Comment by internet_points

2 months ago

but if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?

1 comment

internet_points

Yes, but I guess that is still much better than that it can read all your .env files on your machine