
dotenv-expand
Dotenv-expand adds variable expansion on top of dotenv. If you find yourself needing to expand environment variables already existing on your machine, then dotenv-expand is your tool.
# Install locally (recommended)
npm install dotenv-expand --save
Or installing with yarn? yarn add dotenv-expand
Create a .env file in the root of your project:
PASSWORD="s1mpl3"
DB_PASS=$PASSWORD
As early as possible in your application, import and configure dotenv and then expand dotenv:
const dotenv = require('dotenv')
const dotenvExpand = require('dotenv-expand')
dotenvExpand.expand(dotenv.config())
console.log(process.env) // remove this after you've confirmed it is expanding
That's it. process.env now has the expanded keys and values you defined in your .env file.
dotenvExpand.expand(dotenv.config())
...
connectdb(process.env.DB_PASS)
Note: Consider using dotenvx instead of preloading. I am now doing (and recommending) so. It serves the same purpose (you do not need to require and load dotenv), has built-in expansion support, adds better debugging, and works with ANY language, framework, or platform. – motdotla
You can use the --require (-r) command line option to preload dotenv & dotenv-expand. By doing this, you do not need to require and load dotenv or dotenv-expand in your application code. This is the preferred approach when using import instead of require.
$ node -r dotenv-expand/config your_script.js
The configuration options below are supported as command line arguments in the format dotenv_config_<option>=value
$ node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/your/env/vars
Additionally, you can use environment variables to set configuration options. Command line arguments take precedence over these.
$ DOTENV_CONFIG_<OPTION>=value node -r dotenv-expand/config your_script.js
$ DOTENV_CONFIG_ENCODING=latin1 node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/.env
See tests/.env.test for simple and complex examples of variable expansion in your .env file.
dotenv-expand exposes one function:
expand will expand your environment variables.
const env = {
parsed: {
BASIC: 'basic',
BASIC_EXPAND: '${BASIC}',
BASIC_EXPAND_SIMPLE: '$BASIC'
}
}
console.log(dotenvExpand.expand(env))
Default: process.env
Specify an object to write your secrets to. Defaults to process.env environment variables.
const myEnv = {}
const env = {
processEnv: myEnv,
parsed: {
HELLO: 'World'
}
}
dotenvExpand.expand(env)
console.log(myEnv.HELLO) // World
console.log(process.env.HELLO) // undefined
See a full list of rules here.
process.env, for example pas$word)?
As of v12.0.0 dotenv-expand no longer expands process.env.
If you need this ability, use dotenvx by shipping an encrypted .env file with your code - allowing safe expansion at runtime.
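A check for the case above, where a secret contains a literal `$` (pas$word): this added example is not dotenv-expand's own code. It models only the `$NAME` and `${NAME}` forms shown on this page and flags references that no key in the file defines. The `\$` escape, the empty result for undefined names, the API_SECRET and ESCAPED sample lines and all function names are assumptions of the example.

```javascript
// Added example: a simplified model of $NAME / ${NAME}, not dotenv-expand's code.
// Assumptions: "\$" escapes a dollar sign; undefined names expand to ''.
const ref = () => /(\\)?\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))/g

// Constructed sample .env content (the first two lines are from the page).
const SAMPLE = [
  'PASSWORD="s1mpl3"',
  'DB_PASS=$PASSWORD',
  'API_SECRET=pas$word',
  'ESCAPED=pas\\$word'
].join('\n')

// Parse KEY=value lines (optional double quotes, no multiline values).
function parseEnv (text) {
  const parsed = Object.create(null) // no inherited keys such as "constructor"
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/)
    if (m) parsed[m[1]] = m[2].replace(/^"(.*)"$/, '$1')
  }
  return parsed
}

// Report every unescaped reference whose target the file does not define.
function lintReferences (parsed) {
  const findings = []
  for (const [key, value] of Object.entries(parsed)) {
    for (const m of value.matchAll(ref())) {
      const name = m[2] || m[3]
      if (!m[1] && !(name in parsed)) findings.push({ key, reference: m[0], name })
    }
  }
  return findings
}

// Expand one value; the `seen` set stops self-referencing keys from looping.
function expandValue (value, parsed, seen = new Set()) {
  return value.replace(ref(), (whole, esc, braced, bare) => {
    if (esc) return whole.slice(1) // drop the backslash, keep the literal $
    const name = braced || bare
    if (!(name in parsed) || seen.has(name)) return ''
    return expandValue(parsed[name], parsed, new Set(seen).add(name))
  })
}

const parsed = parseEnv(SAMPLE)
for (const f of lintReferences(parsed)) {
  console.log(`${f.key}: "${f.reference}" is undefined in this file; ` +
    `value would become "${expandValue(parsed[f.key], parsed)}"`)
}
```

A finding is a prompt for review: the reference may be a variable supplied by the machine environment rather than a secret that lost part of its value.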
Use dotenvx as dotenv-expand does not support this.
dotenv-expand is a separate module (without knowledge of the loading of process.env and the .env file) and so cannot reliably know what to override.
See CONTRIBUTING.md
See CHANGELOG.md
env-cmd is a simple node program for executing commands using an environment from an env file. It is similar to dotenv-expand in that it helps manage environment variables, but it does not support variable expansion.
cross-env allows you to run scripts that set and use environment variables across platforms. It is similar to dotenv-expand in the sense that it helps with environment variables, but it does not support .env file variable expansion.
envfile is a package to parse and stringify the envfile format. It is similar to dotenv-expand in that it works with .env files, but it does not support variable expansion within the .env file itself.
FAQs
Expand environment variables using dotenv
The npm package dotenv-expand receives a total of 17,748,593 weekly downloads. As such, dotenv-expand popularity was classified as popular.
We found that dotenv-expand demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.