@envlock/cli

v0.4.0

CLI health checks for .env files – spot missing vars, risks, and AI leaks. Powered by EnvLock.io

EnvLock CLI

A comprehensive CLI tool for .env file health checks. Scan your environment variables for missing values, security risks, syntax issues, Git history problems, logging detection, naming consistency, and more.

Installation

npm install -g @envlock/cli

Requirements

  • Node.js >= 18.0.0
  • Dependencies: chalk (~5), commander (~14), dotenv (~17), glob (~13), ora (~9), simple-git (~3)

Usage

# Scan current directory
envlock health

# Scan specific directory
envlock health /path/to/project

# Auto-fix missing variables with placeholders in all .env files
envlock health --fix

# Auto-create .env files if missing
envlock health --fix --yes

# Enable experimental auto-discovery of env vars from node_modules
envlock health --discover-deps

# Compare two env files
envlock compare .env .env.production

# Control output
envlock health --no-show-unused --no-show-stats

# Show detailed dependency tree
envlock health --details

# Strict mode (warnings as errors)
envlock health --strict

# Custom file patterns
envlock health --include-files "shared/**/*.js" --exclude-files "node_modules/**"

Example Output

[SCAN] EnvLock Health Check - my-project
- Phase 1: Loading environment files and scanning code...
✔ Loaded 5 variables from .env files, 3 from examples; found 6 variables referenced in code
- Phase 2: Analyzing dependencies and checking variables...
✔ Analyzed dependencies (2 required by 1 packages); found 2 missing, 1 unused variables; identified 1 security risks
- Phase 3: Detecting issues and reviewing history...
✔ Detected 0 logged variables, 1 syntax issues; found 0 Git history flags
- Phase 4: Validating metadata and consistency...
✔ Validated metadata (found 0 expired variables); checked naming (0 inconsistencies) and frameworks (0 warnings)
- Phase 5: Finalizing analysis...
✔ Analysis complete

- Missing Variables
API_KEY
DATABASE_URL (Required by: prisma@^5.0.0)

! Security Risks
AWS_SECRET_KEY - potential secret based on naming pattern

- Syntax Issues
.env:5 - Unquoted value with spaces

- Unused Variables
DEBUG

Actions needed: 4 fixes

✓ Health check completed!

For repos with many issues, each section shows up to 10 items followed by an "... and X more" indicator so the output does not become overwhelming. The output uses a small set of meaningful symbols so it can be scanned quickly.

Features

  • Missing Variables: Detects env vars used in code but not defined in .env/.env.example files
  • Unused Variables: Finds env vars defined in .env but not referenced in code or examples
  • Security Risks: Flags potential secrets based on naming patterns and actual secret values in examples
  • Logging Detection: Identifies when sensitive env vars are logged in code
  • Naming Consistency: Warns about inconsistent naming conventions (snake_case vs camelCase)
  • Expiration Metadata: Parses @expire comments and warns about expired variables
  • Framework Warnings: Enforces prefix conventions for Vite, React, Vue, etc.
  • Dependency Tracking: Detects env vars required by 3rd-party packages (87+ packages, Node.js/Python)
  • Auto-Discovery: Experimental mode to scan node_modules for undocumented env vars
  • File Comparison: Compare two .env files with detailed diffs
  • Syntax Validation: Checks for .env file syntax errors (invalid lines, unquoted spaces)
  • Git History: Scans commits for AI-generated changes and flags commits that modified .env files
  • Action Summary: Shows total number of fixes needed
  • Auto-Fix: Adds placeholder values to all .env files (.env, .env.local, .env.example, .env.example.local)
  • Output Controls: Hide unused vars or stats, strict mode for CI/CD
  • Monorepo Support: Custom include/exclude patterns for shared configs
  • Ignores: Automatically skips common directories with customizable patterns
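
A minimal sketch of the core checks listed above (missing, unused, naming-based risk, logging detection and syntax validation), added here as an illustration and not EnvLock's own code. The secret-name pattern, the `process.env` regex and the sample inputs are assumptions, and the unused check is simplified to code references only.

```javascript
// Added illustration, not EnvLock's implementation; patterns and inputs are assumptions.
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)/i;

// Parse .env text: collect defined names and report syntax issues (1-based lines).
function parseEnv(text, file = '.env') {
  const defined = new Map();
  const issues = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/.exec(line);
    if (!m) { issues.push(`${file}:${i + 1} - Invalid line`); return; }
    const value = m[2].trim();
    const quoted = /^(["']).*\1$/.test(value);
    // Strip a trailing inline comment before looking for bare whitespace.
    if (!quoted && /\s/.test(value.replace(/\s+#.*$/, ''))) {
      issues.push(`${file}:${i + 1} - Unquoted value with spaces`);
    }
    defined.set(m[1], value);
  });
  return { defined, issues };
}

// Collect process.env.NAME and process.env['NAME'] references from source text.
function findReferences(source) {
  const re = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])/g;
  return new Set([...source.matchAll(re)].map((m) => m[1] || m[2]));
}

function healthCheck(envText, source) {
  const { defined, issues } = parseEnv(envText);
  const refs = findReferences(source);
  // Sensitive names that appear inside a console.* call's argument list.
  const logged = [...source.matchAll(/console\.\w+\(([^)]*)\)/g)]
    .flatMap((m) => [...findReferences(m[1])])
    .filter((n) => SECRET_NAME.test(n));
  return {
    missing: [...refs].filter((n) => !defined.has(n)).sort(),
    unused: [...defined.keys()].filter((n) => !refs.has(n)).sort(),
    risks: [...defined.keys()].filter((n) => SECRET_NAME.test(n)).sort(),
    logged: [...new Set(logged)].sort(),
    syntax: issues,
  };
}
// Constructed sample input (not taken from any real project).
const SAMPLE_ENV = ['# app settings', 'PORT=3000', 'DEBUG=true',
  'AWS_SECRET_KEY="abc"', 'APP_NAME=My Cool App', 'not a valid line'].join('\n');
const SAMPLE_CODE = `const port = process.env.PORT, key = process.env['API_KEY'];
const db = process.env.DATABASE_URL; console.log("aws", process.env.AWS_SECRET_KEY);`;
console.log(healthCheck(SAMPLE_ENV, SAMPLE_CODE));
```

Name-based matching only flags candidates: a variable can hold a secret without a telling name, so findings like these are a starting point for review rather than a complete inventory.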

Dependency Tracking

EnvLock automatically detects environment variables required by your 3rd-party packages:

  • Node.js: Parses package.json dependencies (ignores devDependencies)
  • Python: Parses requirements.txt or Pipfile
  • Monorepos: Supports workspaces in package.json
  • Built-in Map: 87+ popular packages mapped to required env vars (e.g., DATABASE_URL for Prisma)
  • Auto-Discovery: Experimental --discover-deps flag scans node_modules READMEs for undocumented env vars
  • Output Integration: Missing/unused vars show "Required by: package@version"
  • Priority: Missing dep-required vars are highlighted prominently in output
  • Details View: Use --details to see full dependency tree table

License

MIT