registry  /  @dotenvx/dotenvx  /  2.4.0

@dotenvx/dotenvx@2.4.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No unconsented install-time or import-time attack surface was confirmed. The package provides explicit dotenv key management, optional Armor synchronization, local extension dispatch, and opt-in Git-hook setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs dotenvx CLI Armor, extension, or precommit install commands.
Impact
Armor push can transmit a selected dotenv private key to the configured package service; hook and extension execution require explicit user commands.
Mechanism
User-invoked environment-key synchronization and local CLI execution.
Rationale
The suspicious primitives are aligned with documented, explicitly invoked dotenv key-management features. Source inspection found no lifecycle execution, stealth persistence, remote payload loading, or unconsented credential exfiltration.
Evidence
package.jsonsrc/db/session.jssrc/lib/services/armorPush.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/executeExtension.jssrc/lib/helpers/installPrecommitHook.js.env.keys.git/hooks/pre-commit
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/lib/services/armorPush.js` reads `.env.keys` private keys and sends them via an Armor API request.
  • `src/lib/helpers/executeDynamic.js` can spawn locally installed `dotenvx-*` command binaries.
  • `src/lib/helpers/installPrecommitHook.js` can modify `.git/hooks/pre-commit`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Armor upload is reached only through explicit CLI Armor commands and uses the configured Armor host/token.
  • Dynamic command execution targets user-invoked local `node_modules/.bin` extensions, not fetched code.
  • Git-hook modification is behind the explicit `--install` option.
  • `src/cli/examples.js` contains only an example `process.env` reference, not a credential value.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 141 file(s), 226 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

4 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/shared/logger.jsView on unpkg · L1
src/db/session.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotenvx/dotenvx@2.3.2 matchedIdentity = npm:QGRvdGVudngvZG90ZW52eA:2.3.2 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/db/session.jsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
HighPrevious Version Dangerous Deltasrc/db/session.js
MediumDynamic Requiresrc/shared/logger.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings