
Security policies

nax loads workflow files and nax.config.* files through Configorama safe mode. This means static config files can still use supported data-flow variables, but JavaScript and TypeScript execution is blocked while workflows are discovered.

The internal loader is equivalent to:

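import path from 'node:path'
import configorama from 'configorama'

// Resolve the workflow file to an absolute path.
const configPath = path.resolve('flow.yml')

// Load in safe mode, limiting file/text references to the config's own directory.
await configorama(configPath, {
  safeMode: true,
  allowedFileRoots: [path.dirname(configPath)]
})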

| Setting | Default | Purpose |
| --- | --- | --- |
| safeMode | true | Enables safe inspection and blocking policy while nax loads configs. |
| allowedFileRoots | config directory | Roots for file/text references. |
| restrictFileRoots | true | Blocks traversal outside allowed roots. |
| blockExecutableFiles | true | Blocks JavaScript, TypeScript, ESM, and CJS execution. |
| blockCustomResolvers | true | Blocks user resolver code. |
| blockCustomFunctions | true | Blocks user function code. |
| blockDotEnv | true | Blocks dotenv mutation. |
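
The file-root and executable-file rules from the table, sketched as an added example (this is not nax or Configorama source code). The helper names `checkFileReference` and `isInsideRoot`, the extension list, and the sample paths are assumptions made for illustration.

```javascript
const path = require('node:path')

// Assumed extension list for "JavaScript, TypeScript, ESM, and CJS";
// the real loader's list may differ.
const EXECUTABLE_EXTENSIONS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts'])

// True when `target` is `root` itself or lies beneath it.
// path.relative avoids the startsWith() pitfall where "/srv/project-evil"
// would pass a prefix test against "/srv/project".
// This check is lexical only; it does not resolve symlinks.
function isInsideRoot(root, target) {
  const rel = path.relative(root, target)
  if (rel === '') return true
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel)
}

// Hypothetical helper: decides whether a file reference found in a config
// may be read, mirroring the documented defaults (roots = config directory).
function checkFileReference(configPath, reference, allowedFileRoots) {
  const configDir = path.dirname(path.resolve(configPath))
  const roots = (allowedFileRoots ?? [configDir]).map((r) => path.resolve(r))
  // References resolve relative to the config file, not the process cwd.
  const target = path.resolve(configDir, reference)

  if (EXECUTABLE_EXTENSIONS.has(path.extname(target).toLowerCase())) {
    return { allowed: false, reason: 'blockExecutableFiles', target }
  }
  if (!roots.some((root) => isInsideRoot(root, target))) {
    return { allowed: false, reason: 'restrictFileRoots', target }
  }
  return { allowed: true, reason: null, target }
}

// Constructed sample references checked against a constructed project path.
const samples = ['./steps/build.yml', '../project-evil/x.yml', './hooks/setup.ts', '/etc/hosts']
for (const ref of samples) {
  const { allowed, reason } = checkFileReference('/srv/project/flow.yml', ref)
  console.log(ref.padEnd(24), allowed ? 'allowed' : `blocked (${reason})`)
}
```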

Use flow.yml, flow.yaml, flow.json, or flow.toml for project workflows. nax.config.yml, nax.config.yaml, nax.config.json, and nax.config.toml are supported for project flow-root discovery.

eval(...) and if(...) are sandboxed data-flow expressions in Configorama, so safe mode does not treat them like executable config. Prefer static workflow files and data-flow expressions for comparisons, arithmetic, ternaries, and boolean checks before reaching for JavaScript or TypeScript files.
