registry  /  @dotenvx/dotenvx  /  2.3.2

@dotenvx/dotenvx@2.3.2

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a dotenv management CLI/library with user-invoked env loading, encryption/decryption, Armor sync, extension execution, and optional precommit hook setup.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/calls the library or runs dotenvx CLI commands.
Impact
May read/write .env, .env.keys, local dotenvx config/device stores, and .git/hooks/pre-commit when requested; no unconsented install-time or stealth behavior found.
Mechanism
dotenv parsing/encryption plus optional Armor API and local command/hook workflows
Rationale
Static inspection shows suspicious primitives are package-aligned and user-invoked: dotenv/env secret handling, optional Armor network sync, explicit command execution, and opt-in git hook installation. With no lifecycle hooks or concrete unconsented exfiltration/persistence chain, this should be marked clean.
Evidence
package.jsonsrc/cli/dotenvx.jssrc/lib/main.jssrc/db/session.jssrc/db/device.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/executeExtension.jssrc/lib/helpers/installPrecommitHook.jssrc/lib/api/postArmorPush.jssrc/cli/examples.js.env.env.keys.git/hooks/pre-commitdotenvx config .env.device-key
Network endpoints4
armor.dotenvx.comdotenvx.sh/VERSIONdotenvx.comgithub.com/dotenvx/dotenvx

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/lib/main.js reads process.env, parses .env data, decrypts DOTENV_PRIVATE_KEY-protected values, and can write .env/.env.keys via set().
  • src/lib/api/postArmorPush.js and postArmorUp.js can POST private keys to an Armor host when Armor workflows are enabled.
  • src/lib/helpers/executeDynamic.js and executeExtension.js spawn dotenvx-* extension binaries from PATH for user-supplied CLI subcommands.
  • src/lib/helpers/installPrecommitHook.js can write .git/hooks/pre-commit, but only via explicit dotenvx precommit --install.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; no install-time execution found.
  • src/cli/dotenvx.js exposes user-invoked commander actions; sensitive flows require CLI/API invocation and options/session state.
  • Default network hosts are package-aligned: https://armor.dotenvx.com and https://dotenvx.sh/VERSION for Armor/update features.
  • src/cli/examples.js secret-looking text is documentation example content, not an active credential.
  • No credential harvesting, stealth persistence, destructive behavior, dependency confusion, or AI-agent control-surface mutation found.
  • Child process use supports dotenvx run, git checks, keychain/native commands, and explicit extension commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 139 file(s), 225 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

3 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/shared/logger.jsView on unpkg · L1

Findings

2 Critical3 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumDynamic Requiresrc/shared/logger.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings