registry  /  @dotenvx/dotenvx  /  2.5.0

@dotenvx/dotenvx@2.5.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No install-time or import-time attack behavior is established. Network activity is limited to update checks and explicit authenticated Armor/login commands; file and process operations are user-invoked CLI features.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `dotenvx` CLI commands, including `run`, Armor, and precommit installation.
Impact
Armor commands can transmit selected dotenv private keys to the configured Armor host by design; no covert harvesting, exfiltration, or persistence was found.
Mechanism
Environment-file management, optional encrypted-key synchronization, and user-command execution.
Rationale
Static inspection shows a dotenv CLI with explicit user-invoked process execution, optional keychain/Armor synchronization, and an opt-in Git precommit hook. Scanner signals are package-aligned and do not form a concrete malicious chain.
Evidence
package.jsonsrc/lib/main.jssrc/cli/dotenvx.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/executeExtension.jssrc/db/session.jssrc/lib/services/armorPush.jssrc/lib/helpers/installPrecommitHook.jssrc/cli/examples.js.env.env.keys.git/hooks/pre-commitnode_modules/.bin/dotenvx-*
Network endpoints2
dotenvx.sh/VERSIONarmor.dotenvx.com

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall lifecycle hook.
    • `src/lib/main.js` is a dotenv parser/decryptor; no import-time network or command execution was found.
    • `src/cli/dotenvx.js` exposes explicit CLI commands; `run` intentionally spawns the user-supplied command.
    • `src/lib/helpers/executeDynamic.js` only invokes local `node_modules/.bin/dotenvx-*` commands after an explicit unknown CLI command.
    • `src/lib/services/armorPush.js` reads private keys only for explicit Armor upload actions.
    • `src/cli/examples.js` contains an illustrative redacted OpenSSH key, not a credential.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 143 file(s), 234 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

    Source & flagged code

    3 flagged · loading source
    src/cli/examples.jsView file
    86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    src/cli/examples.jsView on unpkg · L86
    86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
    Critical
    Secret Pattern

    OpenSSH private key in src/cli/examples.js

    src/cli/examples.jsView on unpkg · L86
    src/shared/logger.jsView file
    1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/shared/logger.jsView on unpkg · L1

    Findings

    2 Critical2 Medium4 Low
    CriticalCritical Secretsrc/cli/examples.js
    CriticalSecret Patternsrc/cli/examples.js
    MediumDynamic Requiresrc/shared/logger.js
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings