Security policies
await configorama('config.yml', {
safeMode: true,
allowedFileRoots: [process.cwd()]
})| Setting | Default | Purpose |
|---|---|---|
safeMode | false | Enables safe inspection and blocking policy. |
allowedFileRoots | config directory in safe mode | Roots for file/text references. |
restrictFileRoots | true in safe mode | Blocks traversal outside allowed roots. |
blockExecutableFiles | true in safe mode | Blocks JS, TS, ESM, and CJS execution. |
blockCustomResolvers | true in safe mode | Blocks user resolver code. |
blockCustomFunctions | true in safe mode | Blocks user function code. |
blockDotEnv | true in safe mode | Blocks dotenv mutation. |
eval(...) and if(...) are sandboxed data-flow expressions, so safe mode does not treat them like executable config. Prefer eval variables for config-time comparisons, arithmetic, ternaries, and boolean checks before reaching for JS or TS files.
See safe inspection, security model, and audit schema.
Last updated on