npm-vulnerable-env-check
Advanced tools
🤠 Warning: this package logs the names of your environment variables locally. Only use if you're ok with that.
The modularity of the npm ecosystem is great, but it means that often when you install a harmless looking package, that package could itself depend on a harmful package that is out of your control. This is made worse by the fact that scripts like preinstall are executed automatically.
At best you end up with a large bitmap image of Guy Fieri in your node_modules directory. At worst your execution environment may be compromised, with env variable values exposed and arbitrary scripts executed.
Just install the package via npm...
npm install npm-vulnerable-env-check
Found 15 secure env vars containing 'key' or 'token':
S3_KEY_PREFIX
BROWSERSTACK_KEY
GOOGLE_API_KEY
AWS_ACCESS_KEY
AWS_SECRET_ACCESS_TOKEN
...
Found 187 other env vars:
npm_config_save_dev
npm_config_legacy_bundling
npm_config_dry_run
npm_package_dependencies_request
And then check the log output in your CLI.
git clone https://github.com/bengummer/npm-vulnerable-env-check.git
cd npm-vulnerable-env-check
yarn
FAQs
Checks how open your npm install execution environment is
The npm package npm-vulnerable-env-check receives a total of 0 weekly downloads. As such, npm-vulnerable-env-check popularity was classified as not popular.
We found that npm-vulnerable-env-check demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.