
Stop using env.json and start using .env

Open: paced opened this issue 3 years ago • 1 comment

Please explain the problem/why you would want to see a change and any workarounds you might have in place.

dotenv has >10M weekly pulls as of writing and I find it sketchy using require to read in a JSON file. Admittedly, I need to read more about how Electron will package the information it needs, but it seems very insecure.

paced, May 26 '21 07:05

I've learned that it is at least moderately secure. I ran a Wireshark session and tried to listen to what the app was saying. Package contents seem fine, and I couldn't easily decompile the app to retrieve secrets. I'm going to close this as wontfix but first I need to:

  • [ ] Remove .env and .env.example.
  • [ ] Rename .env.json to .secrets.json or something similar?

paced, Aug 19 '21 01:08