registry  /  @dotenvx/dotenvx  /  2.6.0

@dotenvx/dotenvx@2.6.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No unconsented install-time or import-time attack surface is established. The package intentionally manages dotenv keys, OS secret stores, and optional Armor synchronization through explicit CLI commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `dotenvx armor`, `dotenvx native`, `dotenvx ext`, or `dotenvx precommit --install`.
Impact
Explicit Armor operations can upload the selected dotenv private key; no covert harvesting, exfiltration, or persistence was found.
Mechanism
User-invoked dotenv encryption, key storage, command forwarding, and Armor API requests.
Rationale
Direct inspection shows expected secret-management functionality activated by explicit user commands, not malicious automatic behavior. Static hints reflect dotenv and key-management features rather than a concrete attack chain.
Evidence
package.jsonsrc/cli/dotenvx.jssrc/lib/api/postArmorPush.jssrc/lib/services/armorUp.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/installPrecommitHook.js.env.keys.git/hooks/pre-commitnode_modules/.bin
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/lib/api/postArmorPush.js` can transmit a private key to the configured Armor host.
  • `src/lib/helpers/executeDynamic.js` launches `dotenvx-*` commands from the invoking project's `node_modules/.bin`.
  • `src/lib/helpers/installPrecommitHook.js` can create or append `.git/hooks/pre-commit`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hooks.
  • Network key transfer is only reached through explicit Armor CLI actions such as `dotenvx armor up` or push.
  • Armor requests use the configured/default `https://armor.dotenvx.com` endpoint and bearer token.
  • Dynamic commands and extensions are explicit CLI invocations, not import- or install-time execution.
  • The pre-commit hook is installed only with the explicit `--install` command option.
  • `src/cli/examples.js` secret-like strings are instructional placeholders, not embedded credentials.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 144 file(s), 236 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

3 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson') L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/shared/logger.jsView on unpkg · L1

Findings

2 Critical2 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumDynamic Requiresrc/shared/logger.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings