npm-vulnerable-env-check

1.1.1 • Public • Published


🤠 Warning: this package logs the names of your environment variables locally. Only use if you're ok with that.

Introduction

The modularity of the npm ecosystem is great, but it means that a harmless-looking package you install can itself depend on a harmful package that is out of your control. This is made worse by the fact that lifecycle scripts such as preinstall, install and postinstall run automatically during npm install, with the full environment of the user running the command.

At best you end up with a large bitmap image of Guy Fieri in your node_modules directory. At worst your execution environment is compromised: an install script can read the value of every environment variable it can see (CI tokens, cloud credentials) and execute arbitrary code as the installing user.

Checking your environment

Just install the package via npm. Its install-time script runs automatically and prints the names (never the values) of the environment variables it can see, starting with those whose name contains 'key' or 'token':

npm install npm-vulnerable-env-check
Found 15 secure env vars containing 'key' or 'token':
S3_KEY_PREFIX
BROWSERSTACK_KEY
GOOGLE_API_KEY
AWS_ACCESS_KEY
AWS_SECRET_ACCESS_TOKEN
...

Found 187 other env vars:
npm_config_save_dev
npm_config_legacy_bundling
npm_config_dry_run
npm_package_dependencies_request

Then check the log output in your CLI. The match is on the variable name only, so a name like S3_KEY_PREFIX is flagged even though it holds nothing secret; the point is that every one of these variables, including the real credentials, was readable by a script that ran simply because you typed npm install.
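As an added example (not the package's own source), the following script re-creates the check described above: it classifies environment variable names by whether they contain 'key' or 'token', logs names only, and adds a small check for whether a project's .npmrc opts out of lifecycle scripts with ignore-scripts=true. The sample environment and sample .npmrc are constructed for the example; wiring the script into package.json as "preinstall": "node check-env.js" would make it run during npm install, which is the behaviour this README relies on.

```javascript
// check-env.js: added example that re-creates the check this README describes.
// It is not the package's own source. Run it directly (`node check-env.js`) or
// wire it into package.json as  "scripts": { "preinstall": "node check-env.js" }
// so it executes during `npm install`, which is what an install-time script sees.

// Heuristic implied by the README output: a name is "sensitive" if it contains
// 'key' or 'token' (case-insensitive). It is a substring match on the NAME only,
// so S3_KEY_PREFIX is flagged alongside real credentials.
const SENSITIVE_NAME = /key|token/i;

function classifyEnv(env) {
  const names = Object.keys(env).sort();
  return {
    sensitive: names.filter((n) => SENSITIVE_NAME.test(n)),
    other: names.filter((n) => !SENSITIVE_NAME.test(n)),
  };
}

// Print the report in the same shape as the README. Only names are logged;
// env[n] is deliberately never read, which is the whole point of the warning.
function report(env, log = console.log) {
  const { sensitive, other } = classifyEnv(env);
  log(`Found ${sensitive.length} secure env vars containing 'key' or 'token':`);
  for (const n of sensitive) log(n);
  log("");
  log(`Found ${other.length} other env vars:`);
  for (const n of other) log(n);
  return { sensitive, other };
}

// Defensive check: does an .npmrc opt out of lifecycle scripts? npm reads
// `ignore-scripts=true` from .npmrc (ini-style key=value lines; '#' and ';'
// start comments). If the key appears more than once, the last line wins here.
function ignoreScriptsEnabled(npmrcText) {
  let enabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().toLowerCase();
    if (key === "ignore-scripts") enabled = value === "true";
  }
  return enabled;
}

// Constructed sample environment, standing in for process.env so the example
// runs offline. Values are placeholders, not real credentials.
const SAMPLE_ENV = {
  S3_KEY_PREFIX: "uploads/", // false positive: 'KEY' in the name, nothing secret in it
  BROWSERSTACK_KEY: "placeholder",
  AWS_ACCESS_KEY: "placeholder",
  AWS_SECRET_ACCESS_TOKEN: "placeholder",
  npm_config_dry_run: "",
  npm_package_dependencies_request: "^2.88.0",
  HOME: "/home/user",
};

// Constructed .npmrc contents: a commented-out line must not count, the live one does.
const SAMPLE_NPMRC =
  "registry=https://registry.npmjs.org/\n# ignore-scripts=true\nignore-scripts=true\n";

if (typeof require !== "undefined" && require.main === module) {
  report(process.env);
  console.log(`\nignore-scripts in sample .npmrc: ${ignoreScriptsEnabled(SAMPLE_NPMRC)}`);
}
```

To stop install-time scripts from running at all, install with npm install --ignore-scripts or set ignore-scripts=true in .npmrc (which is what ignoreScriptsEnabled looks for). That also disables scripts that legitimate packages need, such as native builds, so pair it with a review of which of your dependencies declare install hooks rather than switching it on blindly.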

Developing locally

git clone https://github.com/bengummer/npm-vulnerable-env-check.git
cd npm-vulnerable-env-check
yarn

Weekly Downloads

11

Version

1.1.1

License

ISC

Collaborators

  • bengummer