Comment by internet_points 5 days ago
But if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?
Yes, but I guess that is still much better than it being able to read all your .env files on your machine.