dotenv-expand
Advanced tools
The dotenv-expand npm package is an extension for dotenv. It allows you to have more complex .env files by enabling variable expansion within your environment variables. This means you can reference other environment variables within your .env file, which dotenv by itself does not support.
Variable Expansion
This feature allows you to reference other variables in your .env file. For example, if you have a BASE_URL variable, you can use it to construct the API_URL variable.
require('dotenv').config();
require('dotenv-expand')(process.env);
// .env file
// BASE_URL=https://myapi.com
// API_URL=${BASE_URL}/v1Nested Variable Expansion
This feature allows for nested variable expansion where you can use multiple environment variables to construct a new one.
require('dotenv').config();
require('dotenv-expand')(process.env);
// .env file
// URL=https://myapi.com
// VERSION=v1
// API_URL=${URL}/${VERSION}env-cmd is a simple node program for executing commands using an environment from an env file. It is similar to dotenv-expand in that it helps manage environment variables, but it does not support variable expansion.
cross-env allows you to run scripts that set and use environment variables across platforms. It is similar to dotenv-expand in the sense that it helps with environment variables, but it does not support .env file variable expansion.
envfile is a package to parse and stringify the envfile format. It is similar to dotenv-expand in that it works with .env files, but it does not support variable expansion within the .env file itself.
Dotenv libraries are supported by the community.
Special thanks to:
Dotenv-expand adds variable expansion on top of dotenv. If you find yourself needing to expand environment variables already existing on your machine, then dotenv-expand is your tool.
# Install locally (recommended)
npm install dotenv-expand --save
Or installing with yarn? yarn add dotenv-expand
Create a .env file in the root of your project:
PASSWORD="s1mpl3"
DB_PASS=$PASSWORD
As early as possible in your application, import and configure dotenv and then expand dotenv:
const dotenv = require('dotenv')
const dotenvExpand = require('dotenv-expand')
dotenvExpand.expand(dotenv.config())
console.log(process.env) // remove this after you've confirmed it is expanding
That's it. process.env now has the expanded keys and values you defined in your .env file.
dotenvExpand.expand(dotenv.config())
...
connectdb(process.env.DB_PASS)
Note: Consider using
dotenvxinstead of preloading. I am now doing (and recommending) so.It serves the same purpose (you do not need to require and load dotenv), has built-in expansion support, adds better debugging, and works with ANY language, framework, or platform. – motdotla
You can use the --require (-r) command line option to preload dotenv & dotenv-expand. By doing this, you do not need to require and load dotenv or dotenv-expand in your application code. This is the preferred approach when using import instead of require.
$ node -r dotenv-expand/config your_script.js
The configuration options below are supported as command line arguments in the format dotenv_config_<option>=value
$ node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/your/env/vars
Additionally, you can use environment variables to set configuration options. Command line arguments will precede these.
$ DOTENV_CONFIG_<OPTION>=value node -r dotenv-expand/config your_script.js
$ DOTENV_CONFIG_ENCODING=latin1 node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/.env
See tests/.env.test for simple and complex examples of variable expansion in your .env
file.
dotenv-expand exposes one function:
expand will expand your environment variables.
const env = {
parsed: {
BASIC: 'basic',
BASIC_EXPAND: '${BASIC}',
BASIC_EXPAND_SIMPLE: '$BASIC'
}
}
console.log(dotenvExpand.expand(env))
Default: process.env
Specify an object to write your secrets to. Defaults to process.env environment variables.
const myEnv = {}
const env = {
processEnv: myEnv,
parsed: {
HELLO: 'World'
}
}
dotenvExpand.expand(env)
console.log(myEnv.HELLO) // World
console.log(process.env.HELLO) // undefined
See a full list of rules here.
process.env, for example pas$word)?As of v12.0.0 dotenv-expand no longer expands process.env.
If you need this ability, use dotenvx by shipping an encrypted .env file with your code - allowing safe expansion at runtime.
Use dotenvx as dotenv-expand does not support this.
dotenv-expand is a separate module (without knowledge of the loading of process.env and the .env file) and so cannot reliably know what to override.
See CONTRIBUTING.md
See CHANGELOG.md
12.0.0 (2024-11-16)
NOTE: I recommend dotenvx over dotenv-expand when you are ready. I'm putting all my effort there for a unified standard .env implementation that works everywhere and matches bash, docker-compose, and more. In some cases it slightly improves on them - leading to more reliability for your secrets and config.
This has always been dangerous (unexpected side effects) and is now removed.
process.envshould not hold values you want to expand. If for some reason you need equivalent abilities, use dotenvx. You can ship an encrypted .env file with your code - allowing safe expansion at runtime - rather than relying on trying to expand pre-existingprocess.envvalues that could for good reason have a dollar sign in them (example a password).
FAQs
Expand environment variables using dotenv
The npm package dotenv-expand receives a total of 16,456,792 weekly downloads. As such, dotenv-expand popularity was classified as popular.
We found that dotenv-expand demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.
Security News
Socket CEO Feross Aboukhadijeh discusses the open web, open source security, and how Socket tackles software supply chain attacks on The Pair Program podcast.
Security News
Opengrep continues building momentum with the alpha release of its Playground tool, demonstrating the project's rapid evolution just two months after its initial launch.