New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@dotenvx/dotenvx
Advanced tools
@dotenvx/dotenvx - npm Package Compare versions
Comparing version 1.36.0 to 1.37.0
@@ -5,4 +5,12 @@ # Changelog | ||
| [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.36.0...main) | ||
| [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.37.0...main) | ||
| ## [1.37.0](https://github.com/dotenvx/dotenvx/compare/v1.36.0...v1.37.0) | ||
| ### Added | ||
| * add `dotenvx rotate` command 🎉 ([#530](https://github.com/dotenvx/dotenvx/pull/530)) | ||
| also: [our whitepaper](https://dotenvx.com/dotenvx.pdf) is released as a draft. | ||
| ## [1.36.0](https://github.com/dotenvx/dotenvx/compare/v1.35.0...v1.36.0) | ||
@@ -9,0 +17,0 @@ |
| { | ||
| "version": "1.36.0", | ||
| "version": "1.37.0", | ||
| "name": "@dotenvx/dotenvx", | ||
@@ -4,0 +4,0 @@ "description": "a better dotenv–from the creator of `dotenv`", |
128
README.md
@@ -9,3 +9,3 @@ [](https://dotenvx.com) | ||
| [Read the whitepaper](https://dotenvx.com/dotenvx.pdf) | ||
| [Read the whitepaper](https://dotenvx.com/dotenvx.pdf?v=README) | ||
@@ -1689,3 +1689,113 @@ | ||
| </details> | ||
| * <details><summary>`rotate`</summary><br> | ||
| Rotate public/private keys for `.env` file and re-encrypt all encrypted values. | ||
| ```sh | ||
| $ echo "HELLO=World" > .env | ||
| $ dotenvx encrypt | ||
| ✔ encrypted (.env) | ||
| $ dotenvx rotate | ||
| ✔ rotated (.env) | ||
| ``` | ||
| </details> | ||
| * <details><summary>`rotate -f`</summary><br> | ||
| Rotate public/private keys for a specified encrypted `.env` file and re-encrypt all encrypted values. | ||
| ```sh | ||
| $ echo "HELLO=World" > .env | ||
| $ echo "HELLO=Production" > .env.production | ||
| $ dotenvx encrypt -f .env.production | ||
| ✔ encrypted (.env.production) | ||
| $ dotenvx rotate -f .env.production | ||
| ✔ rotated (.env.production) | ||
| ``` | ||
| </details> | ||
| * <details><summary>`rotate -fk`</summary><br> | ||
| Specify path to `.env.keys`. This is useful with monorepos. | ||
| ```sh | ||
| $ mkdir -p apps/app1 | ||
| $ echo "HELLO=World" > apps/app1/.env | ||
| $ dotenvx encrypt -fk .env.keys -f apps/app1/.env | ||
| ✔ encrypted (apps/app1/.env) | ||
| $ dotenvx rotate -fk .env.keys -f apps/app1/.env | ||
| ✔ rotated (apps/app1/.env) | ||
| ``` | ||
| </details> | ||
| * <details><summary>`rotate -k`</summary><br> | ||
| Rotate the contents of a specified key inside an encrypted `.env` file. | ||
| ```sh | ||
| $ echo "HELLO=World\nHOLA=Mundo" > .env | ||
| $ dotenvx encrypt | ||
| ✔ encrypted (.env) | ||
| $ dotenvx rotate -k HELLO | ||
| ✔ rotated (.env) | ||
| ``` | ||
| Even specify a glob pattern. | ||
| ```sh | ||
| $ echo "HELLO=World\nHOLA=Mundo" > .env | ||
| $ dotenvx encrypt | ||
| ✔ encrypted (.env) | ||
| $ dotenvx rotate -k "HE*" | ||
| ✔ rotated (.env) | ||
| ``` | ||
| </details> | ||
| * <details><summary>`rotate -ek`</summary><br> | ||
| Rotate the encrypted contents inside an encrypted `.env` file except for an exluded key. | ||
| ```sh | ||
| $ echo "HELLO=World\nHOLA=Mundo" > .env | ||
| $ dotenvx encrypt | ||
| ✔ encrypted (.env) | ||
| $ dotenvx rotate -ek HOLA | ||
| ✔ rotated (.env) | ||
| ``` | ||
| Even specify a glob pattern. | ||
| ```sh | ||
| $ echo "HELLO=World\nHOLA=Mundo" > .env | ||
| $ dotenvx encrypt | ||
| ✔ encrypted (.env) | ||
| $ dotenvx rotate -ek "HO*" | ||
| ✔ rotated (.env) | ||
| ``` | ||
| </details> | ||
| * <details><summary>`rotate --stdout`</summary><br> | ||
| Rotate the contents of an encrypted `.env` file and send to stdout. | ||
| ```sh | ||
| $ dotenvx rotate --stdout | ||
| #/-------------------[DOTENV_PUBLIC_KEY]--------------------/ | ||
| #/ public-key encryption for .env files / | ||
| #/ [how it works](https://dotenvx.com/encryption) / | ||
| #/----------------------------------------------------------/ | ||
| DOTENV_PUBLIC_KEY="034af93e93708b994c10f236c96ef88e47291066946cce2e8d98c9e02c741ced45" | ||
| # .env | ||
| HELLO="encrypted:12345" | ||
| ``` | ||
| or send to a file: | ||
| ```sh | ||
| $ dotenvx rotate --stdout > somefile.txt | ||
| ``` | ||
| </details> | ||
| * <details><summary>`help`</summary><br> | ||
@@ -2139,2 +2249,18 @@ | ||
| #### How does encryption work? | ||
| Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key. | ||
| When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file. | ||
| Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read [the whitepaper](https://dotenvx.com/dotenvx.pdf?v=README) for more details. | ||
| #### Is it safe to commit an encrypted .env file to code? | ||
| Yes. Dotenvx encrypts secrets using AES-256 with ephemeral keys, ensuring that even if the encrypted .env file is exposed, its contents remain secure. The encryption keys themselves are protected using Secp256k1 elliptic curve cryptography, which is widely used for secure key exchange in technologies like Bitcoin. | ||
| This means that every secret in the .env file is encrypted with a unique AES-256 key, and that key is further encrypted using a public key (Secp256k1). Even if an attacker obtains the encrypted .env file, they would still need the corresponding private key—stored separately in a secrets manager—to decrypt anything. | ||
| Breaking this encryption would require brute-forcing both AES-256 and elliptic curve cryptography, which is computationally infeasible with current technology. Read [the whitepaper](https://dotenvx.com/dotenvx.pdf?v=README) for more details. | ||
| #### Why am I getting the error `node: .env: not found`? | ||
@@ -2141,0 +2267,0 @@ |
@@ -159,2 +159,16 @@ #!/usr/bin/env node | ||
| // dotenvx rotate | ||
| const rotateAction = require('./actions/rotate') | ||
| program.command('rotate') | ||
| .description('rotate keypair(s) and re-encrypt .env file(s)') | ||
| .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), []) | ||
| .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)') | ||
| .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)') | ||
| .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)') | ||
| .option('--stdout', 'send to stdout') | ||
| .action(function (...args) { | ||
| this.envs = envs | ||
| rotateAction.apply(this, args) | ||
| }) | ||
| // dotenvx help | ||
@@ -161,0 +175,0 @@ program.command('help [command]') |
No alert changes
Improved metrics
- Total package byte prevSize
264411
5.97%- Number of package files
91
3.41%- Lines of code
4279
6.47%- Number of lines in readme file
2303
5.79%Worsened metrics
- Number of low supply chain risk alerts
31
3.33%No dependency changes