@neondatabase/mcp-server-neon

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
    8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
>>> 9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
    10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
    11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    29: });
    30: export const authorizationCodes = createKeyv({
>>> 31:     connectionString: process.env.OAUTH_DATABASE_URL,
    32:     schema: SCHEMA,
    33:     table: 'authorization_codes',

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6: export const SERVER_PORT = 3001;
    7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
>>> 8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
    9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
    10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5: export const IS_DEV = NODE_ENV === 'development';
    6: export const SERVER_PORT = 3001;
>>> 7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
    8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
    9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    2: config();
    3: export const NEON_DEFAULT_DATABASE_NAME = 'neondb';
>>> 4: export const NODE_ENV = (process.env.NODE_ENV ?? 'production');
    5: export const IS_DEV = NODE_ENV === 'development';
    6: export const SERVER_PORT = 3001;

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    267: # Testing
    268: 
>>> 269: To run the tests you need to setup the `.env` file according to the `.env.example` file.
    270: 
    271: ```bash

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13:     // Windows path - using %APPDATA%
    14:     // For Node.js, we access %APPDATA% via process.env.APPDATA
>>> 15:     claudeConfigPath = path.join(process.env.APPDATA || '', 'Claude', 'claude_desktop_config.json');
    16: }
    17: else {

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    12: if (platform === 'win32') {
    13:     // Windows path - using %APPDATA%
>>> 14:     // For Node.js, we access %APPDATA% via process.env.APPDATA
    15:     claudeConfigPath = path.join(process.env.APPDATA || '', 'Claude', 'claude_desktop_config.json');
    16: }

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
    14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
>>> 15: export const SENTRY_DSN = process.env.SENTRY_DSN ??
    16:     'https://b3564134667aa2dfeaa3992a12d9c12f@o1373725.ingest.us.sentry.io/4509328350380033';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    21: });
    22: export const refreshTokens = createKeyv({
>>> 23:     connectionString: process.env.OAUTH_DATABASE_URL,
    24:     schema: SCHEMA,
    25:     table: 'refresh_tokens',

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    74:         \`\`\`
    75: 
>>> 76:         Copy the above environment variables and place them in  your \`.env.local\` file for Next.js project. Note that variables with \`NEXT_PUBLIC_\` prefix will be available in the client side.
    77:         `,
    78:             },

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
    13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
>>> 14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
    15: export const SENTRY_DSN = process.env.SENTRY_DSN ??
    16:     'https://b3564134667aa2dfeaa3992a12d9c12f@o1373725.ingest.us.sentry.io/4509328350380033';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    256:         If you're building an app with Next.js, to set up Neon Auth and Stack Auth, follow these steps:
    257:         1. Provision a Neon Auth project with this tool
>>> 258:         2. Place the returned credentials in project's \`.env.local\` or \`.env\` file
    259:           - \`NEXT_PUBLIC_STACK_PROJECT_ID\`
    260:           - \`NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY\`

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4: init({
    5:     dsn: SENTRY_DSN,
>>> 6:     environment: process.env.NODE_ENV,
    7:     release: getPackageJson().version,
    8:     tracesSampleRate: 1.0,

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
    12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
>>> 13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
    14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
    15: export const SENTRY_DSN = process.env.SENTRY_DSN ??

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
    11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
>>> 12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
    13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
    14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
    9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
>>> 10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
    11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
    12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    13: });
    14: export const tokens = createKeyv({
>>> 15:     connectionString: process.env.OAUTH_DATABASE_URL,
    16:     schema: SCHEMA,
    17:     table: 'tokens',

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    37: });
    38: export const apiKeys = createKeyv({
>>> 39:     connectionString: process.env.OAUTH_DATABASE_URL,
    40:     schema: SCHEMA,
    41:     table: 'api_keys',

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    5: const createKeyv = (options) => new Keyv({ store: new KeyvPostgres(options) });
    6: export const clients = createKeyv({
>>> 7:     connectionString: process.env.OAUTH_DATABASE_URL,
    8:     schema: SCHEMA,
    9:     table: 'clients',

Decoded base64 content: ��!���������b

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��!�������'��-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��!��u�?�)ݲ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ���������b�ۭ�܆)�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �Us��3:��e�H4.��C���.�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��!���������b

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ڗ+br�ڝ�r�',

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ޭ�^E�ݢd��)�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: {ki�B�'��*�u�퉩l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��塿�j)���'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��塿�j)���'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��塿�j)���'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r����^ �Zm�2(+jب���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r�����7����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: u�^���7����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Cj֛jǓi�^���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��/�Ȩ�ר�����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ҪT�j{rب���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-:��,ڶ*'���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-:��,ڶ*'���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r�����7����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: u�^���7����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ҪT�j{rب���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Cj֛jǓi�^���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r����^ �Zm�2(+jب���Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��/�Ȩ�ר�����Ԝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ݕ�ޱ��m�kjw!

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: }�\���jx�jب�7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: }�\���jx�jب�7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ݕ�ޱ��m�kjw!

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    128: };
    129: export const generateRandomString = (length) => {
>>> 130:     const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    131:     const array = new Uint8Array(length);
    132:     crypto.getRandomValues(array);

High-entropy string (6.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (6.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.9 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    1: async function fetchRawGithubContent(rawPath) {
    2:     const path = rawPath.replace('/blob', '');
>>> 3:     return fetch(`https://raw.githubusercontent.com${path}`).then((res) => res.text());
    4: }
    5: export const NEON_RESOURCES = [

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    2: import { handleDescribeBranch } from './describe-branch.js';
    3: import { generateConsoleUrl, CONSOLE_URLS } from './urls.js';
>>> 4: export async function handleFetch({ id }, neonClient, extra) {
    5:     try {
    6:         // Parse the ID format