SEC012errorFree tier

node-env-security-gate

Security checks should not be gated behind NODE_ENV conditions

Applies to: JavaScript, TypeScript

Why this matters

Wrapping security checks in `if (NODE_ENV === 'production')` means they are skipped in development, staging, and test environments. Attackers can exploit staging/preview deployments where NODE_ENV isn't 'production', and developers never test the security code path locally. Security checks should always run.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC012 includedstablestack explain SEC012

False positive in your codebase? Suppress a single line with # noqa: SEC012