@dotenvx/dotenvx
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:eval-usage | AI (semgrep): eval('require') is a documented webpack-compat pattern for dynamic plugin resolution; stable across versions. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves optional dotenvx-pro plugin from project root; documented extension pattern, stable across versions. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same ops.js telemetry spawn as silent-process-exec; documented feature, not malicious. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into child process env is the core functionality of a dotenv CLI tool that injects env vars into subprocesses. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is required for a CLI tool that spawns subprocesses with injected environment variables — core functionality. | ai | |
| typosquat | typosquat.levenshtein:dotenv | AI (typosquat): @dotenvx/dotenvx is the official scoped package from the original dotenv creator (@motdotla); it is not a typosquat of dotenv. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in decryptKeyValue.js is part of ECIES-based .env encryption/decryption — core cryptographic feature of dotenvx. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in decryptKeyValue.js is part of ECIES-based .env encryption/decryption — core cryptographic feature of dotenvx. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv is explicitly listed as a direct dependency in package.json; this is a false positive from the phantom-deps analyzer. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn in ops.js is the documented telemetry/ops feature; not malicious. | ai | |
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn in ops.js is dotenvx's documented telemetry/ops feature, disabled via DOTENVX_NO_OPS=true. Not a reverse shell or miner. | ai | |
Versions (showing 51 of 65)
| Version | Deps | Published |
|---|---|---|
| 1.65.3 | 10 / 8 | |
| 1.65.2 | 10 / 8 | |
| 1.65.1 | 10 / 8 | |
| 1.65.0 | 10 / 8 | |
| 1.64.0 | 10 / 8 | |
| 1.63.0 | 10 / 8 | |
| 1.62.0 | 10 / 8 | |
| 1.61.6 | 10 / 8 | |
| 1.61.5 | 10 / 8 | |
| 1.61.4 | 10 / 8 | |
| 1.61.3 | 10 / 8 | |
| 1.61.2 | 10 / 8 | |
| 1.61.1 | 10 / 8 | |
| 1.61.0 | 10 / 8 | |
| 1.60.2 | 10 / 8 | |
| 1.60.1 | 10 / 8 | |
| 1.60.0 | 10 / 8 | |
| 1.59.1 | 9 / 8 | |
| 1.59.0 | 9 / 8 | |
| 1.58.0 | 9 / 8 | |
| 1.57.5 | 9 / 8 | |
| 1.57.4 | 9 / 8 | |
| 1.57.3 | 9 / 8 | |
| 1.57.2 | 9 / 8 | |
| 1.57.1 | 9 / 8 | |
| 1.57.0 | 9 / 8 | |
| 1.56.0 | 9 / 8 | |
| 1.55.1 | 9 / 8 | |
| 1.55.0 | 9 / 8 | |
| 1.54.1 | 9 / 8 | |
| 1.53.0 | 9 / 8 | |
| 1.52.0 | 9 / 8 | |
| 1.51.4 | 9 / 8 | |
| 1.51.3 | 9 / 8 | |
| 1.51.2 | 9 / 8 | |
| 1.51.1 | 9 / 8 | |
| 1.51.0 | 9 / 8 | |
| 1.50.1 | 9 / 8 | |
| 1.50.0 | 9 / 8 | |
| 1.49.1 | 9 / 8 | |
| 1.49.0 | 9 / 8 | |
| 1.48.4 | 9 / 8 | |
| 1.48.3 | 9 / 8 | |
| 1.48.2 | 9 / 8 | |
| 1.48.1 | 9 / 8 | |
| 1.48.0 | 9 / 8 | |
| 1.47.7 | 9 / 8 | |
| 1.47.6 | 9 / 8 | |
| 1.47.5 | 9 / 8 | |
| 1.47.4 | 9 / 8 | |
| 1.47.3 | 9 / 8 | |
v1.65.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.65.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.65.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.65.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.64.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.63.0
9 findings:

Package name '@dotenvx/dotenvx' is 1 edit(s) away from popular package 'dotenv'.

Silent detached process — runs invisibly in the background (reverse shells, miners). Reported twice for the same spawn, by the rules silent-process-exec and silent-process-exec-var (both accepted in the table above). Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/extensions/ops.js#L83

```js
  81 | const encoded = Buffer.from(JSON.stringify(payload)).toString('base64')
  82 | try {
> 83 |   const subprocess = childProcess.spawn(binary, ['observe', encoded], {
  84 |     stdio: 'ignore',
  85 |     detached: true
```

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/helpers/executeCommand.js#L135

```js
  133 | child = execute.execa(commandArgs[0], commandArgs.slice(1), {
  134 |   stdio: 'inherit',
> 135 |   env: { ...process.env, ...env }
  136 | })
  137 |
```

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/helpers/executeDynamic.js#L48

```js
  46 | const binPath = path.join(process.cwd(), 'node_modules', '.bin')
  47 | const newPath = `${binPath}:${process.env.PATH}`
> 48 | const env = { ...process.env, PATH: newPath }
  49 |
  50 | const result = childProcess.spawnSync(`dotenvx-${command}`, forwardedArgs, { stdio: 'inherit', env })
```

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/helpers/executeExtension.js#L21

```js
  19 | const binPath = path.join(process.cwd(), 'node_modules', '.bin')
  20 | const newPath = `${binPath}:${process.env.PATH}`
> 21 | const env = { ...process.env, PATH: newPath }
  22 |
  23 | const result = childProcess.spawnSync(`dotenvx-ext-${command}`, forwardedArgs, { stdio: 'inherit', env })
```

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/services/get.js#L16

```js
  14 |
  15 | runSync () {
> 16 |   const processEnv = { ...process.env }
  17 |   const envs = determine(this.envs, processEnv)
  18 |   const { processedEnvs } = new Run(envs, this.overload, processEnv, this.envKeysFilepath, this.noOps).runSync()
```

Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/dotenvx/dotenvx/blob/bce1f53d6331c0e34aabd8ba9adbfb147aaa336f/src/lib/services/get.js#L23

```js
  21 |
  22 | async run () {
> 23 |   const processEnv = { ...process.env }
  24 |   const envs = determine(this.envs, processEnv)
  25 |   const { processedEnvs } = await new Run(envs, this.overload, processEnv, this.envKeysFilepath, this.noOps).run()
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.62.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.61.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.56.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.55.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.55.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.54.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.53.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.52.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.51.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.51.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.51.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.51.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.51.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.50.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.50.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.49.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.49.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.48.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.48.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.48.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.48.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.48.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.47.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.47.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.47.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.47.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.47.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.