Bunches

Bunches allows you to open up most of your application, whilst keeping your secret sauce secret. Bunches provides conventions for installing node modules without adding dependencies to your package.json. This enables you to inject code which needs to remain secret—code which is proprietary or contains core business logic—within both your local and cloud environments.

Bunches defines the bunches script which has the flags --mixin-secret-plugins and --remove-secret-plugins, which when used in conjunction around your npm install step install your secret dependencies without modifying your package.json.

Installation

npm install bunches

Usage

Add the following setup and teardown scripts to your package.json.

"preinstall": "bunches --mixin-secret-plugins", "postinstall": "bunches --remove-secret-plugins",

Then, add a bunches dependencies object to your .env file.

For example, the following declaration will install bananaphone 0.0.5.

BUNCHES_DEPENDENCIES="{"bananaphone":"0.0.5"}"

Use JSON.stringify to convert a JavaScript object into a string and assign it to BUNCHES_DEPENDENCIES. The example above was generated with JSON.stringify({ bananaphone: "0.0.5" }) which returns the string "{"bananaphone":"0.0.5"}".

When requiring a secret dependency you may be relying on a secure remote git repo. Take whatever URI your service provides for cloning and ensure its protocol begins with git. If it's protocol is ssh, replace it with git+ssh, if it's protocol is https, replace it with git+https.

NOTE: Bunches will modify the package-lock.json for the project which you are installing optional dependencies, indicating that those modules are installed. Only commit this file if you want to expose optional dependencies.