from Hacker News

Ask HN: Why is Cursor IDE accessing all my env vars?

by iyn on 2/21/25, 8:07 PM with 25 comments

• by jimsmart on 2/21/25, 9:38 PM

  > Is this... normal? I don't understand why they might want to serialize/access all of my env vars. Does anyone have a suggestion for that behaviour?

  All processes get a copy of all environment variables [edit for clarity: all environment variables, from the global environment].

  Unless one goes out of one's way to prevent this from happening.

  > the process args included "JSON.stringify(process.env)" part

  And this app choses to receive the env vars in a JSON format. NBD really, in light of the above points.

  Environment variables are not secret at all. Quite the opposite: because all processes get a copy of them. They're just variables that are associated with- / stored in- the environment, instead of e.g. in code itself. They absolutely should not be considered to be secure in any way.

  Managing secrets is always tricky. Even a naive attempt at trying to avoid using env vars generally leaks stuff in some way - shell command history will record secrets passed-in at launch time, plus any running process (with sufficient permissions) can get a list of running processes, and can see the command line used to invoke a process.

  And once one gets past the naive solutions, it usually adds some friction somewhere along the line. There's no easy, transparent, way to do things, as far as I am aware. They all have some cost.

  There are quite a few articles on the web about stuff this topic as a whole. I don't think anything particularly new will come from HN users here, it'll mostly be repeating the same already known/discussed stuff. As I myself am doing here, really.

  You might find it helpful to consider something like Hashicorp's Vault, or similar, for proper management of secrets.

• by seanhunter on 2/21/25, 8:28 PM

  Environment variables exist to share information with processes spawned in that environment. If you don’t want the process to know something, you could look into using something like “env” to spawn the process with a reduced environment, but in general it’s good hygiene not to have anything in the environment that you wouldn’t feel comfortable with a process reading.

• by tsunitsuni on 2/21/25, 9:59 PM

  It seems like the command is from this line of the VSCode source (Cursor is a fork of VSCode): https://github.com/microsoft/vscode/blob/f8b29f8da2c9bfda029...

  GitHub Copilot thinks it does this to capture shell-specific environment variables (like those set up in .zshrc) that you wouldn't necessarily get unless you open the app from a shell yourself. Given it's been like this for at least 4 years, I don't think it's necessarily anything nefarious, and it's likely unchanged in Cursor.

• by marshughes on 2/22/25, 1:15 AM

  The serialization of environment variables when Cursor starts might be for configuring its running environment, like determining plugin loading or server connections, or for diagnostic and debugging purposes to help locate issues. However, this has risks as environment variables may contain sensitive info such as API keys, and could be leaked if the software has vulnerabilities. To handle such software, check the official documentation or community forums for the reason of accessing env vars, use tools to monitor its usage of the vars, and download from official channels. So, what do you think will be the biggest obstacle when implementing these actions?

• by viraptor on 2/21/25, 9:02 PM

  There's not nearly enough context for what that code is doing to say whether this is a typical usage or not. The environment is there to be used. It's a bit weird that it's stringified, not again - not enough information.

• by iyn on 2/21/25, 8:08 PM

  Clickable link to the screenshot: https://i.imgur.com/47UeNAw.png

• by ratg13 on 2/21/25, 10:03 PM

  Use an IP restricted key vault.

  If you’re just trusting everything to .env, someone will hack you eventually.