env-audit-log

v1.0.0

Silent CCTV camera for process.env access

Readme

🔐 env-audit-log

A "CCTV Camera" for your application's environment variables.

env-audit-log is a lightweight, live runtime scanner that silently monitors every read access to process.env. It identifies exactly which library, plugin, or file is requesting your sensitive keys (like AWS_SECRET_KEY or DB_PASSWORD) and reports it upon process exit.

🚀 Why use this?

  • Detect Malicious Packages: Spot 3rd-party dependencies trying to steal your secrets.
  • Debug Configuration: See exactly where and when your app reads config.
  • Zero Data Leakage: We NEVER log the value of the key. We only log the Key Name and the Caller File Path.

📦 Installation

npm install env-audit-log

🛠 Usage

You must initialize the logger at the very top of your application's entry file (e.g., index.ts, server.js, app.js).

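// 1. Import at the very top
import { init } from 'env-audit-log';

// 2. Initialize immediately
init();

// ... your other imports and application code
// Note: in native ES modules, static imports are hoisted, so express is loaded
// before init() runs and any process.env reads it makes at load time happen
// before init() is called. Output compiled to CommonJS keeps the order shown here.
import express from 'express';
// ...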

How to Test

You can run the included demo to see it in action:

  1. Clone this repo.
  2. Run npm install
  3. Run npm test

Or, simply add the init() call to your own app and stop it (Ctrl+C). You will see the report printed to the console.

📊 Sample Output

When your process exits (via exit, SIGINT, or SIGTERM), a report table is printed:

===============================================================
🔐  ENV AUDIT LOG - Process Exit Report
===============================================================
┌─────────┬──────────────────┬─────────────────────────────────────┬───────────┐
│ (index) │     Variable     │             Accessed By             │ Frequency │
├─────────┼──────────────────┼─────────────────────────────────────┼───────────┤
│    0    │ 'AWS_SECRET_KEY' │ '/Users/dev/app/src/evil-plugin.ts' │     1     │
│    1    │    'DB_HOST'     │   '/Users/dev/app/src/db/conn.ts'   │     4     │
│    2    │ 'STRIPE_API_KEY' │ '/Users/dev/app/src/billing.ts:40'  │     2     │
└─────────┴──────────────────┴─────────────────────────────────────┴───────────┘

🔒 Security Guarantee

  • Live Runtime Scanning: This is not a static analysis tool. It uses a JavaScript Proxy to intercept actual reads in real time as your code executes.
  • Privacy First: The internal logic strictly logs the access event, but passes the value through without storing or printing it.
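
A minimal sketch of the Proxy technique described above, as an added example that is not env-audit-log's own source. The names auditEnv, frameToFile and install are assumptions of this sketch, and it goes beyond the README by also trapping ownKeys so that whole-environment enumeration shows up as a '*' row.

```javascript
// Added example, not env-audit-log's source. auditEnv, frameToFile, install and
// the '*' enumeration marker are hypothetical names chosen for this sketch.

// Reduce one V8 stack frame ("at fn (/app/db.js:12:7)") to "/app/db.js:12".
function frameToFile(frame) {
  const loc = frame.trim().replace(/^at /, '');
  const inner = /\((.*)\)$/.exec(loc); // "fn (path:line:col)" form
  const m = /^(.*):(\d+):\d+$/.exec(inner ? inner[1] : loc);
  return m ? `${m[1]}:${m[2]}` : 'unknown';
}

function auditEnv(env) {
  const hits = new Map(); // "KEY\0caller" -> count; values are never stored
  const record = (key) => {
    // Stack lines: [0] "Error", [1] record, [2] proxy trap, [3+] the reader.
    // Builtin frames such as "Object.keys (<anonymous>)" have no file; skip them.
    const frames = (new Error().stack || '').split('\n').slice(3);
    const caller = frames.map(frameToFile).find((f) => f !== 'unknown') || 'unknown';
    const id = `${key}\0${caller}`;
    hits.set(id, (hits.get(id) || 0) + 1);
  };
  const proxy = new Proxy(env, {
    get(target, key) {
      if (typeof key === 'string') record(key);
      return Reflect.get(target, key); // the value passes through unrecorded
    },
    ownKeys(target) {
      record('*'); // Object.keys(env) or {...env}: the whole environment was listed
      return Reflect.ownKeys(target);
    },
  });
  const report = () => [...hits].map(([id, frequency]) => {
    const [variable, accessedBy] = id.split('\0');
    return { variable, accessedBy, frequency };
  });
  return { env: proxy, report };
}

// Call once, before any other module loads, to audit the real environment.
function install() {
  const audit = auditEnv(process.env);
  process.env = audit.env;
  process.on('exit', () => console.table(audit.report()));
  return audit;
}
```

A Proxy only sees reads that go through the wrapped object: code that kept a reference to the original process.env before install() ran, or a native add-on calling getenv() directly, is not recorded.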

📄 License

ISC