You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

github.com/hashicorp/go-envparse

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/hashicorp/go-envparse

v0.1.0
Source
Go
Version published
Created
Source

Run CI Tests Go Reference

go-envparse

A minimal Go environment variable parser. It's intended to be used to parse .env style files similar to godotenv or rubydotenv, but perform minimal allocations, handle more complex quoting, and be better tested.

Parsing a line does 2 allocations regardless of line length or complexity.

The parser supports JSON strings which allows for cross-language/platform encoding of arbitrarily complex data.

For example if you are parsing environment variables from a templated file, the template can JSON encode data that may contain newlines:

FOO={{ some_template_function | toJSON }}

...would be templated to:

FOO="The template value\nmay have included\nsome newlines!\n\ud83d\udd25"

...and envparse.Parse() would return:

map[string]string{
	"FOO": "The template value\nmay have included\nsome newlines!\n🔥",
}

Minimal

The following common features are intentionally missing:

  • Full shell quoting semantics
  • Full shell escape sequence support
    • Only JSON escape sequences are supported (see below)
  • Variable interpolation
  • Anything YAML related
    • No

However, comments, unquoted, single quoted, and double quoted text may all be used within a single value:

SOME_KEY = normal unquoted \text 'plus single quoted\' "\"double quoted " # EOL

...parses to:

map[string]string{
	"SOME_KEY": `normal unquoted \text plus single quoted\ "double quoted `
}

(Note the trailing space inside the double quote is kept, but the space between the final " and # is trimmed.)

Format

  • Keys should be of the form: [A-Za-z_][A-Za-z0-9_]?
    • Keys may be prefixed with export which will be ignored
    • Whitespace around keys will be trimmed
  • Values should be valid ASCII or UTF-8 encoded.
  • Newlines are always treated as delimiters, so newlines within values must be escaped.
  • Values may use one of more quoting styles:
    • Unquoted - FOO=bar baz
      • No escape sequences
      • Ends at #, ", ', or newline
      • Preceeding and trailing whitespace will be trimmed
    • Double Quotes - FOO="bar baz"
      • Supports JSON escape sequences: \uXXXX, \r, \n, \t, \\, and \"
      • Ends at unescaped "
      • No whitespace trimming
    • Single Quotes - FOO='bar baz'
      • No escape sequences
      • Ends at '
      • No whitespace trimming

See envparse_test.go for examples of valid and invalid data.

FAQs

Package last updated on 09 Sep 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Introducing Scala and Kotlin Support in Socket

Product

Introducing Scala and Kotlin Support in Socket

Socket now supports Scala and Kotlin, bringing AI-powered threat detection to JVM projects with easy manifest generation and fast, accurate scans.

By Peter van der Zee, Eli Insua  -  Jul 28, 2025
AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Application Security

/

Security News

AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Socket CEO Feross Aboukhadijeh and a16z partner Joel de la Garza discuss vibe coding, AI-driven software development, and how the rise of LLMs, despite their risks, still points toward a more secure and innovative future.

By Sarah Gooding  -  Jul 25, 2025