npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

llm-envshield

v0.1.4

Published

Encrypt .env files with keys stored outside the project, and run commands with automatic secret redaction — so LLM agents and logs never see your keys.

Readme

llm-envshield

Like dotenvx, but built for the age of AI coding agents: your .env stays encrypted in the project, the key lives outside the project, and command output is automatically redacted so secrets never reach the terminal — or the LLM reading it.

Install

npm install -g llm-envshield   # requires Node >= 22.13; installs the `envshield` command

Quick start

cd my-project
envshield encrypt                  # encrypts values in .env, in place
envshield run -- npm start         # runs with decrypted env, output redacted

Your .env now looks like this — safe to leave in the repo an agent works on:

OPENAI_API_KEY=enc:gcm:Mylncwi/ckLh8qwCvDkcUxdFuiL4EDdT...
DB_PASSWORD="enc:gcm:BLvFH180xMOoA7srcUOn23AGV13qxbNq..."
PORT=8080

And if your app (or an agent) prints a secret, the output is masked — first 90% hidden:

$ envshield run -- node -e "console.log(process.env.OPENAI_API_KEY)"
**************************CD

Commands

| Command | What it does | |---|---| | envshield encrypt [-f <file>] | Encrypt all values (≥ 5 chars) in place | | envshield run [-f <file>] -- <cmd> | Run a command with decrypted env; secrets redacted in stdout/stderr | | envshield decrypt [-f <file>] [--stdout] | Restore plaintext (for humans; --stdout doesn't touch the file) | | envshield keys list | Show which projects have keys (never the keys themselves) | | envshield keys path | Show the keystore location |

Running commands

envshield run spawns your command as a child process with the decrypted env injected, so it works with .cmd/.bat shims on Windows (npm, npx, nodemon, …) too:

envshield run -- nodemon server.js
envshield run -- docker compose up

It cannot, however, work like the shell builtin source — a separate process can't push env vars back into your shell, so envshield source .env && docker compose up is impossible by design (and would defeat output redaction). To chain commands, quote the whole line and let the shell run it under the injected env:

envshield run -- "npm run migrate && docker compose up"

Without quotes, your shell splits on && before envshield sees it, so only the first command gets the secrets.

How it works

  • Each (project directory, env file) pair gets its own AES-256-GCM key, stored in ~/.envshield/keystore.dbnever inside the project (no .env.keys file to steal).
  • envshield run decrypts in memory only, injects the env into your command, and streams its output through a redactor that masks every protected value, even across chunk boundaries.
  • Values shorter than 5 characters (ports, flags like DEBUG=1) are left as-is: not encrypted, not redacted.
  • Comments, ordering, quoting, and line endings in your .env are preserved; encrypt → decrypt restores the file byte-for-byte.

Threat model, honestly

envshield protects against an agent reading project files or reading command output. An agent running unrestricted with your full OS account could still read ~/.envshield/. So deny it: e.g. in Claude Code, add ~/.envshield to the deny list in your permission settings, and never let agents run envshield decrypt.

License

Apache-2.0