registry  /  @dotenvx/dotenvx  /  2.0.0

@dotenvx/dotenvx@2.0.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Sensitive operations are dotenvx-aligned and require explicit CLI/API use rather than install-time execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User-invoked CLI/API commands such as dotenvx run, set, login, armor, or precommit --install.
Impact
Loads or writes project env files and may contact Dotenvx Armor when the user opts into armor/login flows; no stealth exfiltration or lifecycle persistence found.
Mechanism
dotenv parsing/encryption, optional Armor API calls, and user-requested command execution
Rationale
Static inspection found a legitimate dotenv CLI/library with no lifecycle hooks, no import-time network execution, and no AI-agent control-surface mutation. Network, child_process, env access, and hook-writing primitives are package-aligned and user-invoked.
Evidence
package.jsonsrc/lib/main.jssrc/cli/dotenvx.jssrc/cli/actions/run.jssrc/lib/api/postArmorUp.jssrc/lib/helpers/installPrecommitHook.js.env.env.keys.git/hooks/pre-commitdotenvx config .env.device-key
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle hooks; main is src/lib/main.js and bin is src/cli/dotenvx.js.
    • src/lib/main.js loads/parses .env files and writes .env/.env.keys only through explicit set/config APIs.
    • src/cli/actions/run.js executes a user-supplied command after env injection, not install/import-time code.
    • src/lib/api/*.js sends package-aligned armor/login requests to configured Dotenvx Armor endpoints.
    • src/lib/helpers/installPrecommitHook.js writes .git/hooks/pre-commit only when user runs precommit --install.
    • src/cli/examples.js and src/lib/helpers/kits/sample.js contain placeholder/example secrets, not live credentials.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 122 file(s), 192 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

    Source & flagged code

    3 flagged · loading source
    src/cli/examples.jsView file
    86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    src/cli/examples.jsView on unpkg · L86
    86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
    Critical
    Secret Pattern

    OpenSSH private key in src/cli/examples.js

    src/cli/examples.jsView on unpkg · L86
    src/shared/logger.jsView file
    1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/shared/logger.jsView on unpkg · L1

    Findings

    2 Critical3 Medium4 Low
    CriticalCritical Secretsrc/cli/examples.js
    CriticalSecret Patternsrc/cli/examples.js
    MediumDynamic Requiresrc/shared/logger.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings