
dotenv-exposure-check v0.1.0 (152 downloads)

Probe a live URL for accidentally-served secret artifacts — .env, .env.production, .git/config, source maps (.js.map), .DS_Store, backup files — and CONFIRM each hit by fetching the bytes and flagging the real credentials and endpoints found inside. Zero

dotenv-exposure-check

Probe any live URL for the secret artifacts that get served by accident — .env, .env.production, the .git/ directory, production source maps (.js.map), .DS_Store, and backup/database dumps — and prove each hit by fetching the bytes and showing the real credentials, remote URLs, and source paths inside. Other scanners read your repo; this checks what your server is actually handing to strangers.

Run it in one line, no install, no token:

npx dotenv-exposure-check --url https://your-app.example.com

🤝 Want it done for you? Fixed-scope audit — $99 / 24h: I verify each exposure live, help you rotate the leaked credentials, and send a written remediation report.


$ npx dotenv-exposure-check --url https://app.example.com
2 critical, 1 high, 1 medium — 4 CONFIRMED by fetching the bytes
  CRITICAL  /.env            5 vars readable — secret keys: DATABASE_URL, STRIPE_SECRET_KEY, JWT_SECRET
  CRITICAL  /.git/config     repo cloneable — remote https://<credentials-redacted>@github.com/acme/app.git
  HIGH      /main.js.map     12 source files mapped (original source embedded)
  MEDIUM    /.DS_Store       directory listing leaked

Why this exists

Serving a secret file is the single highest-yield mistake on the web, and it happens constantly: researchers catalogued 12M+ exposed .env files in the wild, and Palo Alto Unit 42 documented an extortion campaign that scanned 230M targets and harvested 90,000+ secret variables from misconfigured .env endpoints. Source maps are just as bad — even Claude Code shipped a production .js.map leak in 2026 — and a web-readable .git/ folder lets anyone clone your entire source, remote token included.

The hard part is confirmation. Most single-page apps return 200 OK with index.html for every path, so "got a 200 on /.env" means nothing. dotenv-exposure-check fetches each candidate and inspects the actual bytes: an .env hit must contain real KEY=VALUE assignments, a source map must be valid sourcemap JSON, a .DS_Store must carry the Bud1 magic, a backup must have a real archive/dump signature. You triage facts, not 200s.

What it checks

| Check | Severity | How it's confirmed |
|---|---|---|
| .env / .env.production / .env.local … served | critical | body parsed for KEY=VALUE lines; secret-looking keys (DB/API/JWT/Stripe/AWS) flagged |
| Exposed .git/ directory (repo cloneable) | critical | /.git/config + /.git/HEAD validated as git stanzas; embedded remote credentials detected and redacted |
| Production source map (.js.map) exposed | high | parsed as sourcemap JSON (version + mappings); counts mapped sources, flags embedded original source |
| Backup / database dump downloadable | high | archive (zip/gzip) or SQL-dump signature in the bytes |
| .DS_Store directory listing | medium | Bud1 binary magic at offset 4 |

SPA catch-all (200 + index.html for everything) is explicitly rejected, so the tool does not false-positive on modern frontends.
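The byte-level confirmation rules from the table and the SPA rejection above, written out as an added example that is not dotenv-exposure-check's own code. Function names, the secret-key pattern and the sample bodies are my own constructions; the magic bytes (Bud1 at offset 4, zip/gzip headers, mysqldump/pg_dump banners) are the standard signatures the README refers to.

```javascript
// Added example, not dotenv-exposure-check's own code: the README's byte-level
// confirmation rules applied to constructed sample bodies, with no HTTP involved.
const SECRET_KEY = /SECRET|PASSWORD|TOKEN|API_KEY|DATABASE_URL|JWT|STRIPE|AWS/i;

// Constructed sample bodies (not captured from any real host).
const SAMPLE_ENV = "DATABASE_URL=postgres://app:pw@db/app\nexport STRIPE_SECRET_KEY=sk_test_placeholder\nAPP_NAME=demo\n";
const SAMPLE_SPA = "<!doctype html><html><head><title>app</title></head><body></body></html>";
const SAMPLE_MAP = JSON.stringify({ version: 3, sources: ["src/a.ts", "src/b.ts"],
  mappings: "AAAA", sourcesContent: ["let a = 1;", "let b = 2;"] });
const SAMPLE_DS = Buffer.from([0, 0, 0, 1, 0x42, 0x75, 0x64, 0x31, 0, 0]); // "Bud1" at offset 4
const SAMPLE_ZIP = Buffer.from([0x50, 0x4b, 0x03, 0x04, 0, 0]);           // "PK\x03\x04"

// SPA catch-all: a 200 whose body is HTML is index.html, not an artifact hit.
function looksLikeHtml(text) {
  return /^\s*(<!doctype html|<html|<head|<body)/i.test(text);
}
// .env: only real KEY=VALUE lines count; returns the secret-looking keys, or null.
function confirmEnv(text) {
  if (looksLikeHtml(text)) return null;
  const keys = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=/.exec(line);
    if (m) keys.push(m[1]);
  }
  return keys.length ? { vars: keys.length, secrets: keys.filter((k) => SECRET_KEY.test(k)) } : null;
}
// Source map: must parse as JSON with a numeric version and a mappings string.
function confirmSourceMap(text) {
  let map;
  try { map = JSON.parse(text); } catch { return null; }
  if (!map || typeof map.version !== "number" || typeof map.mappings !== "string") return null;
  const embedded = Array.isArray(map.sourcesContent) && map.sourcesContent.length > 0;
  return { sources: (map.sources || []).length, originalSource: embedded };
}
// .DS_Store: the "Bud1" magic sits at byte offset 4, after a 4-byte alignment header.
function confirmDsStore(bytes) {
  return bytes.length >= 8 && bytes.subarray(4, 8).toString("latin1") === "Bud1";
}
// Backup / dump: zip or gzip magic, or a mysqldump / pg_dump banner in the first bytes.
function confirmBackup(bytes) {
  if (bytes.length >= 4 && bytes.readUInt32BE(0) === 0x504b0304) return "zip";
  if (bytes.length >= 2 && bytes[0] === 0x1f && bytes[1] === 0x8b) return "gzip";
  const head = bytes.subarray(0, 256).toString("latin1");
  return /^-- (MySQL dump|PostgreSQL database dump)/m.test(head) ? "sql" : null;
}
// Strip userinfo from a git remote URL before it reaches a report or log line.
function redactRemote(url) {
  return url.replace(/^(\w+:\/\/)[^@\/]+@/, "$1<credentials-redacted>@");
}
```

Each function returns null or false for the SPA body, which is the property that keeps a catch-all frontend from producing a finding.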

Usage

# Probe a live site (tries the common filenames for each artifact)
npx dotenv-exposure-check --url https://app.example.com

# Restrict to specific candidate paths
npx dotenv-exposure-check --url https://app.example.com --paths .env,.env.production

# Write a shareable HTML report
npx dotenv-exposure-check --url https://app.example.com --html report.html

# Dry run: list what would be checked, send no requests
npx dotenv-exposure-check --url https://app.example.com --no-probe

Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr. Exit is non-zero only on usage errors — gate your pipeline on the JSON summary.

Install (optional)

npm i -g dotenv-exposure-check
dotenv-exposure-check --url https://app.example.com

Zero dependencies. Read-only and keyless — every request goes straight from the tool to the target you name; nothing is stored, modified, or sent anywhere else. Only scan systems you own or are authorized to test.

Sister tools

Same active-probe philosophy across the stack, all MIT:

supabase-security · pocketbase-security · firebase-security · appwrite-security · nhost-security · strapi-security · directus-security · aws-s3-security · stripe-webhook-security · github-actions-security · web-exposure-mcp

License

MIT © Renzo Madueno