">analytics</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">},</span> <span class="na">envPrefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MYAPP_</span><span class="dl">"</span><span class="p">,</span> <span class="na">envFile</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.env</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// optional auto-loading of process.env</span> <span class="na">rootFile</span><span class="p">:</span> <span class="s2">`config/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span><span class="p">}</span><span class="s2">.js`</span> <span class="p">});</span> <span class="c1">// app.js</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./config/index.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span> <span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">server.port</span><span class="dl">"</span><span class="p">),</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Running on port </span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">server.port</span><span class="dl">"</span><span class="p">)}</span><span class="s2">`</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p><strong>Production .env:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">MYAPP_SERVER__PORT</span><span class="o">=</span>8080 <span class="nv">MYAPP_DB__HOST</span><span class="o">=</span>prod-db.internal <span class="nv">MYAPP_DB__POOL__MAX</span><span class="o">=</span>50 <span class="nv">MYAPP_REDIS__URL</span><span class="o">=</span>redis://prod:6379 </code></pre> </div> <p>Notice the <code>__</code> for nested keys!</p> <h2> Environment Variables Made Easy </h2> <p>The syntax:</p> <ul> <li>Prefix: <code>APP_</code> </li> <li>Single <code>_</code> separates prefix</li> <li>Double <code>__</code> creates nested paths </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">APP_DB__HOST</span><span class="o">=</span>localhost <span class="c"># → db.host</span> <span class="nv">APP_DB__PORT</span><span class="o">=</span>5432 <span class="c"># → db.port (parsed to number)</span> <span class="nv">APP_FEATURE__BETA</span><span class="o">=</span><span class="nb">true</span> <span class="c"># → feature.beta (parsed to boolean)</span> </code></pre> </div> <h2> Use Case: Feature Flags </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nf">createConfig</span><span class="p">({</span> <span class="na">defaults</span><span class="p">:</span> <span class="p">{</span> <span class="na">features</span><span class="p">:</span> <span class="p">{</span> <span class="na">darkMode</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">newUI</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">betaAccess</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">},</span> <span class="na">envPrefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">FEATURES_</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">featureEnabled</span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`features.</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="k">if </span><span class="p">(</span><span class="nf">featureEnabled</span><span class="p">(</span><span class="dl">"</span><span class="s2">darkMode</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nf">applyDarkTheme</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Enable for beta users</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">isBetaTester</span><span class="p">)</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">features.betaAccess</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Use Case: NPM Package Configuration </h2> <p>If you're building an npm package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">config-ship</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createClient</span><span class="p">(</span><span class="nx">userOptions</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nf">createConfig</span><span class="p">({</span> <span class="na">defaults</span><span class="p">:</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="na">retries</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://api.example.com</span><span class="dl">"</span> <span class="p">},</span> <span class="na">envPrefix</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MY_PKG_</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// User options override everything</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">userOptions</span><span class="p">).</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">key</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">config</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">userOptions</span><span class="p">[</span><span class="nx">key</span><span class="p">]);</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">config</span><span class="p">,</span> <span class="c1">// your API</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Users can configure via:</p> <ol> <li>Your defaults</li> <li>Env vars: <code>MY_PKG_TIMEOUT=10000</code> </li> <li>Runtime: <code>createClient({ timeout: 3000 })</code> </li> </ol> <h2> Security: Prototype Pollution Protection </h2> <p>This was a critical fix in v0.1.2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Malicious attempts are blocked ✅</span> <span class="nx">config</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">__proto__.polluted</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">config</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">constructor.prototype.polluted</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">({}.</span><span class="nx">polluted</span><span class="p">);</span> <span class="c1">// undefined (safe!)</span> </code></pre> </div> <p>Tested with comprehensive security tests.</p> <h2> What's New in v0.1.2? </h2> <ul> <li>✨ <strong>Raw env names</strong>: <code>config.get("APP_NAME")</code> now works</li> <li>🔒 <strong>Security</strong>: Fixed prototype pollution vulnerability</li> <li>💪 <strong>TypeScript</strong>: Strict mode enabled</li> <li>📚 <strong>Docs</strong>: Better examples and use cases</li> <li>✅ <strong>Tests</strong>: 37 tests, all passing</li> </ul> <h2> Why Not Just Use...? </h2> <p><strong>dotenv</strong>: Only loads env vars, no layering, no runtime overrides<br><br> <strong>config</strong>: 5+ dependencies, complex setup, no raw env names<br><br> <strong>convict</strong>: Great but heavy, validation overhead </p> <p><strong>ConfigShip</strong>: Zero deps, simple, secure, batteries-included.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>config-ship </code></pre> </div> <h2> Links </h2> <ul> <li>📦 NPM: <a href="https://www.npmjs.com/package/config-ship" rel="noopener noreferrer">https://www.npmjs.com/package/config-ship</a> </li> <li>🐙 GitHub: <a href="https://github.com/dibakarmitra/config-ship" rel="noopener noreferrer">https://github.com/dibakarmitra/config-ship</a> </li> <li>📝 Changelog: <a href="https://github.com/dibakarmitra/config-ship/blob/main/CHANGELOG.md" rel="noopener noreferrer">CHANGELOG.md</a> </li> </ul> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>config-ship </code></pre> </div> <p>Would love your feedback! What config problems are you facing?</p> <p><strong>Edit</strong>: Thanks for all the feedback! Added clarification about env var naming and raw name support.</p> <p><strong>Subreddits to post to:</strong></p> <ul> <li>r/node</li> <li>r/javascript</li> <li>r/typescript</li> <li>r/webdev</li> <li>r/programming (if it gains traction)</li> </ul> config node typescript tooling