New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/artifact-env-leak

A real secret shipped in a browser bundle under a public env prefix (`NEXT_PUBLIC_`, `VITE_`, `REACT_APP_`, `EXPO_PUBLIC_`) is world-readable and must be treated as compromised.

  • Category: Security
  • Severity: error
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: browser artifacts only (generated bundles, .map, public/, dist/assets, .next/static, out/, storybook-static); documentation (.md/.mdx, README/CHANGELOG/etc.) and server build output skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires only in a browser-shipped artifact (generated/minified bundle, .map, or a file under public//dist/assets//.next/static//out//storybook-static/; documentation .md/.mdx is excluded). Two shapes: (1) a public-prefixed env name that names a secret — NEXT_PUBLIC_/VITE_/REACT_APP_/EXPO_PUBLIC_ followed by a token containing SECRET/TOKEN/PASSWORD/PRIVATE/DATABASE_URL/SERVICE_ROLE/AWS_ACCESS_KEY/AWS_SECRET (a server secret mistakenly given a client-published prefix); or (2) a full-env-dump shape — process.env/import.meta.env/window.__ENV__ co-occurring with a known server-secret name like DATABASE_URL/AWS_SECRET_ACCESS_KEY/SESSION_SECRET/COOKIE_SECRET/PRIVATE_KEY/SERVICE_ROLE. FALSE POSITIVE to suppress: already exempted — public-prefixed names that are genuinely client-safe (SENTRY_DSN, *PUBLISHABLE*, *ANON_KEY*, POSTHOG_TOKEN, CLERK_PUBLISHABLE_KEY, ALGOLIA_SEARCH_KEY, and NEXT_PUBLIC_ENABLE_*/DISABLE_*/ALLOW_*/REQUIRE_* feature flags) are skipped; a remaining FP is a secret-looking NAME that holds no real secret value (a documented placeholder).

Fix prompt

Use this once validation confirms the diagnostic is real.

A NEXT_PUBLIC_/VITE_/REACT_APP_/EXPO_PUBLIC_ prefix publishes the value to the browser, so never put a real secret behind one. Rename the variable to an unprefixed, server-only env var, read it only in server code (route handlers, server components, API routes), and rebuild so it leaves the client bundle. Rotate any key that already shipped. For full-env dumps, stop serializing process.env/import.meta.env into client config and allowlist only the public keys you mean to expose.