cryptoenv - npm Package Compare versions

Comparing version 0.1.2 to 0.1.3

package.json

 {
   "name": "cryptoenv",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Manage encrypted env variables",
@@ -5,0 +5,0 @@ "homepage": "https://github.com/secrez/cryptoenv#readme",

README.md

@@ -7,3 +7,3 @@ # CryptoEnv
 
-Many tools uses env variable to manage critical processes. Take for example [Hardhat](https://github.com/NomicFoundation/hardhat). To deploy a smart contract to Ethereum, most likely you have to put your private key in an `.env` file. That file is git-ignored, of course. Still, mistakes are behind the corner and the approach is very risky. We created [Hardhood](github.com/secrez/hardhood), a wrapper around Hardhat, to solve this specific issue, but that solution has some problem, and it is maybe too specific. CryptoEnv uses part of the code written for Hardhood, to manage a more generic process.
+Many tools use env variable to manage critical processes. Take for example [Hardhat](https://github.com/NomicFoundation/hardhat). To deploy a smart contract to Ethereum, most likely you have to put your private key in an `.env` file. That file is git-ignored, of course. Still, mistakes are behind the corner and the approach is very risky. For this reason, I created [Hardhood](github.com/secrez/hardhood), a wrapper around Hardhat, to solve this specific issue, but that solution has some problem, and it is maybe too specific. CryptoEnv uses part of the code written for Hardhood, to manage a more generic process.
 
@@ -17,3 +17,3 @@ ## Usage
 ```
-npm i -g envcrypto
+npm i -g cryptoenv
 ```
@@ -34,3 +34,3 @@
 
-In the case above, in you `.env` file you will have something like
+In the case above, in your `.env` file you will have something like
 
@@ -49,3 +49,4 @@ ```
 
-Let's do the case of Hardhat. You have a conf file called `hardhat.config.js`. At the beginning of that file you can read the env variable with, for example Dotenv, and after requiring CryptoEnv, like here:
+Let's do the case of Hardhat.  
+You have a conf file called `hardhat.config.js`. At the beginning of that file you can read the env variables with, for example Dotenv, and after requiring CryptoEnv, like here:
 
@@ -73,3 +74,3 @@ ```javascript
 
-To avoid that Hardhat gives you an error when you skip the decryption, you can set up a variable OWNER_KEY in the `.env` file, with a testing key. When you will use CryptoEnv, the variable will be overwritten.
+To avoid that Hardhat gives you an error when you skip the decryption, you can set up a variable OWNER_KEY in the `.env` file, with a testing key. When you use CryptoEnv, the variable will be overwritten.
 
@@ -86,4 +87,11 @@ Notice that after saving the first encrypted key, for all the others you must use the same password.
 
-and take only the variables that start with "hardhat". In a more general way, you can also pass a function that returns a boolean. For example, if you want to skip the decryption when testing the contracts with Hardhat, you could require it as:
+and take only the variables that start with "hardhat".  
+You can also pass a function that returns a boolean, like:
+```javascript
+const words = ["home", "office", "street"];
+require("cryptoenv").parse(e => words.includes(e));
+```
 
+For example, if you want to skip the decryption when testing the contracts with Hardhat, you could require it as:
+
 ```javascript
@@ -94,2 +102,3 @@ require("cryptoenv").parse(() => {
 ```
+(notice that Hardhat does not set the NODE_ENV variable during tests)
 
@@ -96,0 +105,0 @@ ## About security

src/CryptoEnv.js

@@ -131,2 +131,5 @@ const path = require("path");
   ) {
+    if (process.env.__decryptionAlreadyDone__) {
+      return;
+    }
     this.keys = {};
@@ -142,4 +145,6 @@ for (let key in process.env) {
           !filter ||
-          ((typeof filter === "function" && filter(key)) ||
-            (Object.prototype.toString.call(filter) && filter.test && filter.test(key)))
+          (typeof filter === "function" && filter(key)) ||
+          (Object.prototype.toString.call(filter) &&
+            filter.test &&
+            filter.test(key))
         ) {
@@ -152,6 +157,8 @@ this.keys[key] = value;
       console.info(chalk.grey(`CryptoEnv > no encrypted keys found`));
+      process.env.__decryptionAlreadyDone__ = "TRUE";
+      return;
     }
     if (!password) {
       const prompt = require("prompt-sync")({});
-      console.log(
+      console.info(
         chalk.green(
@@ -163,3 +170,5 @@ "CryptoEnv > Type your password to decrypt the env, or press enter to skip it"
       if (!password) {
-        return console.log(chalk.grey("CryptoEnv > decryption skipped"));
+        console.info(chalk.grey("CryptoEnv > decryption skipped"));
+        process.env.__decryptionAlreadyDone__ = "TRUE";
+        return;
       }
@@ -180,3 +189,3 @@ }
       } catch (e) {
-        console.log(chalk.red("Wrong password"));
+        console.info(chalk.red("Wrong password"));
         process.exit(1);
@@ -192,2 +201,3 @@ }
     }
+    process.env.__decryptionAlreadyDone__ = "TRUE";
   }
@@ -194,0 +204,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

26415

increased by1.78%

Lines of code

383

increased by2.68%

Number of lines in readme file

135

increased by7.14%

Worsened metrics

Number of low supply chain risk alerts

23

increased by21.05%

No dependency changes