Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
By Socket Research Team - Dec 02, 2024
Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
dotenv-cli
Advanced tools
dotenv-cli
A global executable to run applications with the ENV variables loaded by dotenv
What is dotenv-cli?
The dotenv-cli package is a command-line interface tool that allows you to load environment variables from a .env file into your shell environment. This is particularly useful for managing environment variables in development and testing environments.
What are dotenv-cli's main functionalities?
Load environment variables from a .env file
This feature allows you to load environment variables from a specified .env file and run a command with those variables. In this example, the environment variables from the .env file are loaded and then the Node.js application (app.js) is executed with those variables.
dotenv -e .env -- node app.jsSpecify multiple .env files
This feature allows you to load environment variables from multiple .env files. The variables from the files are merged, with the latter files overriding the former ones if there are conflicts. In this example, variables from both .env and .env.local are loaded before running the Node.js application.
dotenv -e .env -e .env.local -- node app.jsUse different .env files for different environments
This feature allows you to specify different .env files for different environments, such as production, development, or testing. In this example, the environment variables from the .env.production file are loaded before running the Node.js application.
dotenv -e .env.production -- node app.jsOther packages similar to dotenv-cli
cross-env
The cross-env package allows you to set environment variables across different platforms in a consistent manner. Unlike dotenv-cli, which loads variables from a .env file, cross-env allows you to set them directly in the command line. This can be useful for setting variables in a cross-platform way, but it does not provide the same file-based management of environment variables.
env-cmd
The env-cmd package allows you to set environment variables from a file or inline. It is similar to dotenv-cli in that it can load variables from a file, but it also provides more flexibility in terms of specifying variables directly in the command line. Env-cmd also supports JSON and JavaScript configuration files, offering more versatility compared to dotenv-cli.
dotenv
The dotenv package is a zero-dependency module that loads environment variables from a .env file into process.env. While it is similar to dotenv-cli in terms of loading variables from a .env file, it is designed to be used programmatically within your Node.js application rather than as a command-line tool.
dotenv-cli
Installing
NPM
$ npm install -g dotenv-cli
Yarn
$ yarn global add dotenv-cli
pnpm
pnpm add -g dotenv-cli
Usage
$ dotenv -- <command with arguments>
This will load the variables from the .env file in the current working directory and then run the command (using the new set of environment variables).
Alternatively, if you do not need to pass arguments to the command, you can use the shorthand:
$ dotenv <command>
Custom .env files
Another .env file could be specified using the -e flag (this will replace loading .env file):
$ dotenv -e .env2 -- <command with arguments>
Multiple .env files can be specified, and will be processed in order:
$ dotenv -e .env3 -e .env4 -- <command with arguments>
Cascading env variables
Some applications load from .env, .env.development, .env.local, and .env.development.local
(see #37 for more information).
dotenv-cli supports this using the -c flag for just .env and .env.local and -c development for the ones above.
The -c flag can be used together with the -e flag. The following example will cascade env files located one folder up in the directory tree (../.env followed by ../.env.local):
dotenv -e ../.env -c
Setting variable from command line
It is possible to set variable directly from command line using the -v flag:
$ dotenv -v VARIABLE=somevalue -- <command with arguments>
Multiple variables can be specified:
$ dotenv -v VARIABLE1=somevalue1 -v VARIABLE2=somevalue2 -- <command with arguments>
Variables set up from command line have higher priority than from env files.
Purpose of this is that standard approach
VARIABLE=somevalue <command with arguments>doesn't work on Windows. The -v flag works on all the platforms.
Check env variable
If you want to check the value of an environment variable, use the -p flag
$ dotenv -p NODE_ENV
Flags to the underlying command
If you want to pass flags to the inner command use -- after all the flags to dotenv-cli.
E.g. the following command without dotenv-cli:
mvn exec:java -Dexec.args="-g -f"
will become the following command with dotenv-cli:
$ dotenv -- mvn exec:java -Dexec.args="-g -f"
or in case the env file is at .my-env
$ dotenv -e .my-env -- mvn exec:java -Dexec.args="-g -f"
Variable expansion
We support expanding env variables inside .env files (See dotenv-expand npm package for more information)
For example:
IP=127.0.0.1
PORT=1234
APP_URL=http://${IP}:${PORT}
Using the above example .env file, process.env.APP_URL would be http://127.0.0.1:1234.
Disabling variable expansion
If your .env variables include values that should not be expanded (e.g. PASSWORD="pas$word"), you can pass flag --no-expand to dotenv-cli to disable variable expansion.
For example:
dotenv --no-expand <command>
Variable expansion in the command
If your .env file looks like:
SAY_HI=hello!
you might expect dotenv echo "$SAY_HI" to display hello!. In fact, this is not what happens: your shell will first interpret your command before passing it to dotenv-cli, so if SAY_HI envvar is set to "", the command will be expanded into dotenv echo: that's why dotenv-cli cannot make the expansion you expect.
Possible solutions
- Bash and escape
One possible way to get the desired result is:
$ dotenv -- bash -c 'echo "$SAY_HI"'
In bash, everything between ' is not interpreted but passed as is. Since $SAY_HI is inside '' brackets, it's passed as a string literal.
Therefore, dotenv-cli will start a child process bash -c 'echo "$SAY_HI"' with the env variable SAY_HI set correctly which means bash will run echo "$SAY_HI" in the right environment which will print correctly hello
- Subscript encapsulation
Another solution is simply to encapsulate your script in another subscript.
Example here with npm scripts in a package.json
{
"scripts": {
"_print-stuff": "echo $STUFF",
"print-stuff": "dotenv -- npm run _print-stuff",
}
}
This example is used in a project setting (has a package.json). Should always install locally npm install -D dotenv-cli
Debugging
You can add the --debug flag to output the .env files that would be processed and exit.
Override
Override any environment variables that have already been set on your machine with values from your .env file.
dotenv -e .env.test -o -- jest
License
FAQs
A global executable to run applications with the ENV variables loaded by dotenv
We found that dotenv-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 21 Nov 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Research
Typosquatting Cryptographic Libraries: Malicious npm Packages Threaten Crypto Developers with Keylogging and Wallet Theft
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
By Kirill Boychenko - Nov 27, 2024
Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
By Sarah Gooding - Nov 26, 2024