DEV Community

Cover image for Stop Using dotenv package

Stop Using dotenv package

Manas Mishra on August 22, 2024

Whenever it comes to securing the API keys or something that we don't want to be exposed to the public for our Open Source Project, we always tend ...
Collapse
 
mezieb profile image
Okoro chimezie bright

Nice work so far and thanks for sharing but however your article did not : (1) state the problem as the title suggest . (2) security measures (3) Alternative and best adoptable practice . What you demonstrate is just changinge file name . Keep up the good work we look forward to get more details from you so we all can benefit.

Collapse
 
segin profile image
Kirn Gill

No, the demonstration is that the dotenv middleware package is wholly unnecessary and that Node.js itself implements the desired functionality without having to download and install additional third-party middleware.

Pay attention.

Collapse
 
mezieb profile image
Okoro chimezie bright

ok thanks for the clarification.

Collapse
 
dansasser profile image
dansasser

I like the honest critique.
Feel free to take a look at my latest article and let me know what you think.
dev.to/dansasser/supercharge-your-...

Collapse
 
martinbaun profile image
Martin Baun

.env file is never committed to the repo, thus not exposing your secrets. As far as using variables in prod, it doesn't really matter, you could inject .env file into the container at build time/ssh into the virtual machine and define it if you are solo, you just have to be careful that there is no way that the file could ever leak.

Collapse
 
thomasjunkos profile image
Thomas Junkツ • Edited

I never understood why not including a .env to the repo. For me a .env is a source for a sane default setup. Of course I would agree not to commit any secrets. And if you want to work with local settings you would copy .env to .env.local and set your custom settings there. Or in prod you would have .env.prod (which of course you won't commit either).

Am I doing things wrong?

I can agree on _ not committing secrets_ but that is different from _not commiting .env.

Collapse
 
starkraving profile image
Mike Ritchie

You can start with .env.default and set up your variables there, and commit that to source control. Then make a copy of it with your local values and name it .env, and add that file to .gitignore. The default file acts as a template for the external environment values, and the values are still private. Win win!

Collapse
 
skamansam profile image
Samuel

I use .env.example, .env.development.example, etc. and add those to the repo, with sane defaults in them, or comments on how to get the right variables. This prevents accidental commits.

Thread Thread
 
thomasjunkos profile image
Thomas Junkツ

AFAICS this introduces one extra step: copy .env.example to .env. As .env.example is not loaded by default?

Collapse
 
stretch0 profile image
Andrew McCallum • Edited

Take a look at npmjs.com/package/envalid.

It's a great package for defining your default config which can be committed to source control.

You can then override the config with environment variables.

It makes things easy easier for new devs to get started because they have all the default config they need (except any secrets) and has a centralised place for seeing what config the app requires.

Thread Thread
 
g1itcher profile image
G1itcher

I used to use envalid for everything but honestly found myself a bit frustrated with it recently; Nextjs projects in particular don't seem to be compatible. Very frustrating.

Collapse
 
best_codes profile image
Best Codes

Most projects by default don't commit .env.local to a repo. You can simply edit the .gitignore file to change whether or not your custom file or the .env file is committed.

Collapse
 
dansasser profile image
dansasser

No need for me to it now😁

Collapse
 
cookiemonsterdev profile image
Mykhailo Toporkov 🇺🇦

I would understand if this all was due to some security concerns, but really if someone got access for reading..env file he has access for everything else...
As for me naming files with environment variables is mostly conventional approach.

Collapse
 
joelbonetr profile image
JoelBonetR 🥇

if that's a bold try to obfuscate the existence of API Key values inside a .env by moving them to a different file... let me tell you that if someone has access to your .env they also have access to your package.json and probably to your server processes as well. If it were me I could just ask the node terminal what process.env contains 🤷🏼‍♀️

Collapse
 
manascodes13 profile image
Manas Mishra

This article is not talking about not to use .env file, but not to use dotenv npm package.

Collapse
 
joelbonetr profile image
JoelBonetR 🥇

Sure but it doesn't explain why you shouldn't use it. Have I missed anything?

Collapse
 
lpheller profile image
Lukas Heller • Edited

Well, then the title is just bad - as it contains the word "file"…

Thread Thread
 
mdledoux profile image
Martin Ledoux • Edited

It says "package", not "file"
Maybe he edited it?
The punchline about replacing the package with a CLI arg was in the last paragraph, so I wonder if most people missed it.

Thread Thread
 
joelbonetr profile image
JoelBonetR 🥇

yes it has been edited but anyway.... the recommended way would probably be using dotenvx mostly for the encrypt stuff

Collapse
 
cavo789 profile image
Christophe Avonture

Like the other people, what was the problem using .env as filename ? As someone has told, such file isn't part of the repository and shouldn't contains secrets but just configuration items.

In your suggestion, you've named the file "manas" so, without extra security feature, I will be able to access the file using a URL and see his content.

At least name it .manas, don't you think ?

Collapse
 
manascodes13 profile image
Manas Mishra

This article is not talking about not to use .env file, but not to use dotenv npm package.

Collapse
 
broski profile image
Kirill Toropov

You're basically saying "stop using React, because look, you can do everything React can with pure JS. It's just a trendy library that nobody needs to use."

dotenv offers a lot of additional features such as variable expansion, default values, and multi-line values. There's a reason it's got 29 million weekly downloads.

Clickbait at it's best.

Collapse
 
angeloem profile image
Sanga Manuel

We really need content moderation against these cheap and title defying contents that people write just to add to their resumes that they write content. This is not okah.

Collapse
 
manascodes13 profile image
Manas Mishra

I hope you could have read the article before writing the content.

Collapse
 
angeloem profile image
Sanga Manuel

I read the article multiple times before commenting to ensure I'm not misreading anything.

How in the world does renaming a .env file have to do with dotenv package. Then, you present the ability to use nodejs natively to read the file which is 🦾, but then, you do not specify the constraints.

You have not specified why to use your approach.

My advice
Please try to sit down and learn about content writing. it would benefit a lot.

Thread Thread
 
manascodes13 profile image
Manas Mishra

Can you please share a content that you wrote, so I can learn ?

Thread Thread
 
bigwebdeveloper profile image
Azeez Ishola Oloto

Well i go with his idea. Because most sever technology now have their own variable security, for example vercel.com which will tell you to add each content or variable constant inside .env to their own security guild(i don't know the proper name for it) for proper security. You get me right 👍

Collapse
 
sjeremich23 profile image
Shane Jeremich

Good article, too bad there's too many trolls here that are not discussing the main point of your article. It's in the title people.

Only thing I would add is Node.js began supporting .env files starting with version 20.6.0, so if you're using a version that's anything before that you'll still need to download third party packages like dotenv.

Point is you don't need to install a third party app anymore for a built in supported feature. This article is relevant because still many people are unaware of this.

Collapse
 
Sloan, the sloth mascot
Comment deleted
Collapse
 
manascodes13 profile image
Manas Mishra

This article is not talking about not to use .env file, but not to use dotenv npm package.

Collapse
 
shricodev profile image
Shrijal Acharya

every week, 29k+ developers download a trendy package, dotenv.

I think you meant 29m+

Collapse
 
manascodes13 profile image
Manas Mishra

Yeah, My mistake :)

Collapse
 
viacheslavzyrianov profile image
Zyrianov Viacheslav

So your article is about "Don't use .env, use any other name", correct?

Collapse
 
akshay_trehan_44e50d42c8b profile image
Akshay Trehan

No, Its all about not to use dotenv as a package

Collapse
 
syeo66 profile image
Red Ochsenbein (he/him)

...or take a look at dotenvx...

Collapse
 
erics_nguyn_ab8529f86ad6 profile image
Erics Nguyễn

such a click bait, content is so poor, which diminishes the blog's appeal.

Collapse
 
dotenv profile image
Dotenv

stop using dotenv, but start using dotenvx :)

github.com/dotenvx/dotenvx

Collapse
 
detzam profile image
webstuff

did this happen just to me or its a known bug?
a .env file constants return the values saved in the file on linux but on windows, it gets older values.

Collapse
 
razielrodrigues profile image
Raziel Rodrigues

I love those polemics posts they are the ones which grab more attention

Collapse
 
raymathewdeveloper profile image
Ray Mathew

I don’t get it.. are you saying don’t use dotenv because we can access .env files without the library? That’s true of any library.

Collapse
 
nikko1350 profile image
Nikko • Edited

I don't get it, what problem is this solving?
Don't commit sensitive files to the repo or use GH secrets, Vault etc.
Also you could've given an example with a token or password and not PORT.

Collapse
 
manascodes13 profile image
Manas Mishra

Its not solving a specific problem @nikko1350 , I wrote this article just to aware that dotenv package is not necessary for the node.js. We can call the environment file even without this specific package.

Collapse
 
parmar84 profile image
Gareth Parmar

Judging by the comments, maybe the title should have been "NodeJS: is the dotenv package redundant?"
Tbh, the title makes it sound like there's something wrong with the package and you are about to explain it to us, so I don't have any problems with the content.... But I do feel like I've been tricked into coming here.

I also feel that many node packages have massive package dependencies and trimming down one that is prominent, well supported and (in most cases) actually useful isn't necessary as there's probably a few hundred packages being included in the project that you aren't actively monitoring.

But you aren't wrong, any file containing secrets can be referenced without the dotenv package.

Collapse
 
andyengle profile image
Andy Engle

These "You need to stop using ____" articles are goofy. If something works for you, use it.

Collapse
 
vaishnavprabhakar profile image
vaishnav

.env secrets are stored as plain text right!? And i have something in my mind, that is. Is there any better way to store the .env variables securely, any other option for that along with python.

Collapse
 
fred_lau_bbdaf0fbff760529 profile image
Fred Lau

The obvious thing would be the deterministic nature on what overrides the value... i e. OS runtime env vars will supercede them. Which is normally what you want

Some comments have been hidden by the post's author - find out more