Skip to content

Latest commit

Β 

History

History
3192 lines (2380 loc) Β· 87.2 KB

cli.md

File metadata and controls

3192 lines (2380 loc) Β· 87.2 KB

Command-line API

Node.js comes with a variety of CLI options. These options expose built-in debugging, multiple ways to execute scripts, and other helpful runtime options.

To view this documentation as a manual page in a terminal, run man node.

Synopsis

node [options] [V8 options] [<program-entry-point> | -e "script" | -] [--] [arguments]

node inspect [<program-entry-point> | -e "script" | <host>:<port>] …

node --v8-options

Execute without arguments to start the REPL.

For more info about node inspect, see the debugger documentation.

Program entry point

The program entry point is a specifier-like string. If the string is not an absolute path, it's resolved as a relative path from the current working directory. That path is then resolved by CommonJS module loader, or by the ES module loader if --experimental-default-type=module is passed. If no corresponding file is found, an error is thrown.

If a file is found, its path will be passed to the ES module loader under any of the following conditions:

  • The program was started with a command-line flag that forces the entry point to be loaded with ECMAScript module loader, such as --import or --experimental-default-type=module.
  • The file has an .mjs extension.
  • The file does not have a .cjs extension, and the nearest parent package.json file contains a top-level "type" field with a value of "module".

Otherwise, the file is loaded using the CommonJS module loader. See Modules loaders for more details.

ECMAScript modules loader entry point caveat

When loading, the ES module loader loads the program entry point, the node command will accept as input only files with .js, .mjs, or .cjs extensions; with .wasm extensions when --experimental-wasm-modules is enabled; and with no extension when --experimental-default-type=module is passed.

Options

All options, including V8 options, allow words to be separated by both dashes (-) or underscores (_). For example, --pending-deprecation is equivalent to --pending_deprecation.

If an option that takes a single value (such as --max-http-header-size) is passed more than once, then the last passed value is used. Options from the command line take precedence over options passed through the NODE_OPTIONS environment variable.

-

Alias for stdin. Analogous to the use of - in other command-line utilities, meaning that the script is read from stdin, and the rest of the options are passed to that script.

--

Indicate the end of node options. Pass the rest of the arguments to the script. If no script filename or eval/print script is supplied prior to this, then the next argument is used as a script filename.

--abort-on-uncaught-exception

Aborting instead of exiting causes a core file to be generated for post-mortem analysis using a debugger (such as lldb, gdb, and mdb).

If this flag is passed, the behavior can still be set to not abort through process.setUncaughtExceptionCaptureCallback() (and through usage of the node:domain module that uses it).

--allow-addons

Stability: 1.1 - Active development

When using the Permission Model, the process will not be able to use native addons by default. Attempts to do so will throw an ERR_DLOPEN_DISABLED unless the user explicitly passes the --allow-addons flag when starting Node.js.

Example:

// Attempt to require an native addon
require('nodejs-addon-example');
$ node --experimental-permission --allow-fs-read=* index.js
node:internal/modules/cjs/loader:1319
  return process.dlopen(module, path.toNamespacedPath(filename));
                 ^

Error: Cannot load native addon because loading addons is disabled.
    at Module._extensions..node (node:internal/modules/cjs/loader:1319:18)
    at Module.load (node:internal/modules/cjs/loader:1091:32)
    at Module._load (node:internal/modules/cjs/loader:938:12)
    at Module.require (node:internal/modules/cjs/loader:1115:19)
    at require (node:internal/modules/helpers:130:18)
    at Object.<anonymous> (/home/index.js:1:15)
    at Module._compile (node:internal/modules/cjs/loader:1233:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1287:10)
    at Module.load (node:internal/modules/cjs/loader:1091:32)
    at Module._load (node:internal/modules/cjs/loader:938:12) {
  code: 'ERR_DLOPEN_DISABLED'
}

--allow-child-process

Stability: 1.1 - Active development

When using the Permission Model, the process will not be able to spawn any child process by default. Attempts to do so will throw an ERR_ACCESS_DENIED unless the user explicitly passes the --allow-child-process flag when starting Node.js.

Example:

const childProcess = require('node:child_process');
// Attempt to bypass the permission
childProcess.spawn('node', ['-e', 'require("fs").writeFileSync("/new-file", "example")']);
$ node --experimental-permission --allow-fs-read=* index.js
node:internal/child_process:388
  const err = this._handle.spawn(options);
                           ^
Error: Access to this API has been restricted
    at ChildProcess.spawn (node:internal/child_process:388:28)
    at Object.spawn (node:child_process:723:9)
    at Object.<anonymous> (/home/index.js:3:14)
    at Module._compile (node:internal/modules/cjs/loader:1120:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1174:10)
    at Module.load (node:internal/modules/cjs/loader:998:32)
    at Module._load (node:internal/modules/cjs/loader:839:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'ChildProcess'
}

--allow-fs-read

Stability: 1.1 - Active development

This flag configures file system read permissions using the Permission Model.

The valid arguments for the --allow-fs-read flag are:

  • * - To allow all FileSystemRead operations.
  • Multiple paths can be allowed using multiple --allow-fs-read flags. Example --allow-fs-read=/folder1/ --allow-fs-read=/folder1/

Paths delimited by comma (,) are no longer allowed. When passing a single flag with a comma a warning will be displayed.

Examples can be found in the File System Permissions documentation.

Relative paths are NOT yet supported by the CLI flag.

The initializer module also needs to be allowed. Consider the following example:

$ node --experimental-permission t.js
node:internal/modules/cjs/loader:162
  const result = internalModuleStat(filename);
                 ^

Error: Access to this API has been restricted
    at stat (node:internal/modules/cjs/loader:162:18)
    at Module._findPath (node:internal/modules/cjs/loader:640:16)
    at resolveMainPath (node:internal/modules/run_main:15:25)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:53:24)
    at node:internal/main/run_main_module:23:47 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/Users/rafaelgss/repos/os/node/t.js'
}

The process needs to have access to the index.js module:

node --experimental-permission --allow-fs-read=/path/to/index.js index.js

--allow-fs-write

Stability: 1.1 - Active development

This flag configures file system write permissions using the Permission Model.

The valid arguments for the --allow-fs-write flag are:

  • * - To allow all FileSystemWrite operations.
  • Multiple paths can be allowed using multiple --allow-fs-read flags. Example --allow-fs-read=/folder1/ --allow-fs-read=/folder1/

Paths delimited by comma (,) are no longer allowed. When passing a single flag with a comma a warning will be displayed.

Examples can be found in the File System Permissions documentation.

Relative paths are NOT supported through the CLI flag.

--allow-worker

Stability: 1.1 - Active development

When using the Permission Model, the process will not be able to create any worker threads by default. For security reasons, the call will throw an ERR_ACCESS_DENIED unless the user explicitly pass the flag --allow-worker in the main Node.js process.

Example:

const { Worker } = require('node:worker_threads');
// Attempt to bypass the permission
new Worker(__filename);
$ node --experimental-permission --allow-fs-read=* index.js
node:internal/worker:188
    this[kHandle] = new WorkerImpl(url,
                    ^

Error: Access to this API has been restricted
    at new Worker (node:internal/worker:188:21)
    at Object.<anonymous> (/home/index.js.js:3:1)
    at Module._compile (node:internal/modules/cjs/loader:1120:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1174:10)
    at Module.load (node:internal/modules/cjs/loader:998:32)
    at Module._load (node:internal/modules/cjs/loader:839:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47 {
  code: 'ERR_ACCESS_DENIED',
  permission: 'WorkerThreads'
}

--build-snapshot

Stability: 1 - Experimental

Generates a snapshot blob when the process exits and writes it to disk, which can be loaded later with --snapshot-blob.

When building the snapshot, if --snapshot-blob is not specified, the generated blob will be written, by default, to snapshot.blob in the current working directory. Otherwise it will be written to the path specified by --snapshot-blob.

$ echo "globalThis.foo = 'I am from the snapshot'" > snapshot.js

# Run snapshot.js to initialize the application and snapshot the
# state of it into snapshot.blob.
$ node --snapshot-blob snapshot.blob --build-snapshot snapshot.js

$ echo "console.log(globalThis.foo)" > index.js

# Load the generated snapshot and start the application from index.js.
$ node --snapshot-blob snapshot.blob index.js
I am from the snapshot

The v8.startupSnapshot API can be used to specify an entry point at snapshot building time, thus avoiding the need of an additional entry script at deserialization time:

$ echo "require('v8').startupSnapshot.setDeserializeMainFunction(() => console.log('I am from the snapshot'))" > snapshot.js
$ node --snapshot-blob snapshot.blob --build-snapshot snapshot.js
$ node --snapshot-blob snapshot.blob
I am from the snapshot

For more information, check out the v8.startupSnapshot API documentation.

Currently the support for run-time snapshot is experimental in that:

  1. User-land modules are not yet supported in the snapshot, so only one single file can be snapshotted. Users can bundle their applications into a single script with their bundler of choice before building a snapshot, however.
  2. Only a subset of the built-in modules work in the snapshot, though the Node.js core test suite checks that a few fairly complex applications can be snapshotted. Support for more modules are being added. If any crashes or buggy behaviors occur when building a snapshot, please file a report in the Node.js issue tracker and link to it in the tracking issue for user-land snapshots.

--build-snapshot-config

Stability: 1 - Experimental

Specifies the path to a JSON configuration file which configures snapshot creation behavior.

The following options are currently supported:

  • builder {string} Required. Provides the name to the script that is executed before building the snapshot, as if --build-snapshot had been passed with builder as the main script name.
  • withoutCodeCache {boolean} Optional. Including the code cache reduces the time spent on compiling functions included in the snapshot at the expense of a bigger snapshot size and potentially breaking portability of the snapshot.

When using this flag, additional script files provided on the command line will not be executed and instead be interpreted as regular command line arguments.

-c, --check

Syntax check the script without executing.

--completion-bash

Print source-able bash completion script for Node.js.

node --completion-bash > node_bash_completion
source node_bash_completion

-C condition, --conditions=condition

Stability: 1 - Experimental

Enable experimental support for custom conditional exports resolution conditions.

Any number of custom string condition names are permitted.

The default Node.js conditions of "node", "default", "import", and "require" will always apply as defined.

For example, to run a module with "development" resolutions:

node -C development app.js

--cpu-prof

Stability: 1 - Experimental

Starts the V8 CPU profiler on start up, and writes the CPU profile to disk before exit.

If --cpu-prof-dir is not specified, the generated profile is placed in the current working directory.

If --cpu-prof-name is not specified, the generated profile is named CPU.${yyyymmdd}.${hhmmss}.${pid}.${tid}.${seq}.cpuprofile.

$ node --cpu-prof index.js
$ ls *.cpuprofile
CPU.20190409.202950.15293.0.0.cpuprofile

--cpu-prof-dir

Stability: 1 - Experimental

Specify the directory where the CPU profiles generated by --cpu-prof will be placed.

The default value is controlled by the --diagnostic-dir command-line option.

--cpu-prof-interval

Stability: 1 - Experimental

Specify the sampling interval in microseconds for the CPU profiles generated by --cpu-prof. The default is 1000 microseconds.

--cpu-prof-name

Stability: 1 - Experimental

Specify the file name of the CPU profile generated by --cpu-prof.

--diagnostic-dir=directory

Set the directory to which all diagnostic output files are written. Defaults to current working directory.

Affects the default output directory of:

--disable-warning=code-or-type

Stability: 1.1 - Active development

Disable specific process warnings by code or type.

Warnings emitted from process.emitWarning() may contain a code and a type. This option will not-emit warnings that have a matching code or type.

List of deprecation warnings.

The Node.js core warning types are: DeprecationWarning and ExperimentalWarning

For example, the following script will not emit DEP0025 require('node:sys') when executed with node --disable-warning=DEP0025:

import sys from 'node:sys';
const sys = require('node:sys');

For example, the following script will emit the DEP0025 require('node:sys'), but not any Experimental Warnings (such as ExperimentalWarning: vm.measureMemory is an experimental feature in <=v21) when executed with node --disable-warning=ExperimentalWarning:

import sys from 'node:sys';
import vm from 'node:vm';

vm.measureMemory();
const sys = require('node:sys');
const vm = require('node:vm');

vm.measureMemory();

--disable-proto=mode

Disable the Object.prototype.__proto__ property. If mode is delete, the property is removed entirely. If mode is throw, accesses to the property throw an exception with the code ERR_PROTO_ACCESS.

--disallow-code-generation-from-strings

Make built-in language features like eval and new Function that generate code from strings throw an exception instead. This does not affect the Node.js node:vm module.

--dns-result-order=order

Set the default value of verbatim in dns.lookup() and dnsPromises.lookup(). The value could be:

  • ipv4first: sets default verbatim false.
  • verbatim: sets default verbatim true.

The default is verbatim and dns.setDefaultResultOrder() have higher priority than --dns-result-order.

--enable-fips

Enable FIPS-compliant crypto at startup. (Requires Node.js to be built against FIPS-compatible OpenSSL.)

--enable-network-family-autoselection

Enables the family autoselection algorithm unless connection options explicitly disables it.

--enable-source-maps

Enable Source Map v3 support for stack traces.

When using a transpiler, such as TypeScript, stack traces thrown by an application reference the transpiled code, not the original source position. --enable-source-maps enables caching of Source Maps and makes a best effort to report stack traces relative to the original source file.

Overriding Error.prepareStackTrace may prevent --enable-source-maps from modifying the stack trace. Call and return the results of the original Error.prepareStackTrace in the overriding function to modify the stack trace with source maps.

const originalPrepareStackTrace = Error.prepareStackTrace;
Error.prepareStackTrace = (error, trace) => {
  // Modify error and trace and format stack trace with
  // original Error.prepareStackTrace.
  return originalPrepareStackTrace(error, trace);
};

Note, enabling source maps can introduce latency to your application when Error.stack is accessed. If you access Error.stack frequently in your application, take into account the performance implications of --enable-source-maps.

--env-file=config

Stability: 1.1 - Active development

Loads environment variables from a file relative to the current directory, making them available to applications on process.env. The environment variables which configure Node.js, such as NODE_OPTIONS, are parsed and applied. If the same variable is defined in the environment and in the file, the value from the environment takes precedence.

You can pass multiple --env-file arguments. Subsequent files override pre-existing variables defined in previous files.

node --env-file=.env --env-file=.development.env index.js

The format of the file should be one line per key-value pair of environment variable name and value separated by =:

PORT=3000

Any text after a # is treated as a comment:

# This is a comment
PORT=3000 # This is also a comment

Values can start and end with the following quotes: `, " or '. They are omitted from the values.

USERNAME="nodejs" # will result in `nodejs` as the value.

Multi-line values are supported:

MULTI_LINE="THIS IS
A MULTILINE"
# will result in `THIS IS\nA MULTILINE` as the value.

Export keyword before a key is ignored:

export USERNAME="nodejs" # will result in `nodejs` as the value.

-e, --eval "script"

Evaluate the following argument as JavaScript. The modules which are predefined in the REPL can also be used in script.

On Windows, using cmd.exe a single quote will not work correctly because it only recognizes double " for quoting. In Powershell or Git bash, both ' and " are usable.

--experimental-default-type=type

Stability: 1.0 - Early development

Define which module system, module or commonjs, to use for the following:

  • String input provided via --eval or STDIN, if --input-type is unspecified.

  • Files ending in .js or with no extension, if there is no package.json file present in the same folder or any parent folder.

  • Files ending in .js or with no extension, if the nearest parent package.json field lacks a "type" field; unless the package.json folder or any parent folder is inside a node_modules folder.

In other words, --experimental-default-type=module flips all the places where Node.js currently defaults to CommonJS to instead default to ECMAScript modules, with the exception of folders and subfolders below node_modules, for backward compatibility.

Under --experimental-default-type=module and --experimental-wasm-modules, files with no extension will be treated as WebAssembly if they begin with the WebAssembly magic number (\0asm); otherwise they will be treated as ES module JavaScript.

--experimental-detect-module

Stability: 1.1 - Active development

Node.js will inspect the source code of ambiguous input to determine whether it contains ES module syntax; if such syntax is detected, the input will be treated as an ES module.

Ambiguous input is defined as:

  • Files with a .js extension or no extension; and either no controlling package.json file or one that lacks a type field; and --experimental-default-type is not specified.
  • String input (--eval or STDIN) when neither --input-type nor --experimental-default-type are specified.

ES module syntax is defined as syntax that would throw when evaluated as CommonJS. This includes the following:

  • import statements (but not import() expressions, which are valid in CommonJS).
  • export statements.
  • import.meta references.
  • await at the top level of a module.
  • Lexical redeclarations of the CommonJS wrapper variables (require, module, exports, __dirname, __filename).

--experimental-import-meta-resolve

Enable experimental import.meta.resolve() parent URL support, which allows passing a second parentURL argument for contextual resolution.

Previously gated the entire import.meta.resolve feature.

--experimental-loader=module

This flag is discouraged and may be removed in a future version of Node.js. Please use --import with register() instead.

Specify the module containing exported module customization hooks. module may be any string accepted as an import specifier.

--experimental-network-imports

Stability: 1 - Experimental

Enable experimental support for the https: protocol in import specifiers.

--experimental-permission

Stability: 1.1 - Active development

Enable the Permission Model for current process. When enabled, the following permissions are restricted:

--experimental-policy

Use the specified file as a security policy.

--experimental-require-module

Stability: 1.1 - Active Developement

Supports loading a synchronous ES module graph in require().

See Loading ECMAScript modules using require().

--experimental-sea-config

Stability: 1 - Experimental

Use this flag to generate a blob that can be injected into the Node.js binary to produce a single executable application. See the documentation about this configuration for details.

--experimental-shadow-realm

Use this flag to enable ShadowRealm support.

--experimental-test-coverage

When used in conjunction with the node:test module, a code coverage report is generated as part of the test runner output. If no tests are run, a coverage report is not generated. See the documentation on collecting code coverage from tests for more details.

--experimental-vm-modules

Enable experimental ES Module support in the node:vm module.

--experimental-wasi-unstable-preview1

Enable experimental WebAssembly System Interface (WASI) support.

--experimental-wasm-modules

Enable experimental WebAssembly module support.

--force-context-aware

Disable loading native addons that are not context-aware.

--force-fips

Force FIPS-compliant crypto on startup. (Cannot be disabled from script code.) (Same requirements as --enable-fips.)

--force-node-api-uncaught-exceptions-policy

Enforces uncaughtException event on Node-API asynchronous callbacks.

To prevent from an existing add-on from crashing the process, this flag is not enabled by default. In the future, this flag will be enabled by default to enforce the correct behavior.

--frozen-intrinsics

Stability: 1 - Experimental

Enable experimental frozen intrinsics like Array and Object.

Only the root context is supported. There is no guarantee that globalThis.Array is indeed the default intrinsic reference. Code may break under this flag.

To allow polyfills to be added, --require and --import both run before freezing intrinsics.

--heap-prof

Stability: 1 - Experimental

Starts the V8 heap profiler on start up, and writes the heap profile to disk before exit.

If --heap-prof-dir is not specified, the generated profile is placed in the current working directory.

If --heap-prof-name is not specified, the generated profile is named Heap.${yyyymmdd}.${hhmmss}.${pid}.${tid}.${seq}.heapprofile.

$ node --heap-prof index.js
$ ls *.heapprofile
Heap.20190409.202950.15293.0.001.heapprofile

--heap-prof-dir

Stability: 1 - Experimental

Specify the directory where the heap profiles generated by --heap-prof will be placed.

The default value is controlled by the --diagnostic-dir command-line option.

--heap-prof-interval

Stability: 1 - Experimental

Specify the average sampling interval in bytes for the heap profiles generated by --heap-prof. The default is 512 * 1024 bytes.

--heap-prof-name

Stability: 1 - Experimental

Specify the file name of the heap profile generated by --heap-prof.

--heapsnapshot-near-heap-limit=max_count

Stability: 1 - Experimental

Writes a V8 heap snapshot to disk when the V8 heap usage is approaching the heap limit. count should be a non-negative integer (in which case Node.js will write no more than max_count snapshots to disk).

When generating snapshots, garbage collection may be triggered and bring the heap usage down. Therefore multiple snapshots may be written to disk before the Node.js instance finally runs out of memory. These heap snapshots can be compared to determine what objects are being allocated during the time consecutive snapshots are taken. It's not guaranteed that Node.js will write exactly max_count snapshots to disk, but it will try its best to generate at least one and up to max_count snapshots before the Node.js instance runs out of memory when max_count is greater than 0.

Generating V8 snapshots takes time and memory (both memory managed by the V8 heap and native memory outside the V8 heap). The bigger the heap is, the more resources it needs. Node.js will adjust the V8 heap to accommodate the additional V8 heap memory overhead, and try its best to avoid using up all the memory available to the process. When the process uses more memory than the system deems appropriate, the process may be terminated abruptly by the system, depending on the system configuration.

$ node --max-old-space-size=100 --heapsnapshot-near-heap-limit=3 index.js
Wrote snapshot to Heap.20200430.100036.49580.0.001.heapsnapshot
Wrote snapshot to Heap.20200430.100037.49580.0.002.heapsnapshot
Wrote snapshot to Heap.20200430.100038.49580.0.003.heapsnapshot

<--- Last few GCs --->

[49580:0x110000000]     4826 ms: Mark-sweep 130.6 (147.8) -> 130.5 (147.8) MB, 27.4 / 0.0 ms  (average mu = 0.126, current mu = 0.034) allocation failure scavenge might not succeed
[49580:0x110000000]     4845 ms: Mark-sweep 130.6 (147.8) -> 130.6 (147.8) MB, 18.8 / 0.0 ms  (average mu = 0.088, current mu = 0.031) allocation failure scavenge might not succeed


<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
....

--heapsnapshot-signal=signal

Enables a signal handler that causes the Node.js process to write a heap dump when the specified signal is received. signal must be a valid signal name. Disabled by default.

$ node --heapsnapshot-signal=SIGUSR2 index.js &
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
node         1  5.5  6.1 787252 247004 ?       Ssl  16:43   0:02 node --heapsnapshot-signal=SIGUSR2 index.js
$ kill -USR2 1
$ ls
Heap.20190718.133405.15554.0.001.heapsnapshot

-h, --help

Print node command-line options. The output of this option is less detailed than this document.

--icu-data-dir=file

Specify ICU data load path. (Overrides NODE_ICU_DATA.)

--import=module

Stability: 1 - Experimental

Preload the specified module at startup. If the flag is provided several times, each module will be executed sequentially in the order they appear, starting with the ones provided in NODE_OPTIONS.

Follows ECMAScript module resolution rules. Use --require to load a CommonJS module. Modules preloaded with --require will run before modules preloaded with --import.

--input-type=type

This configures Node.js to interpret --eval or STDIN input as CommonJS or as an ES module. Valid values are "commonjs" or "module". The default is "commonjs" unless --experimental-default-type=module is used.

The REPL does not support this option. Usage of --input-type=module with --print will throw an error, as --print does not support ES module syntax.

--insecure-http-parser

Enable leniency flags on the HTTP parser. This may allow interoperability with non-conformant HTTP implementations.

When enabled, the parser will accept the following:

  • Invalid HTTP headers values.
  • Invalid HTTP versions.
  • Allow message containing both Transfer-Encoding and Content-Length headers.
  • Allow extra data after message when Connection: close is present.
  • Allow extra transfer encodings after chunked has been provided.
  • Allow \n to be used as token separator instead of \r\n.
  • Allow \r\n not to be provided after a chunk.
  • Allow spaces to be present after a chunk size and before \r\n.

All the above will expose your application to request smuggling or poisoning attack. Avoid using this option.

--inspect[=[host:]port]

Activate inspector on host:port. Default is 127.0.0.1:9229.

V8 inspector integration allows tools such as Chrome DevTools and IDEs to debug and profile Node.js instances. The tools attach to Node.js instances via a tcp port and communicate using the Chrome DevTools Protocol.

Warning: binding inspector to a public IP:port combination is insecure

Binding the inspector to a public IP (including 0.0.0.0) with an open port is insecure, as it allows external hosts to connect to the inspector and perform a remote code execution attack.

If specifying a host, make sure that either:

  • The host is not accessible from public networks.
  • A firewall disallows unwanted connections on the port.

More specifically, --inspect=0.0.0.0 is insecure if the port (9229 by default) is not firewall-protected.

See the debugging security implications section for more information.

--inspect-brk[=[host:]port]

Activate inspector on host:port and break at start of user script. Default host:port is 127.0.0.1:9229.

--inspect-port=[host:]port

Set the host:port to be used when the inspector is activated. Useful when activating the inspector by sending the SIGUSR1 signal.

Default host is 127.0.0.1.

See the security warning below regarding the host parameter usage.

--inspect-publish-uid=stderr,http

Specify ways of the inspector web socket url exposure.

By default inspector websocket url is available in stderr and under /json/list endpoint on http://host:port/json/list.

-i, --interactive

Opens the REPL even if stdin does not appear to be a terminal.

--jitless

Stability: 1 - Experimental. This flag is inherited from V8 and is subject to change upstream.

Disable runtime allocation of executable memory. This may be required on some platforms for security reasons. It can also reduce attack surface on other platforms, but the performance impact may be severe.

--max-http-header-size=size

Specify the maximum size, in bytes, of HTTP headers. Defaults to 16 KiB.

--napi-modules

This option is a no-op. It is kept for compatibility.

--no-addons

Disable the node-addons exports condition as well as disable loading native addons. When --no-addons is specified, calling process.dlopen or requiring a native C++ addon will fail and throw an exception.

--no-deprecation

Silence deprecation warnings.

--no-experimental-fetch

Disable exposition of Fetch API on the global scope.

--no-experimental-global-customevent

Disable exposition of CustomEvent Web API on the global scope.

--no-experimental-global-navigator

Stability: 1 - Experimental

Disable exposition of Navigator API on the global scope.

--no-experimental-global-webcrypto

Disable exposition of Web Crypto API on the global scope.

--no-experimental-repl-await

Use this flag to disable top-level await in REPL.

--no-experimental-websocket

Use this flag to disable experimental WebSocket support.

--no-extra-info-on-fatal-exception

Hide extra information on fatal exception that causes exit.

--no-force-async-hooks-checks

Disables runtime checks for async_hooks. These will still be enabled dynamically when async_hooks is enabled.

--no-global-search-paths

Do not search modules from global paths like $HOME/.node_modules and $NODE_PATH.

--no-network-family-autoselection

Disables the family autoselection algorithm unless connection options explicitly enables it.

--no-warnings

Silence all process warnings (including deprecations).

--node-memory-debug

Enable extra debug checks for memory leaks in Node.js internals. This is usually only useful for developers debugging Node.js itself.

--openssl-config=file

Load an OpenSSL configuration file on startup. Among other uses, this can be used to enable FIPS-compliant crypto if Node.js is built against FIPS-enabled OpenSSL.

--openssl-legacy-provider

Enable OpenSSL 3.0 legacy provider. For more information please see OSSL_PROVIDER-legacy.

--openssl-shared-config

Enable OpenSSL default configuration section, openssl_conf to be read from the OpenSSL configuration file. The default configuration file is named openssl.cnf but this can be changed using the environment variable OPENSSL_CONF, or by using the command line option --openssl-config. The location of the default OpenSSL configuration file depends on how OpenSSL is being linked to Node.js. Sharing the OpenSSL configuration may have unwanted implications and it is recommended to use a configuration section specific to Node.js which is nodejs_conf and is default when this option is not used.

--pending-deprecation

Emit pending deprecation warnings.

Pending deprecations are generally identical to a runtime deprecation with the notable exception that they are turned off by default and will not be emitted unless either the --pending-deprecation command-line flag, or the NODE_PENDING_DEPRECATION=1 environment variable, is set. Pending deprecations are used to provide a kind of selective "early warning" mechanism that developers may leverage to detect deprecated API usage.

--policy-integrity=sri

Stability: 1 - Experimental

Instructs Node.js to error prior to running any code if the policy does not have the specified integrity. It expects a Subresource Integrity string as a parameter.

--preserve-symlinks

Instructs the module loader to preserve symbolic links when resolving and caching modules.

By default, when Node.js loads a module from a path that is symbolically linked to a different on-disk location, Node.js will dereference the link and use the actual on-disk "real path" of the module as both an identifier and as a root path to locate other dependency modules. In most cases, this default behavior is acceptable. However, when using symbolically linked peer dependencies, as illustrated in the example below, the default behavior causes an exception to be thrown if moduleA attempts to require moduleB as a peer dependency:

{appDir}
 β”œβ”€β”€ app
 β”‚   β”œβ”€β”€ index.js
 β”‚   └── node_modules
 β”‚       β”œβ”€β”€ moduleA -> {appDir}/moduleA
 β”‚       └── moduleB
 β”‚           β”œβ”€β”€ index.js
 β”‚           └── package.json
 └── moduleA
     β”œβ”€β”€ index.js
     └── package.json

The --preserve-symlinks command-line flag instructs Node.js to use the symlink path for modules as opposed to the real path, allowing symbolically linked peer dependencies to be found.

Note, however, that using --preserve-symlinks can have other side effects. Specifically, symbolically linked native modules can fail to load if those are linked from more than one location in the dependency tree (Node.js would see those as two separate modules and would attempt to load the module multiple times, causing an exception to be thrown).

The --preserve-symlinks flag does not apply to the main module, which allows node --preserve-symlinks node_module/.bin/<foo> to work. To apply the same behavior for the main module, also use --preserve-symlinks-main.

--preserve-symlinks-main

Instructs the module loader to preserve symbolic links when resolving and caching the main module (require.main).

This flag exists so that the main module can be opted-in to the same behavior that --preserve-symlinks gives to all other imports; they are separate flags, however, for backward compatibility with older Node.js versions.

--preserve-symlinks-main does not imply --preserve-symlinks; use --preserve-symlinks-main in addition to --preserve-symlinks when it is not desirable to follow symlinks before resolving relative paths.

See --preserve-symlinks for more information.

-p, --print "script"

Identical to -e but prints the result.

--experimental-print-required-tla

This flag is only useful when --experimental-require-module is enabled.

If the ES module being require()'d contains top-level await, this flag allows Node.js to evaluate the module, try to locate the top-level awaits, and print their location to help users find them.

--prof

Generate V8 profiler output.

--prof-process

Process V8 profiler output generated using the V8 option --prof.

--redirect-warnings=file

Write process warnings to the given file instead of printing to stderr. The file will be created if it does not exist, and will be appended to if it does. If an error occurs while attempting to write the warning to the file, the warning will be written to stderr instead.

The file name may be an absolute path. If it is not, the default directory it will be written to is controlled by the --diagnostic-dir command-line option.

--report-compact

Write reports in a compact format, single-line JSON, more easily consumable by log processing systems than the default multi-line format designed for human consumption.

--report-dir=directory, report-directory=directory

Location at which the report will be generated.

--report-filename=filename

Name of the file to which the report will be written.

If the filename is set to 'stdout' or 'stderr', the report is written to the stdout or stderr of the process respectively.

--report-on-fatalerror

Enables the report to be triggered on fatal errors (internal errors within the Node.js runtime such as out of memory) that lead to termination of the application. Useful to inspect various diagnostic data elements such as heap, stack, event loop state, resource consumption etc. to reason about the fatal error.

--report-on-signal

Enables report to be generated upon receiving the specified (or predefined) signal to the running Node.js process. The signal to trigger the report is specified through --report-signal.

--report-signal=signal

Sets or resets the signal for report generation (not supported on Windows). Default signal is SIGUSR2.

--report-uncaught-exception

Enables report to be generated when the process exits due to an uncaught exception. Useful when inspecting the JavaScript stack in conjunction with native stack and other runtime environment data.

--report-exclude-network

Exclude header.networkInterfaces from the diagnostic report. By default this is not set and the network interfaces are included.

-r, --require module

Preload the specified module at startup.

Follows require()'s module resolution rules. module may be either a path to a file, or a node module name.

Only CommonJS modules are supported. Use --import to preload an ECMAScript module. Modules preloaded with --require will run before modules preloaded with --import.

--run

Stability: 1.1 - Active development

This runs a specified command from a package.json's "scripts" object. If no "command" is provided, it will list the available scripts.

--run prepends ./node_modules/.bin, relative to the current working directory, to the PATH in order to execute the binaries from dependencies.

For example, the following command will run the test script of the package.json in the current folder:

$ node --run test

You can also pass arguments to the command. Any argument after -- will be appended to the script:

$ node --run test -- --verbose

Intentional limitations

node --run is not meant to match the behaviors of npm run or of the run commands of other package managers. The Node.js implementation is intentionally more limited, in order to focus on top performance for the most common use cases. Some features of other run implementations that are intentionally excluded are:

  • Searching for package.json files outside the current folder.
  • Prepending the .bin or node_modules/.bin paths of folders outside the current folder.
  • Running pre or post scripts in addition to the specified script.
  • Defining package manager-specific environment variables.

--secure-heap=n

Initializes an OpenSSL secure heap of n bytes. When initialized, the secure heap is used for selected types of allocations within OpenSSL during key generation and other operations. This is useful, for instance, to prevent sensitive information from leaking due to pointer overruns or underruns.

The secure heap is a fixed size and cannot be resized at runtime so, if used, it is important to select a large enough heap to cover all application uses.

The heap size given must be a power of two. Any value less than 2 will disable the secure heap.

The secure heap is disabled by default.

The secure heap is not available on Windows.

See CRYPTO_secure_malloc_init for more details.

--secure-heap-min=n

When using --secure-heap, the --secure-heap-min flag specifies the minimum allocation from the secure heap. The minimum value is 2. The maximum value is the lesser of --secure-heap or 2147483647. The value given must be a power of two.

--snapshot-blob=path

Stability: 1 - Experimental

When used with --build-snapshot, --snapshot-blob specifies the path where the generated snapshot blob is written to. If not specified, the generated blob is written to snapshot.blob in the current working directory.

When used without --build-snapshot, --snapshot-blob specifies the path to the blob that is used to restore the application state.

When loading a snapshot, Node.js checks that:

  1. The version, architecture, and platform of the running Node.js binary are exactly the same as that of the binary that generates the snapshot.
  2. The V8 flags and CPU features are compatible with that of the binary that generates the snapshot.

If they don't match, Node.js refuses to load the snapshot and exits with status code 1.

--test

Starts the Node.js command line test runner. This flag cannot be combined with --watch-path, --check, --eval, --interactive, or the inspector. See the documentation on running tests from the command line for more details.

--test-concurrency

The maximum number of test files that the test runner CLI will execute concurrently. The default value is os.availableParallelism() - 1.

--test-force-exit

Configures the test runner to exit the process once all known tests have finished executing even if the event loop would otherwise remain active.

--test-name-pattern

A regular expression that configures the test runner to only execute tests whose name matches the provided pattern. See the documentation on filtering tests by name for more details.

--test-only

Configures the test runner to only execute top level tests that have the only option set.

--test-reporter

A test reporter to use when running tests. See the documentation on test reporters for more details.

--test-reporter-destination

The destination for the corresponding test reporter. See the documentation on test reporters for more details.

--test-shard

Test suite shard to execute in a format of <index>/<total>, where

index is a positive integer, index of divided parts total is a positive integer, total of divided part This command will divide all tests files into total equal parts, and will run only those that happen to be in an index part.

For example, to split your tests suite into three parts, use this:

node --test --test-shard=1/3
node --test --test-shard=2/3
node --test --test-shard=3/3

--test-timeout

A number of milliseconds the test execution will fail after. If unspecified, subtests inherit this value from their parent. The default value is Infinity.

--throw-deprecation

Throw errors for deprecations.

--title=title

Set process.title on startup.

--tls-cipher-list=list

Specify an alternative default TLS cipher list. Requires Node.js to be built with crypto support (default).

--tls-keylog=file

Log TLS key material to a file. The key material is in NSS SSLKEYLOGFILE format and can be used by software (such as Wireshark) to decrypt the TLS traffic.

--tls-max-v1.2

Set tls.DEFAULT_MAX_VERSION to 'TLSv1.2'. Use to disable support for TLSv1.3.

--tls-max-v1.3

Set default tls.DEFAULT_MAX_VERSION to 'TLSv1.3'. Use to enable support for TLSv1.3.

--tls-min-v1.0

Set default tls.DEFAULT_MIN_VERSION to 'TLSv1'. Use for compatibility with old TLS clients or servers.

--tls-min-v1.1

Set default tls.DEFAULT_MIN_VERSION to 'TLSv1.1'. Use for compatibility with old TLS clients or servers.

--tls-min-v1.2

Set default tls.DEFAULT_MIN_VERSION to 'TLSv1.2'. This is the default for 12.x and later, but the option is supported for compatibility with older Node.js versions.

--tls-min-v1.3

Set default tls.DEFAULT_MIN_VERSION to 'TLSv1.3'. Use to disable support for TLSv1.2, which is not as secure as TLSv1.3.

--trace-atomics-wait

Stability: 0 - Deprecated

Print short summaries of calls to Atomics.wait() to stderr. The output could look like this:

(node:15701) [Thread 0] Atomics.wait(&lt;address> + 0, 1, inf) started
(node:15701) [Thread 0] Atomics.wait(&lt;address> + 0, 1, inf) did not wait because the values mismatched
(node:15701) [Thread 0] Atomics.wait(&lt;address> + 0, 0, 10) started
(node:15701) [Thread 0] Atomics.wait(&lt;address> + 0, 0, 10) timed out
(node:15701) [Thread 0] Atomics.wait(&lt;address> + 4, 0, inf) started
(node:15701) [Thread 1] Atomics.wait(&lt;address> + 4, -1, inf) started
(node:15701) [Thread 0] Atomics.wait(&lt;address> + 4, 0, inf) was woken up by another thread
(node:15701) [Thread 1] Atomics.wait(&lt;address> + 4, -1, inf) was woken up by another thread

The fields here correspond to:

  • The thread id as given by worker_threads.threadId
  • The base address of the SharedArrayBuffer in question, as well as the byte offset corresponding to the index passed to Atomics.wait()
  • The expected value that was passed to Atomics.wait()
  • The timeout passed to Atomics.wait

--trace-deprecation

Print stack traces for deprecations.

--trace-event-categories

A comma separated list of categories that should be traced when trace event tracing is enabled using --trace-events-enabled.

--trace-event-file-pattern

Template string specifying the filepath for the trace event data, it supports ${rotation} and ${pid}.

--trace-events-enabled

Enables the collection of trace event tracing information.

--trace-exit

Prints a stack trace whenever an environment is exited proactively, i.e. invoking process.exit().

--trace-sigint

Prints a stack trace on SIGINT.

--trace-sync-io

Prints a stack trace whenever synchronous I/O is detected after the first turn of the event loop.

--trace-tls

Prints TLS packet trace information to stderr. This can be used to debug TLS connection problems.

--trace-uncaught

Print stack traces for uncaught exceptions; usually, the stack trace associated with the creation of an Error is printed, whereas this makes Node.js also print the stack trace associated with throwing the value (which does not need to be an Error instance).

Enabling this option may affect garbage collection behavior negatively.

--trace-warnings

Print stack traces for process warnings (including deprecations).

--track-heap-objects

Track heap object allocations for heap snapshots.

--unhandled-rejections=mode

Using this flag allows to change what should happen when an unhandled rejection occurs. One of the following modes can be chosen:

  • throw: Emit unhandledRejection. If this hook is not set, raise the unhandled rejection as an uncaught exception. This is the default.
  • strict: Raise the unhandled rejection as an uncaught exception. If the exception is handled, unhandledRejection is emitted.
  • warn: Always trigger a warning, no matter if the unhandledRejection hook is set or not but do not print the deprecation warning.
  • warn-with-error-code: Emit unhandledRejection. If this hook is not set, trigger a warning, and set the process exit code to 1.
  • none: Silence all warnings.

If a rejection happens during the command line entry point's ES module static loading phase, it will always raise it as an uncaught exception.

--use-bundled-ca, --use-openssl-ca

Use bundled Mozilla CA store as supplied by current Node.js version or use OpenSSL's default CA store. The default store is selectable at build-time.

The bundled CA store, as supplied by Node.js, is a snapshot of Mozilla CA store that is fixed at release time. It is identical on all supported platforms.

Using OpenSSL store allows for external modifications of the store. For most Linux and BSD distributions, this store is maintained by the distribution maintainers and system administrators. OpenSSL CA store location is dependent on configuration of the OpenSSL library but this can be altered at runtime using environment variables.

See SSL_CERT_DIR and SSL_CERT_FILE.

--use-largepages=mode

Re-map the Node.js static code to large memory pages at startup. If supported on the target system, this will cause the Node.js static code to be moved onto 2 MiB pages instead of 4 KiB pages.

The following values are valid for mode:

  • off: No mapping will be attempted. This is the default.
  • on: If supported by the OS, mapping will be attempted. Failure to map will be ignored and a message will be printed to standard error.
  • silent: If supported by the OS, mapping will be attempted. Failure to map will be ignored and will not be reported.

--v8-options

Print V8 command-line options.

--v8-pool-size=num

Set V8's thread pool size which will be used to allocate background jobs.

If set to 0 then Node.js will choose an appropriate size of the thread pool based on an estimate of the amount of parallelism.

The amount of parallelism refers to the number of computations that can be carried out simultaneously in a given machine. In general, it's the same as the amount of CPUs, but it may diverge in environments such as VMs or containers.

-v, --version

Print node's version.

--watch

Stability: 2 - Stable

Starts Node.js in watch mode. When in watch mode, changes in the watched files cause the Node.js process to restart. By default, watch mode will watch the entry point and any required or imported module. Use --watch-path to specify what paths to watch.

This flag cannot be combined with --check, --eval, --interactive, or the REPL.

node --watch index.js

--watch-path

Stability: 2 - Stable

Starts Node.js in watch mode and specifies what paths to watch. When in watch mode, changes in the watched paths cause the Node.js process to restart. This will turn off watching of required or imported modules, even when used in combination with --watch.

This flag cannot be combined with --check, --eval, --interactive, --test, or the REPL.

node --watch-path=./src --watch-path=./tests index.js

This option is only supported on macOS and Windows. An ERR_FEATURE_UNAVAILABLE_ON_PLATFORM exception will be thrown when the option is used on a platform that does not support it.

--watch-preserve-output

Disable the clearing of the console when watch mode restarts the process.

node --watch --watch-preserve-output test.js

--zero-fill-buffers

Automatically zero-fills all newly allocated Buffer and SlowBuffer instances.

Environment variables

FORCE_COLOR=[1, 2, 3]

The FORCE_COLOR environment variable is used to enable ANSI colorized output. The value may be:

  • 1, true, or the empty string '' indicate 16-color support,
  • 2 to indicate 256-color support, or
  • 3 to indicate 16 million-color support.

When FORCE_COLOR is used and set to a supported value, both the NO_COLOR, and NODE_DISABLE_COLORS environment variables are ignored.

Any other value will result in colorized output being disabled.

NO_COLOR=<any>

NO_COLOR is an alias for NODE_DISABLE_COLORS. The value of the environment variable is arbitrary.

NODE_DEBUG=module[,…]

','-separated list of core modules that should print debug information.

NODE_DEBUG_NATIVE=module[,…]

','-separated list of core C++ modules that should print debug information.

NODE_DISABLE_COLORS=1

When set, colors will not be used in the REPL.

NODE_EXTRA_CA_CERTS=file

When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates in file. The file should consist of one or more trusted certificates in PEM format. A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.

Neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.

This environment variable is ignored when node runs as setuid root or has Linux file capabilities set.

The NODE_EXTRA_CA_CERTS environment variable is only read when the Node.js process is first launched. Changing the value at runtime using process.env.NODE_EXTRA_CA_CERTS has no effect on the current process.

NODE_ICU_DATA=file

Data path for ICU (Intl object) data. Will extend linked-in data when compiled with small-icu support.

NODE_NO_WARNINGS=1

When set to 1, process warnings are silenced.

NODE_OPTIONS=options...

A space-separated list of command-line options. options... are interpreted before command-line options, so command-line options will override or compound after anything in options.... Node.js will exit with an error if an option that is not allowed in the environment is used, such as -p or a script file.

If an option value contains a space, it can be escaped using double quotes:

NODE_OPTIONS='--require "./my path/file.js"'

A singleton flag passed as a command-line option will override the same flag passed into NODE_OPTIONS:

# The inspector will be available on port 5555
NODE_OPTIONS='--inspect=localhost:4444' node --inspect=localhost:5555

A flag that can be passed multiple times will be treated as if its NODE_OPTIONS instances were passed first, and then its command-line instances afterwards:

NODE_OPTIONS='--require "./a.js"' node --require "./b.js"
# is equivalent to:
node --require "./a.js" --require "./b.js"

Node.js options that are allowed are in the following list. If an option supports both --XX and --no-XX variants, they are both supported but only one is included in the list below.

  • --allow-addons
  • --allow-child-process
  • --allow-fs-read
  • --allow-fs-write
  • --allow-worker
  • --conditions, -C
  • --diagnostic-dir
  • --disable-proto
  • --disable-warning
  • --dns-result-order
  • --enable-fips
  • --enable-network-family-autoselection
  • --enable-source-maps
  • --experimental-abortcontroller
  • --experimental-default-type
  • --experimental-detect-module
  • --experimental-import-meta-resolve
  • --experimental-json-modules
  • --experimental-loader
  • --experimental-modules
  • --experimental-network-imports
  • --experimental-permission
  • --experimental-policy
  • --experimental-print-required-tla
  • --experimental-require-module
  • --experimental-shadow-realm
  • --experimental-specifier-resolution
  • --experimental-top-level-await
  • --experimental-vm-modules
  • --experimental-wasi-unstable-preview1
  • --experimental-wasm-modules
  • --force-context-aware
  • --force-fips
  • --force-node-api-uncaught-exceptions-policy
  • --frozen-intrinsics
  • --heapsnapshot-near-heap-limit
  • --heapsnapshot-signal
  • --http-parser
  • --icu-data-dir
  • --import
  • --input-type
  • --insecure-http-parser
  • --inspect-brk
  • --inspect-port, --debug-port
  • --inspect-publish-uid
  • --inspect
  • --max-http-header-size
  • --napi-modules
  • --no-addons
  • --no-deprecation
  • --no-experimental-fetch
  • --no-experimental-global-customevent
  • --no-experimental-global-navigator
  • --no-experimental-global-webcrypto
  • --no-experimental-repl-await
  • --no-experimental-websocket
  • --no-extra-info-on-fatal-exception
  • --no-force-async-hooks-checks
  • --no-global-search-paths
  • --no-network-family-autoselection
  • --no-warnings
  • --node-memory-debug
  • --openssl-config
  • --openssl-legacy-provider
  • --openssl-shared-config
  • --pending-deprecation
  • --policy-integrity
  • --preserve-symlinks-main
  • --preserve-symlinks
  • --prof-process
  • --redirect-warnings
  • --report-compact
  • --report-dir, --report-directory
  • --report-exclude-network
  • --report-filename
  • --report-on-fatalerror
  • --report-on-signal
  • --report-signal
  • --report-uncaught-exception
  • --require, -r
  • --secure-heap-min
  • --secure-heap
  • --snapshot-blob
  • --test-only
  • --test-reporter-destination
  • --test-reporter
  • --test-shard
  • --throw-deprecation
  • --title
  • --tls-cipher-list
  • --tls-keylog
  • --tls-max-v1.2
  • --tls-max-v1.3
  • --tls-min-v1.0
  • --tls-min-v1.1
  • --tls-min-v1.2
  • --tls-min-v1.3
  • --trace-atomics-wait
  • --trace-deprecation
  • --trace-event-categories
  • --trace-event-file-pattern
  • --trace-events-enabled
  • --trace-exit
  • --trace-sigint
  • --trace-sync-io
  • --trace-tls
  • --trace-uncaught
  • --trace-warnings
  • --track-heap-objects
  • --unhandled-rejections
  • --use-bundled-ca
  • --use-largepages
  • --use-openssl-ca
  • --v8-pool-size
  • --watch-path
  • --watch-preserve-output
  • --watch
  • --zero-fill-buffers

V8 options that are allowed are:

  • --abort-on-uncaught-exception
  • --disallow-code-generation-from-strings
  • --enable-etw-stack-walking
  • --huge-max-old-generation-size
  • --interpreted-frames-native-stack
  • --jitless
  • --max-old-space-size
  • --max-semi-space-size
  • --perf-basic-prof-only-functions
  • --perf-basic-prof
  • --perf-prof-unwinding-info
  • --perf-prof
  • --stack-trace-limit

--perf-basic-prof-only-functions, --perf-basic-prof, --perf-prof-unwinding-info, and --perf-prof are only available on Linux.

--enable-etw-stack-walking is only available on Windows.

NODE_PATH=path[:…]

':'-separated list of directories prefixed to the module search path.

On Windows, this is a ';'-separated list instead.

NODE_PENDING_DEPRECATION=1

When set to 1, emit pending deprecation warnings.

Pending deprecations are generally identical to a runtime deprecation with the notable exception that they are turned off by default and will not be emitted unless either the --pending-deprecation command-line flag, or the NODE_PENDING_DEPRECATION=1 environment variable, is set. Pending deprecations are used to provide a kind of selective "early warning" mechanism that developers may leverage to detect deprecated API usage.

NODE_PENDING_PIPE_INSTANCES=instances

Set the number of pending pipe instance handles when the pipe server is waiting for connections. This setting applies to Windows only.

NODE_PRESERVE_SYMLINKS=1

When set to 1, instructs the module loader to preserve symbolic links when resolving and caching modules.

NODE_REDIRECT_WARNINGS=file

When set, process warnings will be emitted to the given file instead of printing to stderr. The file will be created if it does not exist, and will be appended to if it does. If an error occurs while attempting to write the warning to the file, the warning will be written to stderr instead. This is equivalent to using the --redirect-warnings=file command-line flag.

NODE_REPL_EXTERNAL_MODULE=file

Path to a Node.js module which will be loaded in place of the built-in REPL. Overriding this value to an empty string ('') will use the built-in REPL.

NODE_REPL_HISTORY=file

Path to the file used to store the persistent REPL history. The default path is ~/.node_repl_history, which is overridden by this variable. Setting the value to an empty string ('' or ' ') disables persistent REPL history.

NODE_SKIP_PLATFORM_CHECK=value

If value equals '1', the check for a supported platform is skipped during Node.js startup. Node.js might not execute correctly. Any issues encountered on unsupported platforms will not be fixed.

NODE_TEST_CONTEXT=value

If value equals 'child', test reporter options will be overridden and test output will be sent to stdout in the TAP format. If any other value is provided, Node.js makes no guarantees about the reporter format used or its stability.

NODE_TLS_REJECT_UNAUTHORIZED=value

If value equals '0', certificate validation is disabled for TLS connections. This makes TLS, and HTTPS by extension, insecure. The use of this environment variable is strongly discouraged.

NODE_V8_COVERAGE=dir

When set, Node.js will begin outputting V8 JavaScript code coverage and Source Map data to the directory provided as an argument (coverage information is written as JSON to files with a coverage prefix).

NODE_V8_COVERAGE will automatically propagate to subprocesses, making it easier to instrument applications that call the child_process.spawn() family of functions. NODE_V8_COVERAGE can be set to an empty string, to prevent propagation.

Coverage output

Coverage is output as an array of ScriptCoverage objects on the top-level key result:

{
  "result": [
    {
      "scriptId": "67",
      "url": "internal/tty.js",
      "functions": []
    }
  ]
}

Source map cache

Stability: 1 - Experimental

If found, source map data is appended to the top-level key source-map-cache on the JSON coverage object.

source-map-cache is an object with keys representing the files source maps were extracted from, and values which include the raw source-map URL (in the key url), the parsed Source Map v3 information (in the key data), and the line lengths of the source file (in the key lineLengths).

{
  "result": [
    {
      "scriptId": "68",
      "url": "file:///absolute/path/to/source.js",
      "functions": []
    }
  ],
  "source-map-cache": {
    "file:///absolute/path/to/source.js": {
      "url": "./path-to-map.json",
      "data": {
        "version": 3,
        "sources": [
          "file:///absolute/path/to/original.js"
        ],
        "names": [
          "Foo",
          "console",
          "info"
        ],
        "mappings": "MAAMA,IACJC,YAAaC",
        "sourceRoot": "./"
      },
      "lineLengths": [
        13,
        62,
        38,
        27
      ]
    }
  }
}

OPENSSL_CONF=file

Load an OpenSSL configuration file on startup. Among other uses, this can be used to enable FIPS-compliant crypto if Node.js is built with ./configure --openssl-fips.

If the --openssl-config command-line option is used, the environment variable is ignored.

SSL_CERT_DIR=dir

If --use-openssl-ca is enabled, this overrides and sets OpenSSL's directory containing trusted certificates.

Be aware that unless the child environment is explicitly set, this environment variable will be inherited by any child processes, and if they use OpenSSL, it may cause them to trust the same CAs as node.

SSL_CERT_FILE=file

If --use-openssl-ca is enabled, this overrides and sets OpenSSL's file containing trusted certificates.

Be aware that unless the child environment is explicitly set, this environment variable will be inherited by any child processes, and if they use OpenSSL, it may cause them to trust the same CAs as node.

TZ

The TZ environment variable is used to specify the timezone configuration.

While Node.js does not support all of the various ways that TZ is handled in other environments, it does support basic timezone IDs (such as 'Etc/UTC', 'Europe/Paris', or 'America/New_York'). It may support a few other abbreviations or aliases, but these are strongly discouraged and not guaranteed.

$ TZ=Europe/Dublin node -pe "new Date().toString()"
Wed May 12 2021 20:30:48 GMT+0100 (Irish Standard Time)

UV_THREADPOOL_SIZE=size

Set the number of threads used in libuv's threadpool to size threads.

Asynchronous system APIs are used by Node.js whenever possible, but where they do not exist, libuv's threadpool is used to create asynchronous node APIs based on synchronous system APIs. Node.js APIs that use the threadpool are:

  • all fs APIs, other than the file watcher APIs and those that are explicitly synchronous
  • asynchronous crypto APIs such as crypto.pbkdf2(), crypto.scrypt(), crypto.randomBytes(), crypto.randomFill(), crypto.generateKeyPair()
  • dns.lookup()
  • all zlib APIs, other than those that are explicitly synchronous

Because libuv's threadpool has a fixed size, it means that if for whatever reason any of these APIs takes a long time, other (seemingly unrelated) APIs that run in libuv's threadpool will experience degraded performance. In order to mitigate this issue, one potential solution is to increase the size of libuv's threadpool by setting the 'UV_THREADPOOL_SIZE' environment variable to a value greater than 4 (its current default value). For more information, see the libuv threadpool documentation.

UV_USE_IO_URING=value

Enable or disable libuv's use of io_uring on supported platforms.

On supported platforms, io_uring can significantly improve the performance of various asynchronous I/O operations.

io_uring is disabled by default due to security concerns. When io_uring is enabled, applications must not change the user identity of the process at runtime. In this case, JavaScript functions such as process.setuid() are unavailable, and native addons must not invoke system functions such as setuid(2).

This environment variable is implemented by a dependency of Node.js and may be removed in future versions of Node.js. No stability guarantees are provided for the behavior of this environment variable.

Useful V8 options

V8 has its own set of CLI options. Any V8 CLI option that is provided to node will be passed on to V8 to handle. V8's options have no stability guarantee. The V8 team themselves don't consider them to be part of their formal API, and reserve the right to change them at any time. Likewise, they are not covered by the Node.js stability guarantees. Many of the V8 options are of interest only to V8 developers. Despite this, there is a small set of V8 options that are widely applicable to Node.js, and they are documented here:

--abort-on-uncaught-exception

--disallow-code-generation-from-strings

--enable-etw-stack-walking

--harmony-shadow-realm

--huge-max-old-generation-size

--jitless

--interpreted-frames-native-stack

--prof

--perf-basic-prof

--perf-basic-prof-only-functions

--perf-prof

--perf-prof-unwinding-info

--max-old-space-size=SIZE (in megabytes)

Sets the max memory size of V8's old memory section. As memory consumption approaches the limit, V8 will spend more time on garbage collection in an effort to free unused memory.

On a machine with 2 GiB of memory, consider setting this to 1536 (1.5 GiB) to leave some memory for other uses and avoid swapping.

node --max-old-space-size=1536 index.js

--max-semi-space-size=SIZE (in megabytes)

Sets the maximum semi-space size for V8's scavenge garbage collector in MiB (megabytes). Increasing the max size of a semi-space may improve throughput for Node.js at the cost of more memory consumption.

Since the young generation size of the V8 heap is three times (see YoungGenerationSizeFromSemiSpaceSize in V8) the size of the semi-space, an increase of 1 MiB to semi-space applies to each of the three individual semi-spaces and causes the heap size to increase by 3 MiB. The throughput improvement depends on your workload (see #42511).

The default value is 16 MiB for 64-bit systems and 8 MiB for 32-bit systems. To get the best configuration for your application, you should try different max-semi-space-size values when running benchmarks for your application.

For example, benchmark on a 64-bit systems:

for MiB in 16 32 64 128; do
    node --max-semi-space-size=$MiB index.js
done

--security-revert

--stack-trace-limit=limit

The maximum number of stack frames to collect in an error's stack trace. Setting it to 0 disables stack trace collection. The default value is 10.

node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12