Skip to Content
Security policies

Security policies

await configorama('config.yml', { safeMode: true, allowedFileRoots: [process.cwd()] })
SettingDefaultPurpose
safeModefalseEnables safe inspection and blocking policy.
allowedFileRootsconfig directory in safe modeRoots for file/text references.
restrictFileRootstrue in safe modeBlocks traversal outside allowed roots.
blockExecutableFilestrue in safe modeBlocks JS, TS, ESM, and CJS execution.
blockCustomResolverstrue in safe modeBlocks user resolver code.
blockCustomFunctionstrue in safe modeBlocks user function code.
blockDotEnvtrue in safe modeBlocks dotenv mutation.

eval(...) and if(...) are sandboxed data-flow expressions, so safe mode does not treat them like executable config. Prefer eval variables for config-time comparisons, arithmetic, ternaries, and boolean checks before reaching for JS or TS files.

See safe inspection, security model, and audit schema.

Last updated on