DEV Community

Cover image for Node.js v20: .env files, import modules, and Permission Model
Axel Navarro for Cloud(x);

Posted on • Edited on

Node.js v20: .env files, import modules, and Permission Model

Node.js v20.6 was released with amazing new features that are part of the LTS versions from October 24th, 2023. Let's see!

The INI configuration files

Say goodbye to the dotenv package, now Node.js can load environment variables from a .env file.

node --env-file path/to/.env index.js
Enter fullscreen mode Exit fullscreen mode

💡 The path to the INI file is required because Node.js didn't choose a default name for the INI file.

🧠 If the INI file does not exist, the node process will not fail; instead, it will start running without the environment variables.

Loading NODE_OPTIONS

You can load Node.js' specific environment variables (like NODE_OPTIONS) using an INI configuration file like the following example:

NODE_NO_WARNINGS=1
NODE_OPTIONS="--experimental-permission --allow-fs-read=*"
TZ=Pacific/Honolulu
UV_THREADPOOL_SIZE=5
Enter fullscreen mode Exit fullscreen mode

You can use this with the same method:

node --env-file .env index.js
Enter fullscreen mode Exit fullscreen mode

Preload ES modules

Preload ES modules at startup using the --import flag, the module will be loaded before any application code runs, even the entry point.

node --import path/to/file.js index.js
Enter fullscreen mode Exit fullscreen mode

This flag is similar to the well known --require flag used to load CommonJS modules.

💡 Modules preloaded with --require will run before modules preloaded with --import.

Permission Model

We have a new mechanism to restrict access to specific resources during the execution of a Node.js process called Permission Model. The API exists behind a flag --experimental-permission which, when enabled, will restrict access to all resources not explicitly allowed.

File System permissions

The --allow-fs-read flag allows all FileSystemRead operations using *, or to specific paths using absolute routes.

node --experimental-permission --allow-fs-read=* index.js
Enter fullscreen mode Exit fullscreen mode

To only allow access to specific paths you should use absolute routes

node --experimental-permission --allow-fs-read=/path/to/index.js --allow-fs-read=/path/to/directory index.js
Enter fullscreen mode Exit fullscreen mode

🧠 The initializer module also needs to be allowed. Otherwise index.js file cannot be loaded by the Node.js process itself.

💡 You can use . to allow access to the working directory, but you can't use it to specify the path to a file (e.g. ./index.js).

node --experimental-permission --allow-fs-read=. index.js
Enter fullscreen mode Exit fullscreen mode

The --allow-fs-write flag allows access to specific paths or the whole file system using *.

node --experimental-permission --allow-fs-read=. --allow-fs-write=/tmp/ index.js
Enter fullscreen mode Exit fullscreen mode

Child Process

When the Permission Model is enabled, the process will not be able to spawn any child process by default, you should use the --allow-child-process to allow this operation. Let's use the following code for the index.js.

const childProcess = require('node:child_process');
childProcess.spawn('node', ['-e', 'require("fs").writeFileSync("./new-file.txt", "Hello, World!")']);
Enter fullscreen mode Exit fullscreen mode

To run this snippet with the Permission Model enabled you should execute index.js using the following command:

node --experimental-permission --allow-fs-read . --allow-child-process index.js
Enter fullscreen mode Exit fullscreen mode

🧠 The child process doesn't inherit the Permission Model by default, that's why the new-file.txt is created successfully.

More options

You can check the --allow-worker flag if you want to create Worker Threads under this Permission Model and --allow-wasi to allow the creation of WASI instances

Conclusion

We have a lot of new tools to load environment variables for our application, a method to import preload ES modules required in our code and a new Permission Model to increase the security of our systems.

Stay tuned to the Node.js' blog, this team is adding awesome features in every version! We have initial TypeScript support and a Network Inspection using the DevTools in v22.6.0.

Top comments (0)