Mark Stosberg
Validating inputs is a best practice.
I'm not sure how to fix it, as the cryptographically secure API returns random bytes, not a random number: https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback I guess you could do something like: - Convert random...
@typingduck: Cleaner than one or two lines of code? Do you have a proposed improvement?
There are a couple layers of environment variables to consider here. First are the ones that are likely for exclusive use of `node-config`: - NODE_CONFIG_DIR - NODE_CONFIG - ALLOW_CONFIG_MUTATIONS -...
That all sounds good, thanks for the feedback.
Thanks for the interest, @willsr. We're happy to consider a PR if you are motivated to work on one.
@lorenwest the security benefit of this is weaker than I first realized, after finding that the complete environment used to launch the process is available in `/proc/$pid/environ` on Linux....
@gtramontina No. The benefits are less clear, since `/proc/$pid/environ` still contains the original environment. Perhaps in some container contexts this file isn't made available, so there could still be...
Related: #602 proposing masking sensitive values.
Since we already support JSON-with-comments because we support JSON5, a PR which adds support for the `.jsonc` extension would be accepted.