From 5208b44fc673182c47f31053d310cb5fa8f776ad Mon Sep 17 00:00:00 2001
From: Young Yu <youngyu19@gmail.com>
Date: Wed, 17 Jan 2024 19:18:08 -0800
Subject: [PATCH] update readme

---
 CHANGELOG.md |  5 ++++-
 README.md    | 20 +++++++++++++++++++-
 package.json |  2 +-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ed5eb9..ab9398c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
 # Changelog
 
-## 1.1.1 - 1/17/24
+## 1.1.3 - 1/17/24
+Update README.md to notify users about input path validation.
+
+## 1.1.2 - 1/17/24
 Update pipeline with fixed tag and release naming.
 
 ## 1.1.1 - 1/17/24
diff --git a/README.md b/README.md
index 67e8fbb..1487269 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ See the [Config API](#config-api) and [EnvParser API](#envparser-api) sections f
 
 ## Usage
 ### Environment Variables and .env Files
-All environment variables will be loaded into an in-memory cache immediately when the module is loaded. Within environment variables, everything is represented as a string. However, this module provides the ability to convert those strings directly to common datatypes directly into your configuration files, or in your code through the [EnvParser API](#envparser) if you prefer working directly with environment variables. You should be aware of how to represent common data types within your environment variables:
+All environment variables will be loaded into an in-memory cache immediately when the module is loaded. Environment variables from `.env` files using the [dotenv](https://www.npmjs.com/package/dotenv) library. Within environment variables, everything is represented as a string. However, this module provides the ability to convert those strings directly to common datatypes directly into your configuration files, or in your code through the [EnvParser API](#envparser) if you prefer working directly with environment variables. You should be aware of how to represent common data types within your environment variables:
 - The datatypes `string`, `number`, `boolean`, `Date`, and `RegExp` should be represented normally as strings. 
 - Nested datatypes like `object`, `Array`, `Set`, and `Map`  should be represented as JSON strings. Maps and JSON objects are both represented the same way with curly braces as nested JSON structures, but distinction between the two is specified during type conversion. Square brackets are used to represent both sets and arrays, but the distinction is specified during type conversion.
 
@@ -149,6 +149,8 @@ The `--config-dir` command line argument can be set to specify a custom path to
 
 If the path specified by `--config-dir` is invalid, the module will try to load any path set by `CONFIG_DIR`. If the path specified by `CONFIG_DIR` doesn't or isn't set then the default path to the directory containing the `/config` directory will remain the current working directory.
 
+If the target config file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ```bash
 node dist/index.js --config-dir=test/configFiles
 ```
@@ -157,6 +159,9 @@ node dist/index.js --config-dir=test/configFiles
 The `--config-path` command line argument can be set to specify a custom path to the configuration file to use. This will override the custom path set by the `CONFIG_PATH` environment variable. This can be either an absolute path or a relative path. This path is not affected by a directory set by the `--config-dir` command line argument or `CONFIG_DIR` environment variable, so any relative path will always be relative to the current working directory.
 
 If the path specified by `--config-path` is invalid, the module will try to load any path set by `CONFIG_PATH`. If `CONFIG_PATH` is invalid or isn't set, the module will attempt to search the config directory to find the config file matching the environment.
+
+If the target config file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ```bash
 node dist/index.js --config-path=test/config.json
 ```
@@ -179,6 +184,8 @@ The `--env-dir` command line argument can be set to specify a custom directory f
 
 If the path specified by `--env-dir` is invalid, the module will try to load any path set by `ENV_DIR`. If the path specified by `ENV_DIR` is invalid or isn't set then the default path to the directory containing the .env files will remain the current working directory.
 
+If the target `.env` file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ```bash
 node dist/index.js --env-dir=test/envFiles
 ```
@@ -187,6 +194,9 @@ node dist/index.js --env-dir=test/envFiles
 The `--env-path` command line argument can be set to specify a custom path to the `.env` file to use. This will override the custom path set by the `ENV_PATH` environment variable. This can be either an absolute path or a relative path. This path is not affected by a directory set by the `--env-dir` command line argument or `ENV_DIR` environment variable, so any relative path will always be relative to the current working directory.
 
 If the path specified by `--env-path` is invalid, the module will try to load any path set by `ENV_PATH`. If `ENV_PATH` is invalid or isn't set, the module will attempt to search the `.env` directory to find the `.env` file matching the environment.
+
+If the target `.env` file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ```bash
 node dist/index.js --env-path=test/.env.development
 ```
@@ -199,11 +209,15 @@ These special environment variables are optional and can be specified to overrid
 ### CONFIG_DIR
 The `CONFIG_DIR` environment variable can be set to specify a custom path to the `/config` directory. This can be either an absolute path or a relative path. If it is a relative path, it will be relative to the current working directory. If the path specified by `CONFIG_DIR` is invalid, then the default path to the directory containing the `/config` directory will remain the current working directory.
 
+If the target config file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ### CONFIG_PATH
 The `CONFIG_PATH` environment variable can be set to specify a custom path to the configuration file to use. This can be either an absolute path or a relative path. This path is not affected by a directory set by the `--config-dir` command line argument or `CONFIG_DIR` environment variable, so any relative path will always be relative to the current working directory.
 
 If the path specified by `CONFIG_PATH` is invalid, the module will attempt to search the `/config` directory to find the configuration file matching the environment.
 
+If the target config file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ### NODE_ENV
 The `NODE_ENV` environment variable is standard and used to set the current environment of the application. This will override the default environment which is set to `development`.
 
@@ -215,11 +229,15 @@ The `ENV_DIR` environment variable can be set to specify a custom directory for
 
 If the path specified by `ENV_DIR` is invalid, then the default path to the directory containing the .env files will remain the current working directory.
 
+If the target `.env` file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ### ENV_PATH
 The `ENV_PATH` environment variable can be set to specify a custom path to the `.env` file to use. This can be either an absolute path or a relative path. This path is not affected by a directory set by the `--env-dir` command line argument or `ENV_DIR` environment variable, so any relative path will always be relative to the current working directory.
 
 If the path specified by `environment variable` is invalid, the module will attempt to search the `.env` directory to find the `.env` file matching the environment.
 
+If the target `.env` file is determined during runtime is outside of the root of your project, it will be ignored for security reasons. The root is determined using the [app-root-path](https://www.npmjs.com/package/app-root-path) library.
+
 ## Config API
 API reference for the `Config` which is used to retrieve values from the configuration files and convert them to the target type.
 
diff --git a/package.json b/package.json
index 01a4c08..529bd84 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "simple-app-config",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "A simple configuration manager for different environments",
   "license": "MIT",
   "repository": {