
embed-react-app-envs
Script for embedding environment variables in CRA apps without having to rebuild the app on the server.
Safely bundle the server's environment variables into React apps
Create React App provides no official way to inject environment variables from the server into the page.
When you run yarn build, Create React App bundles all the variables prefixed by REACT_APP_
and exposes them under process.env (see here).
The problem, however, is that you likely don't want to build your app on the server.
The CRA team also suggests introducing placeholders in public/index.html
and doing the substitution on the server before serving the app. This solution involves a lot of hard-to-maintain scripting.
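The placeholder substitution described above, sketched as an added example (it is not this package's code or API). The placeholder marker, the window.__ENV__ global and all function names are assumptions made for illustration; the sample HTML and environment are constructed.

```javascript
// Added example: every name here (PLACEHOLDER, window.__ENV__, the functions) is hypothetical.
const PREFIX = "REACT_APP_";
const PLACEHOLDER = "<!-- __RUNTIME_ENV__ -->"; // assumed marker placed in public/index.html

// Allow-list by prefix: server-only values (database credentials, API secrets)
// must never be copied into a page that is served to browsers.
function collectPublicEnv(env) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(PREFIX) && typeof value === "string") out[name] = value;
  }
  return out;
}

// JSON.stringify alone is not safe inside <script>: a value containing
// "</script>" would close the element early. Escape <, >, & and the JS line separators.
function toInlineScriptJson(obj) {
  const escapes = { "<": "\\u003c", ">": "\\u003e", "&": "\\u0026", "\u2028": "\\u2028", "\u2029": "\\u2029" };
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) => escapes[c]);
}

// Replace the placeholder in the built index.html with an inline script.
function injectEnv(html, env) {
  if (!html.includes(PLACEHOLDER)) throw new Error("placeholder not found in index.html");
  const script = `<script>window.__ENV__ = ${toInlineScriptJson(collectPublicEnv(env))};</script>`;
  // Function replacement so "$&" or "$1" inside a value is not read as a replacement pattern.
  return html.replace(PLACEHOLDER, () => script);
}

// Constructed sample input.
const sampleHtml = `<html><head>${PLACEHOLDER}</head><body><div id="root"></div></body></html>`;
const sampleEnv = {
  REACT_APP_API_URL: "https://api.example.test",
  REACT_APP_BANNER: "maintenance </script> window",
  DATABASE_PASSWORD: "not-for-the-browser",
};
const served = injectEnv(sampleHtml, sampleEnv);
console.log(served);
```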
This module abstracts away the burden of managing environment variable injection and provides a type-safe way to retrieve the variables in your code (using TypeScript).
FAQs
The npm package embed-react-app-envs receives a total of 15 weekly downloads. As such, embed-react-app-envs popularity was classified as not popular.
We found that embed-react-app-envs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.