Security News
pnpm 10.0.0 Blocks Lifecycle Scripts by Default
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
@dotenvx/dotenvx
Advanced tools
a better dotenv–from the creator of dotenv
.
Install and use it in code just like dotenv
.
npm install @dotenvx/dotenvx --save
// index.js
require('@dotenvx/dotenvx').config()
console.log(`Hello ${process.env.HELLO}`)
Or install globally
brew install dotenvx/brew/dotenvx
Installing globally as a cli unlocks dotenv for ANY language, framework, or platform. 💥
I am using (and recommending) this approach going forward. – motdotla
$ echo "HELLO=World" > .env
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js
$ node index.js
Hello undefined
$ dotenvx run -- node index.js
Hello World
> :-D
More examples
$ echo "HELLO=World" > .env
$ echo 'import os;print("Hello " + os.getenv("HELLO", ""))' > index.py
$ dotenvx run -- python3 index.py
Hello World
$ echo "HELLO=World" > .env
$ echo '<?php echo "Hello {$_SERVER["HELLO"]}\n";' > index.php
$ dotenvx run -- php index.php
Hello World
$ echo "HELLO=World" > .env
$ echo 'puts "Hello #{ENV["HELLO"]}"' > index.rb
$ dotenvx run -- ruby index.rb
Hello World
$ echo "HELLO=World" > .env
$ echo 'package main; import ("fmt"; "os"); func main() { fmt.Printf("Hello %s\n", os.Getenv("HELLO")) }' > main.go
$ dotenvx run -- go run main.go
Hello World
$ echo "HELLO=World" > .env
$ echo 'fn main() {let hello = std::env::var("HELLO").unwrap_or("".to_string());println!("Hello {hello}");}' > src/main.rs
$ dotenvx run -- cargo run
Hello World
$ echo "HELLO=World" > .env
$ echo 'public class Index { public static void main(String[] args) { System.out.println("Hello " + System.getenv("HELLO")); } }' > index.java
$ dotenvx run -- java index.java
Hello World
$ dotnet new console -n HelloWorld -o HelloWorld
$ cd HelloWorld
$ echo "HELLO=World" > .env
$ echo 'Console.WriteLine($"Hello {Environment.GetEnvironmentVariable("HELLO")}");' > Program.cs
$ dotenvx run -- dotnet run
Hello World
$ echo "HELLO=World" > .env
$ dotenvx run --quiet -- sh -c 'echo $HELLO'
World
# run every day at 8am
0 8 * * * dotenvx run -- /path/to/myscript.sh
$ dotenvx run -- next dev
$ dotenvx run -- npm start
$ dotenvx run -- bin/rails s
$ dotenvx run -- php artisan serve
see framework guides
$ docker run -it --rm -v $(pwd):/app dotenv/dotenvx run -- node index.js
Or in any image:
FROM node:latest
RUN echo "HELLO=World" > .env && echo "console.log('Hello ' + process.env.HELLO)" > index.js
RUN curl -fsS https://dotenvx.sh/ | sh
CMD ["dotenvx", "run", "--", "echo", "Hello $HELLO"]
see docker guide
name: build
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: curl -fsS https://dotenvx.sh/ | sh
- run: dotenvx run -- node build.js
env:
DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
# heroku
heroku buildpacks:add https://github.com/dotenvx/heroku-buildpack-dotenvx
# docker
RUN curl -fsS https://dotenvx.sh/ | sh
# vercel
npm install @dotenvx/dotenvx --save
see platform guides
# alternatively use npx
$ npx @dotenvx/dotenvx run -- node index.js
$ npx @dotenvx/dotenvx run -- next dev
$ npx @dotenvx/dotenvx run -- npm start
$ npm install @dotenvx/dotenvx --save
{
"scripts": {
"start": "./node_modules/.bin/dotenvx run -- node index.js"
},
"dependencies": {
"@dotenvx/dotenvx": "^0.5.0"
}
}
$ npm run start
> start
> ./node_modules/.bin/dotenvx run -- node index.js
[dotenvx][info] loading env (1) from .env
Hello World
# use as a git submodule
$ git dotenvx run -- node index.js
$ git dotenvx run -- next dev
$ git dotenvx run -- npm start
Create a
.env.production
file and use--env-file
to load it. It's straightforward, yet flexible.
$ echo "HELLO=production" > .env.production
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js
$ dotenvx run --env-file=.env.production -- node index.js
[dotenvx][info] loading env (1) from .env.production
Hello production
> ^^
More examples
$ echo "HELLO=local" > .env.local
$ echo "HELLO=World" > .env
$ dotenvx run --env-file=.env.local --env-file=.env -- node index.js
[dotenvx][info] loading env (1) from .env.local,.env
Hello local
$ echo "HELLO=local" > .env.local
$ echo "HELLO=World" > .env
$ dotenvx run --env-file=.env.local --env-file=.env --overload -- node index.js
[dotenvx][info] loading env (1) from .env.local,.env
Hello World
$ echo "HELLO=production" > .env.production
$ dotenvx run --env-file=.env.production --verbose -- node index.js
[dotenvx][verbose] injecting env from /path/to/.env.production
[dotenvx][verbose] HELLO set
[dotenvx][info] loading env (1) from .env.production
Hello production
$ echo "HELLO=production" > .env.production
$ dotenvx run --env-file=.env.production --debug -- node index.js
[dotenvx][debug] configuring options
[dotenvx][debug] {"envFile":[".env.production"]}
[dotenvx][verbose] injecting env from /path/to/.env.production
[dotenvx][debug] reading env from /path/to/.env.production
[dotenvx][debug] parsing env from /path/to/.env.production
[dotenvx][debug] {"HELLO":"production"}
[dotenvx][debug] writing env from /path/to/.env.production
[dotenvx][verbose] HELLO set
[dotenvx][debug] HELLO set to production
[dotenvx][info] loading env (1) from .env.production
Hello production
Use --quiet
to suppress all output (except errors).
$ echo "HELLO=production" > .env.production
$ dotenvx run --env-file=.env.production --quiet -- node index.js
Hello production
Set --log-level
to whatever you wish. For example, to supress warnings (risky), set log level to error
:
$ echo "HELLO=production" > .env.production
$ dotenvx run --env-file=.env.production --log-level=error -- node index.js
Hello production
Available log levels are error, warn, info, verbose, debug, silly
Encrypt your secrets to a
.env.vault
file and load from it (recommended for production and ci).
$ echo "HELLO=World" > .env
$ echo "HELLO=production" > .env.production
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js
$ dotenvx encrypt
[dotenvx][info] encrypted to .env.vault (.env,.env.production)
[dotenvx][info] keys added to .env.keys (DOTENV_KEY_PRODUCTION,DOTENV_KEY_PRODUCTION)
$ DOTENV_KEY='<dotenv_key_production>' dotenvx run -- node index.js
[dotenvx][info] loading env (1) from encrypted .env.vault
Hello production
^ :-]
More examples
coming soon
coming soon
Add the
dotenvx
binary to your Dockerfile
# Install dotenvx
RUN curl -fsS https://dotenvx.sh/ | sh
Use it in your Dockerfile CMD
# Prepend dotenvx run
CMD ["dotenvx", "run", "--", "node", "index.js"]
see docker guide
coming soon
Add the buildpack, installing the
dotenvx
binary to your heroku deployment.
heroku buildpacks:add https://github.com/dotenvx/heroku-buildpack-dotenvx
Use it in your Procfile.
web: dotenvx run -- node index.js
see heroku guide
coming soon
coming soon
coming soon
coming soon
Add the
dotenvx
npm module
npm install @dotenvx/dotenvx --save
Use it in your
package.json scripts
"scripts": {
"dotenvx": "dotenvx",
"dev": "dotenvx run -- next dev --turbo",
"build": "dotenvx run -- next build",
"start": "dotenvx run -- next start"
},
see vercel guide
coming soon
Add the
dotenvx
binary to GitHub Actions
name: build
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: curl -fsS https://dotenvx.sh/ | sh
- run: dotenvx run -- node build.js
env:
DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
Integrate tightly with GitHub 🐙
$ dotenvx hub login
$ dotenvx hub push
more details coming soon.
You can prevent .env
files from being committed to code with this pre-commit hook.
dotenvx precommit --install
Run without the --install
flag to preview output.
dotenvx precommit
To ignore the pre-commit hook run your git commit with the --no-verify
flag.
git commit -am "msg" --no-verify
You can fork this repo and create pull requests or if you have questions or feedback:
0.13.0
decrypt
command. Decrypt .env.vault
to prospective .env*
files. .env.keys
must be present. (#48)FAQs
a better dotenv–from the creator of `dotenv`
The npm package @dotenvx/dotenvx receives a total of 78,158 weekly downloads. As such, @dotenvx/dotenvx popularity was classified as popular.
We found that @dotenvx/dotenvx demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.