registry  /  @dotenvx/dotenvx  /  2.3.0

@dotenvx/dotenvx@2.3.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface by static inspection. Risky primitives are dotenv CLI features: env loading, explicit command execution, explicit Armor API sync, and explicit git hook setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes CLI/API commands such as dotenvx run, armor push/login, ext command, or ext precommit --install
Impact
Expected package behavior; no unconsented install-time execution, stealth persistence, or credential exfiltration confirmed
Mechanism
User-invoked dotenv/env encryption and command orchestration
Rationale
The suspicious scanner hits map to expected dotenvx functionality: user-invoked command spawning, explicit Armor network operations, examples, and dotenv/env file handling. With no lifecycle hooks, hidden import-time payload, broad agent-control mutation, or covert exfiltration path, this should be marked clean.
Evidence
package.jsonsrc/lib/main.jssrc/cli/dotenvx.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/executeExtension.jssrc/lib/helpers/http.jssrc/lib/api/postArmorPush.jssrc/db/session.jssrc/lib/helpers/installPrecommitHook.jssrc/cli/examples.js.env.env.keys.git/hooks/pre-commit.gitignore.dockerignore.npmignore.vercelignore
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/lib/helpers/executeDynamic.js spawns user-selected dotenvx-* binaries only after CLI dynamic command invocation
  • src/lib/helpers/executeExtension.js spawns user-selected dotenvx-ext-* binaries only for explicit ext commands
  • src/lib/api/postArmorPush.js can send private keys to configured Armor host during explicit armor push/up flows
  • src/db/session.js stores Armor token/config and fetches https://dotenvx.sh/VERSION for update notification when a store exists
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • src/lib/main.js import path only parses .env files and writes to process.env; file writes are in explicit set/encrypt/decrypt APIs
  • Network calls are package-aligned Armor/OAuth/update endpoints, not hidden telemetry or arbitrary exfiltration
  • src/cli/examples.js secret-looking value is documentation example text, not active credential use
  • No AI-agent control-surface writes or prompt/reviewer manipulation found
  • Git hook mutation is explicit dotenvx ext precommit --install, not install-time persistence
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 139 file(s), 225 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

4 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/shared/logger.jsView on unpkg · L1
src/lib/helpers/executeDynamic.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotenvx/dotenvx@2.1.3 matchedIdentity = npm:QGRvdGVudngvZG90ZW52eA:2.1.3 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/lib/helpers/executeDynamic.jsView on unpkg

Findings

2 Critical1 High3 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
HighPrevious Version Dangerous Deltasrc/lib/helpers/executeDynamic.js
MediumDynamic Requiresrc/shared/logger.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings