npm-vulnerable-env-check
v1.1.1
Published
Checks how open your npm install execution environment is
Downloads
3
Readme
npm-vulnerable-env-check
🤠 Warning: this package logs the names of your environment variables locally. Only use if you're ok with that.
Introduction
The modularity of the npm ecosystem is great, but it means that often when you install a harmless looking package, that package could itself depend on a harmful package that is out of your control. This is made worse by the fact that scripts like preinstall
are executed automatically.
At best you end up with a large bitmap image of Guy Fieri in your node_modules
directory. At worst your execution environment may be compromised, with env variable values exposed and arbitrary scripts executed.
Checking your environment
Just install the package via npm...
npm install npm-vulnerable-env-check
Found 15 secure env vars containing 'key' or 'token':
S3_KEY_PREFIX
BROWSERSTACK_KEY
GOOGLE_API_KEY
AWS_ACCESS_KEY
AWS_SECRET_ACCESS_TOKEN
...
Found 187 other env vars:
npm_config_save_dev
npm_config_legacy_bundling
npm_config_dry_run
npm_package_dependencies_request
And then check the log output in your CLI.
Developing locally
git clone https://github.com/bengummer/npm-vulnerable-env-check.git
cd npm-vulnerable-env-check
yarn