Back

deno #31351

feat: `--secret-env <env-var-name>`

by dsherret · Feb 06, 2026 at 19:37 UTC · scan-6ca85397ec4e143e

View on Github · Download JSON
High Risk (65%)

Get this automatically on every PR

Install the Axiomo GitHub App to get Signals as check runs and PR comments on every pull request.

Install App

Risk Assessment

Risk level: High (65%)

Risk Drivers

  • multiple_concerns: Spans 6 directories
  • missing_tests: Added 405 lines of code but only 0 lines of tests
  • large_addition_no_tests: Large block of added code (358+ consecutive lines) with no test changes
  • api_surface_change: API surface changed in 2 file(s)

Intent

2/3 criteria met

Introduce a feature to handle secret environment variables in fetch requests.

Non-Goals

  • - Handle secrets in all network requests
  • - Provide robust security for all use cases
  • - Encrypt or obfuscate all environment variable values

Acceptance Criteria

  • Allow specifying secret environment variables through CLI

    cli/args/flags.rs adds secret_env option

  • Fetch headers replace placeholders with secret values

    ext/fetch/secrets_replacer.rs implements secrets replacement logic

  • ?
    Secret values do not appear in user-accessible environment

    Main.ts script not shown in diff

Confidence: 90.0% Source: diff analysis AI: openai

Contributors

dsherret PR Author 7 commits + Trusted
Account Age: 5057 days
Prior PRs: 1805
Merged: 1737

Trusted contributor with 1737 merged PRs. maintains 166 public repositories. has 2061 followers. unfamiliar with ext/fetch/secrets_replacer.rs.

Evidence

Evidence Completeness: 30.0%
lint_passing Unavailable
ci_passing Unavailable
build_successful Unavailable
Missing: tests_passing, security_scan_clean, coverage_maintained

Supply Chain

Low Risk
Modifies dependencies
Modifies lockfile
Modifies CI config
Modifies build scripts

Focus Files

Focus on 1 critical file(s)

ext/fetch/secrets_replacer.rs +358

358 lines changed; New file; Source code

critical
cli/args/flags.rs +18

Source code

medium
ext/fetch/lib.rs +11

Source code

medium
cli/args/mod.rs +4

Source code

medium
cli/factory.rs +5

Source code

medium
cli/lib/worker.rs +5

Source code

medium
cli/rt/run.rs +3

Source code

medium
runtime/worker.rs +3

Source code

medium
Cargo.toml +2

Configuration

low
ext/fetch/Cargo.toml +2

Configuration

low

Triage

70

minutes to review

high

effort level

none

staleness risk

Allocate focused review time

Recommendation

COMMENT 47.0% readiness

Some concerns to address before approval

Next Steps

Question

Why is tests_passing missing? Consider adding this check.

Question

Why is security_scan_clean missing? Consider adding this check.

Concern ext/fetch/secrets_replacer.rs

Critical file: 358 lines changed; New file; Source code