Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
dotenv-mono
This package lets you load a dotenv file even from child applications or packages of a monorepo. It also contains some additional features, such as manipulating the dotenv file and saving changes to it.
To prevent code duplication and enhance re-usability, a centralized configuration including all of your environment variables might be handy.
Rather than generating a .env file for each package, we may utilize a single .env file at the project's root.
This is a package that allows monorepo applications and packages to share and load a centralized dotenv. It is built on the dotenv package.
It also includes some extra features such as manipulation and saving of changes to the dotenv file.
The plugin dotenv-expand is enabled by default.
├── .env
├── packages
│ ├── ui-library
│ ├── other-library
├── apps
│ ├── web
│ ├── docs
The package searches for the first .env file that matches the priority criteria by walking up the parent directories.
Starting from the current process directory, this package finds the first file that matches the best filepath and filename criteria with the highest priority. The further up the directory tree a file is found, the lower its priority.
The priority can be customized in the configuration with the priorities property; see the example in the usage section below.
Note: The allowed values for NODE_ENV are usually test, development and production.
Priority | Filename |
---|---|
75 | .env.$(NODE_ENV).local |
50 | .env.local |
25 | .env.$(NODE_ENV) |
1 | .env |
Given the following folder structure with dotenv files:
├── .env
├── .env.production
├── apps
│ ├── .env.development
│ ├── web
│ ├── docs
│ │ ├── .env
│ │ ├── .env.local
Having the following priority order:
Path | Priority | Depth |
---|---|---|
.env | 1 | 2 |
.env.production | 25 | 2 |
apps/.env.development | 25 | 1 |
apps/docs/.env | 1 | 0 |
apps/docs/.env.local | 50 | 0 |
Then we will have the following outcome scenarios:
Current working directory | Env | Match |
---|---|---|
/ | development | .env |
/ | production | .env.production |
apps/web | development | .env |
apps/web | development | apps/.env.development |
apps/docs | development | apps/docs/.env.local |
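Because the search walks up parent directories, a dotenv file that sits above the repository root (for example in a shared CI workspace or a home directory) can fall within reach of the loader. The following audit helper is an added example, not part of dotenv-mono or the original README; the function names, the sample tree and the reading of depth as "cwd plus that many parents" are assumptions made for illustration.

```javascript
// Added example, not dotenv-mono code: list dotenv files a walk-up search can reach.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Filenames from the priority table on this page.
const candidateNames = (nodeEnv) =>
  [`.env.${nodeEnv}.local`, ".env.local", `.env.${nodeEnv}`, ".env"];

// Assumption: scan cwd plus `depth` parents, a deliberate superset of what
// the loader may visit, so the audit does not under-report.
function reachableDotenvFiles(cwd, { depth = 4, nodeEnv = "development" } = {}) {
  const found = [];
  let dir = path.resolve(cwd);
  for (let level = 0; level <= depth; level++) {
    for (const name of candidateNames(nodeEnv)) {
      const file = path.join(dir, name);
      if (fs.existsSync(file)) found.push(file);
    }
    const parent = path.dirname(dir);
    if (parent === dir) break; // filesystem root reached
    dir = parent;
  }
  return found;
}

// Split reachable files by whether they live inside the repository root.
function auditDotenvReach(cwd, repoRoot, options) {
  const root = path.resolve(repoRoot);
  const report = { inside: [], outside: [] };
  for (const file of reachableDotenvFiles(cwd, options)) {
    const rel = path.relative(root, file);
    const escapes = path.isAbsolute(rel) || rel.split(path.sep)[0] === "..";
    (escapes ? report.outside : report.inside).push(file);
  }
  return report;
}

// Constructed sample tree: one dotenv inside the repo, one above it.
function buildSampleTree() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "dotenv-audit-"));
  const repo = path.join(base, "outer", "repo");
  const cwd = path.join(repo, "apps", "web");
  fs.mkdirSync(cwd, { recursive: true });
  fs.writeFileSync(path.join(base, "outer", ".env"), "API_KEY=constructed\n");
  fs.writeFileSync(path.join(repo, ".env.local"), "API_KEY=constructed\n");
  return { repo, cwd };
}
const sample = buildSampleTree();
console.log(auditDotenvReach(sample.cwd, sample.repo));
```

If the `outside` list is non-empty, lowering the `depth` setting or pinning the file with the `path` setting (both listed in the configuration table below) keeps the loader inside the repository.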
Install the library with npm or yarn by running one of the following commands:
npm | yarn |
---|---|
npm install dotenv-mono --save | yarn add dotenv-mono |
For custom advanced configuration of Next.js, you can create a next.config.js or next.config.mjs file in the root of your project directory (next to package.json).
Add the following line at the top of the file:
require("dotenv-mono").load();
require("dotenv-mono").load();
/**
 * @type {import('next').NextConfig}
 */
const nextConfig = {
  /* config options here */
};
module.exports = nextConfig;
Simple methods to export environment variables from the dotenv into the working process. Here are several potential implementation approaches based on your preferences.
// Inline
require("dotenv-mono").load(/* config */);
// Using the function
const {dotenvLoad} = require("dotenv-mono");
dotenvLoad(/* config */);
// Using import
import {dotenvLoad} from "dotenv-mono";
const dotenv = dotenvLoad(); // Dotenv instance
// Using the class
const {Dotenv} = require("dotenv-mono");
const dotenv = new Dotenv(/* config */);
dotenv.load();
If you need a quick way to replace the dotenv package with dotenv-mono and also need backward compatibility, the config method returns its output directly, in the same form as the dotenv package.
// Inline
const output = require("dotenv-mono").config(/* config */);
// Using the function
const {dotenvConfig} = require("dotenv-mono");
const output = dotenvConfig(/* config */);
// Use `.env.server` or `.env.server.local`, etc...
load({extension: "server"});
// You can specify the file path
load({path: "../../configs/.env"});
// Disable the dotenv-expand extension
load({expand: false});
// If `.env.overwrite` is present, use it with max priority
load({
  priorities: {
    ".env.overwrite": 100,
  },
});
const dotenv = require("dotenv-mono").load();
dotenv.save({"MY_ENV_1": "enjoy"});
// Without loading into the working process
const {Dotenv} = require("dotenv-mono");
const dotenv = new Dotenv();
dotenv.loadFile(); // Skip loading into the process
dotenv.save({
  "MY_ENV_1": "enjoy",
  "MY_ENV_2": "'enjoy quotes'",
  "MY_ENV_3": 999,
});
Setting | Description | Default |
---|---|---|
cwd | Specify the current working directory | process.cwd() |
debug | Turn on/off logging to help debug why certain keys or values are not being set as you expect | false |
depth | Specify the max depth to reach finding up the folder from the children directory | 4 |
encoding | Specify the encoding of your file containing environment variables | utf8 |
expand | Turn on/off the dotenv-expand plugin | true |
extension | Specify to load specific dotenv file used only on specific apps/packages (ex. .env.server... ) | |
override | Override any environment variables that have already been set on your machine with values from your .env file | false |
path | Specify a custom path if your file containing environment variables is located elsewhere | |
priorities | Specify the criteria of the filename priority to load as dotenv file | See Priorities |
It reads your .env file following the criteria, parses the contents, and assigns them to process.env.
NOTE: This method differs from the previous load function in that it requires the configuration to be loaded on the class instance via the constructor.
public load(loadOnProcess: boolean): Dotenv;
It reads your .env file following the criteria and parses the contents, leaving them ready to be read or changed programmatically.
public loadFile(): Dotenv;
Merges the input data with the data loaded by load or loadFile, and saves the changes to the original dotenv file.
public save(changes: Record<string, any>): Dotenv;
See the dotenv documentation.
public parse<T extends Record<string, any> = Record<string, any>>(src: string | Buffer): T;
Have an idea? Found a bug? Please open an issue or a pull request. Contributions are welcome and greatly appreciated! Every little bit helps, and credit will always be given.
FAQs
This package provides a centralized dotenv for a monorepo. It also includes some extra features such as manipulation and saving of changes to the dotenv file, a default centralized file, and a file loader with ordering and priorities.
The npm package dotenv-mono receives a total of 18,402 weekly downloads. As such, dotenv-mono popularity was classified as popular.
We found that dotenv-mono demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.