@yixi/env-doctor

v1.0.1

Diagnose .env file drift and detect committed secrets. A free standalone version of one skill from Claude Operator.

env-doctor

Diagnose .env drift and detect committed secrets. Free standalone tool.

A small Node.js CLI that checks your project's environment configuration for the common ways it breaks in production:

  • .env files tracked in git
  • .env files not in .gitignore
  • Env vars used in code but not documented in .env.example
  • Env vars documented in .env.example but not actually read by code
  • Likely-committed secrets (AWS keys, Stripe keys, GitHub tokens, OpenAI/Anthropic keys, PEM private keys, JWTs)
  • Whitespace / quoting smells in .env values that some parsers don't tolerate

Runs in ~1 second on a typical repo. No telemetry. No signups. No dependencies.

Install

# global
npm install -g @yixi/env-doctor

# or just run without install
npx @yixi/env-doctor

Use

# Audit the current directory
env-doctor

# Audit a specific path
env-doctor ~/code/my-app

# Machine-readable output for CI
env-doctor --json

# Exit code only, no output (for CI gates)
env-doctor --quiet

Exit codes

| Code | Meaning |
|---|---|
| 0 | No issues, or only LOW findings |
| 1 | MEDIUM findings present |
| 2 | CRITICAL or HIGH findings present |

Use in CI as a soft gate:

# .github/workflows/ci.yml
- name: Check env config
  run: npx -y @yixi/env-doctor --quiet
  continue-on-error: true  # warn but don't block

Or as a hard gate by removing continue-on-error.

What it checks (severities)

| Severity | Check |
|---|---|
| CRITICAL | .env file tracked in git |
| CRITICAL | Pattern matching a known secret format (AWS, Stripe, GitHub, OpenAI, Anthropic, Slack, PEM, JWT) in a tracked file |
| HIGH | .env exists but isn't .gitignored |
| HIGH | Env var read in code but not documented in any .env.example / .env.sample / .env.template |
| MEDIUM | No .env.example exists at all |
| MEDIUM | Env var documented in .env.example but never read by code (likely dead) |
| LOW | Surrounding whitespace in a .env value |
| LOW | Literal quote characters likely included in a .env value |

What it doesn't check

  • Whether your env vars have the right values — only their presence and shape
  • Cross-env-file consistency in detail (e.g., .env.test vs .env.development) — only against the canonical example file
  • Vars set by deployment-time secret stores (AWS Secrets Manager, Vault, Doppler) that don't appear in any local file
  • Vars read via dynamic property access (process.env[someVar]) — pure string access is required to match
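The last limitation is easiest to see in code. The sketch below is an added example, not env-doctor's source: it compares statically visible `process.env` reads against an example file and counts the dynamic reads it cannot resolve. The regexes, function names and sample input are assumptions made for illustration.

```javascript
// Added example, not env-doctor's source. The regexes are assumptions about
// what counts as "pure string access" to process.env.
const STATIC_READ =
  /process\.env\.([A-Za-z_]\w*)|process\.env\[\s*(['"])([A-Za-z_]\w*)\2\s*\]/g;
const DYNAMIC_READ = /process\.env\[(?!\s*['"])[^\]]+\]/g;

// Collect documented names from KEY=value lines; skip comments and blanks.
function parseExampleKeys(text) {
  const keys = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_]\w*)\s*=/.exec(line);
    if (m) keys.add(m[1]);
  }
  return keys;
}

// Names a static scan can see, plus a count of reads whose name it cannot know.
function scanSource(code) {
  const used = new Set();
  for (const m of code.matchAll(STATIC_READ)) used.add(m[1] || m[3]);
  return { used, dynamic: (code.match(DYNAMIC_READ) || []).length };
}

function diffEnv(code, exampleText) {
  const documented = parseExampleKeys(exampleText);
  const { used, dynamic } = scanSource(code);
  return {
    undocumented: [...used].filter((k) => !documented.has(k)).sort(), // HIGH
    unused: [...documented].filter((k) => !used.has(k)).sort(), // MEDIUM
    dynamicReads: dynamic, // blind spot: the variable name is only known at runtime
  };
}

// Constructed sample input.
const sampleCode = `
const db = process.env.DATABASE_URL;
const key = process.env['STRIPE_KEY'];
const name = 'FEATURE_' + flag;
const toggle = process.env[name];
`;
const sampleExample = `# example file
DATABASE_URL=
LEGACY_TOKEN=
`;
console.log(diffEnv(sampleCode, sampleExample));
```

The `FEATURE_*` variable read through `process.env[name]` appears in neither list, so a clean drift report does not prove that every variable the code reads is documented.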

Privacy

This tool runs entirely locally. It never makes a network request. It never reads files outside the directory you point it at. It never sends your env values anywhere — values are only used internally for whitespace/quote diagnostics and are never printed to stdout (only variable names and filenames appear in reports).

Origin

This is a free standalone version of one skill from Claude Operator — a production-grade CLAUDE.md and skill pack for senior engineering teams using Claude Code.

The full pack includes 17 more skills like this one, 3 subagents (verifier, context-keeper, safety-officer), 3 slash commands (/ship, /review, /cost), and a hooks/permissions config — all focused on stopping common agent failure modes before they ship.

Pricing: $27 / $69 / $174 for solo / team / lifetime. Lifetime updates within version line.

Paid CLAUDE.md skill pack with deeper LLM-aware tooling — coming soon.

License

MIT.

Contributing

This is a small, focused tool. PRs for the following are welcome:

  • Additional secret patterns (high precision only — please include a unit test showing it doesn't false-positive on normal code)
  • Support for .envrc (direnv) format
  • Additional language env-read patterns (PHP, Elixir, etc.)
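To illustrate the "high precision" requirement for secret patterns, here is an added example (not env-doctor's rule set) with a negative test over ordinary code. The patterns use publicly documented token prefixes and lengths; the rule ids, function name and sample lines are assumptions constructed for the example.

```javascript
// Added example, not env-doctor's rule set. Patterns are anchored on publicly
// documented prefixes and lengths so ordinary identifiers do not match.
const PATTERNS = [
  { id: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: 'github-token', re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
  { id: 'stripe-live-secret', re: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
  { id: 'pem-private-key', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
];

// Scan one file's text. A finding carries file, line number and rule id only,
// never the matched value, so a report cannot leak the secret it found.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of PATTERNS) {
      if (re.test(line)) {
        findings.push({ file, line: i + 1, rule: id, severity: 'CRITICAL' });
      }
    }
  });
  return findings;
}

// Constructed positive sample: AWS's documentation example key id, a
// fabricated 36-character GitHub-style token, and a PEM header line.
const leaky = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'GITHUB_TOKEN=ghp_' + 'a1B2'.repeat(9),
  '-----BEGIN RSA PRIVATE KEY-----',
].join('\n');

// Constructed negative sample: normal code that mentions prefixes, a public
// key header and an uppercase hex digest. None of these may be flagged.
const normal = [
  "const AKIA_PREFIX = 'AKIA';",
  'const skLive = "sk_live_";',
  'const id = "ghp_short";',
  '-----BEGIN PUBLIC KEY-----',
  'const hash = "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B";',
].join('\n');

console.log(scanText('.env', leaky));
console.log(scanText('src/app.js', normal));
```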

PRs for the following will probably be closed:

  • Auto-fix mode (intentional design: report, don't modify)
  • A web UI (out of scope)
  • Sending findings to an external service (privacy is a feature)

Project status

v0.1.0 — initial release. Tested on Node 18, 20, 22, 24.

Sister tools

Part of a small family of zero-dependency static-analysis CLIs: