Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
dotenv-expand
Advanced tools
The dotenv-expand npm package is an extension for dotenv. It allows you to have more complex .env files by enabling variable expansion within your environment variables. This means you can reference other environment variables within your .env file, which dotenv by itself does not support.
Variable Expansion
This feature allows you to reference other variables in your .env file. For example, if you have a BASE_URL variable, you can use it to construct the API_URL variable.
require('dotenv').config();
require('dotenv-expand')(process.env);
// .env file
// BASE_URL=https://myapi.com
// API_URL=${BASE_URL}/v1
Nested Variable Expansion
This feature allows for nested variable expansion where you can use multiple environment variables to construct a new one.
require('dotenv').config();
require('dotenv-expand')(process.env);
// .env file
// URL=https://myapi.com
// VERSION=v1
// API_URL=${URL}/${VERSION}
env-cmd is a simple node program for executing commands using an environment from an env file. It is similar to dotenv-expand in that it helps manage environment variables, but it does not support variable expansion.
cross-env allows you to run scripts that set and use environment variables across platforms. It is similar to dotenv-expand in the sense that it helps with environment variables, but it does not support .env file variable expansion.
envfile is a package to parse and stringify the envfile format. It is similar to dotenv-expand in that it works with .env files, but it does not support variable expansion within the .env file itself.
Dotenv libraries are supported by the community.
Special thanks to:Dotenv-expand adds variable expansion on top of dotenv. If you find yourself needing to expand environment variables already existing on your machine, then dotenv-expand is your tool.
# Install locally (recommended)
npm install dotenv-expand --save
Or installing with yarn? yarn add dotenv-expand
Create a .env
file in the root of your project:
PASSWORD="s1mpl3"
DB_PASS=$PASSWORD
As early as possible in your application, import and configure dotenv and then expand dotenv:
var dotenv = require('dotenv')
var dotenvExpand = require('dotenv-expand')
var myEnv = dotenv.config({ processEnv: {} }) // important to set processEnv: {}, otherwise expansion will be attempted on your already existing machine envs
dotenvExpand.expand(myEnv)
console.log(process.env)
That's it. process.env
now has the expanded keys and values you defined in your .env
file.
You can use the --require
(-r
) command line option to preload dotenv & dotenv-expand. By doing this, you do not need to require and load dotenv or dotenv-expand in your application code. This is the preferred approach when using import
instead of require
.
$ node -r dotenv-expand/config your_script.js
The configuration options below are supported as command line arguments in the format dotenv_config_<option>=value
$ node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/your/env/vars
Additionally, you can use environment variables to set configuration options. Command line arguments will precede these.
$ DOTENV_CONFIG_<OPTION>=value node -r dotenv-expand/config your_script.js
$ DOTENV_CONFIG_ENCODING=latin1 node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/.env
See tests/.env for simple and complex examples of variable expansion in your .env
file.
DotenvExpand exposes one function:
expand
will expand your environment variables.
const dotenv = {
parsed: {
BASIC: 'basic',
BASIC_EXPAND: '${BASIC}',
BASIC_EXPAND_SIMPLE: '$BASIC'
}
}
const obj = dotenvExpand.expand(dotenv)
console.log(obj)
Default: process.env
Specify an object to write your secrets to. Defaults to process.env
environment variables.
const myObject = {}
const dotenv = {
processEnv: myObject,
parsed: {
SHOULD_NOT_EXIST: 'testing'
}
}
const obj = dotenvExpand.expand(dotenv).parsed
console.log(obj.SHOULD_NOT_EXIST) // testing
console.log(myObject.SHOULD_NOT_EXIST) // testing
console.log(process.env.SHOULD_NOT_EXIST) // undefined
The expansion engine roughly has the following rules:
$KEY
will expand any env with the name KEY
${KEY}
will expand any env with the name KEY
\$KEY
will escape the $KEY
rather than expand${KEY:-default}
will first attempt to expand any env with the name KEY
. If not one, then it will return default
You can see a full list of examples here.
See CONTRIBUTING.md
See CHANGELOG.md
11.0.0 (2024-02-10)
import dotenv-expand/config
(#99)POSTGRESQL.BASE.USER
(#93)processEnv
option (#105)${VAR-default}
(#109)process.env
environment variables. NOTE: make sure to see updated README regarding dotenv.config({ processEnv: {} })
(#104)$var1$var2
(#103, #104)VAR=$VAR
#98ignoreProcessEnv
option (use processEnv
option going forward)FAQs
Expand environment variables using dotenv
The npm package dotenv-expand receives a total of 13,333,034 weekly downloads. As such, dotenv-expand popularity was classified as popular.
We found that dotenv-expand demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.