Leaked Env in Logs

process.env.* leaked inside console.log() calls

warningSecurityleaked-env-in-logs

Why this matters

Logging env vars sends secrets to your log aggregator, CI output, and browser console. Anyone with log access sees your API keys and database URLs.

✗ Bad

console.log("Config:", {
  dbUrl: process.env.DATABASE_URL,
  apiKey: process.env.STRIPE_SECRET_KEY,
});

✓ Good

console.log("Config:", {
  dbUrl: process.env.DATABASE_URL ? "[set]" : "[missing]",
  apiKey: process.env.STRIPE_SECRET_KEY ? "[set]" : "[missing]",
});

How to fix

Never log the value of env vars. Log whether they're set or missing instead. Remove debug console.log calls before shipping.

All rules