dotenv - npm Package Compare versions

Comparing version 16.4.5 to 16.4.6

CHANGELOG.md

@@ -5,4 +5,11 @@ # Changelog
 
-## [Unreleased](https://github.com/motdotla/dotenv/compare/v16.4.5...master)
+## [Unreleased](https://github.com/motdotla/dotenv/compare/v16.4.6...master)
 
+## [16.4.6](https://github.com/motdotla/dotenv/compare/v16.4.5...v16.4.6) (2024-12-02)
+
+### Changed
+
+- Clean up stale dev dependencies [#847](https://github.com/motdotla/dotenv/pull/847)
+- Various README updates clarifying usage and alternative solutions using [dotenvx](https://github.com/dotenvx/dotenvx)
+
 ## [16.4.5](https://github.com/motdotla/dotenv/compare/v16.4.4...v16.4.5) (2024-02-19)
@@ -12,3 +19,3 @@
 
-- 🐞 fix recent regression when using `path` option. return to historical behavior: do not attempt to auto find `.env` if `path` set. (regression was introduced in `16.4.3`) [#814](https://github.com/motdotla/dotenv/pull/814)
+- 🐞 Fix recent regression when using `path` option. return to historical behavior: do not attempt to auto find `.env` if `path` set. (regression was introduced in `16.4.3`) [#814](https://github.com/motdotla/dotenv/pull/814)
 
@@ -15,0 +22,0 @@ ## [16.4.4](https://github.com/motdotla/dotenv/compare/v16.4.3...v16.4.4) (2024-02-13)

package.json

 {
   "name": "dotenv",
-  "version": "16.4.5",
+  "version": "16.4.6",
   "description": "Loads environment variables from .env file",
@@ -24,6 +24,5 @@ "main": "lib/main.js",
     "lint": "standard",
-    "lint-readme": "standard-markdown",
     "pretest": "npm run lint && npm run dts-check",
-    "test": "tap tests/*.js --100 -Rspec",
-    "test:coverage": "tap --coverage-report=lcov",
+    "test": "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
+    "test:coverage": "tap run --show-full-coverage --timeout=60000 --coverage-report=lcov",
     "prerelease": "npm test",
@@ -49,11 +48,8 @@ "release": "standard-version"
   "devDependencies": {
-    "@definitelytyped/dtslint": "^0.0.133",
     "@types/node": "^18.11.3",
-    "decache": "^4.6.1",
+    "decache": "^4.6.2",
     "sinon": "^14.0.1",
     "standard": "^17.0.0",
-    "standard-markdown": "^7.1.0",
     "standard-version": "^9.5.0",
-    "tap": "^16.3.0",
-    "tar": "^6.1.11",
+    "tap": "^19.2.0",
     "typescript": "^4.8.4"
@@ -60,0 +56,0 @@ },

README.md

@@ -36,12 +36,2 @@ <div align="center">
 </a>
-<br/>
-<a href="https://runalloy.com/?utm_source=github&utm_medium=referral&utm_campaign=1224_dotenv">
-  <div>
-    <img src="https://res.cloudinary.com/dotenv-org/image/upload/c_crop,g_center,h_65,w_290,x_0,y_0/v1704258787/AlloyAutomation-logo_dqin8c.svg" width="370" alt="Alloy Automation">
-  </div>
-  <b>Launch user-facing integrations faster</b>
-  <div>
-    <sup>Easily spin up hundreds of integrations. Sign up free or read our docs first</sup>
-  </div>
-</a>
 <hr>
@@ -63,3 +53,3 @@ </div>
 * [🌴 Multiple Environments 🆕](#-manage-multiple-environments)
-* [🚀 Deploying (.env.vault) 🆕](#-deploying)
+* [🚀 Deploying (encryption) 🆕](#-deploying)
 * [📚 Examples](#-examples)
@@ -88,3 +78,3 @@ * [📖 Docs](#-documentation)
 
-Create a `.env` file in the root of your project:
+Create a `.env` file in the root of your project (if using a monorepo structure like `apps/backend/app.js`, put it in the root of the folder where your `app.js` process runs):
 
@@ -113,2 +103,3 @@ ```dosini
 require('dotenv').config()
+// or import 'dotenv/config' if you're using ES6
 
@@ -193,20 +184,38 @@ ...
 
+### Command Substitution
+
+Use [dotenvx](https://github.com/dotenvx/dotenvx) to use command substitution.
+
+Add the output of a command to one of your variables in your .env file.
+
+```ini
+# .env
+DATABASE_URL="postgres://$(whoami)@localhost/my_database"
+```
+```js
+// index.js
+console.log('DATABASE_URL', process.env.DATABASE_URL)
+```
+```sh
+$ dotenvx run --debug -- node index.js
+[dotenvx@0.14.1] injecting env (1) from .env
+DATABASE_URL postgres://yourusername@localhost/my_database
+```
+
 ### Syncing
 
-You need to keep `.env` files in sync between machines, environments, or team members? Use [dotenv-vault](https://github.com/dotenv-org/dotenv-vault).
+You need to keep `.env` files in sync between machines, environments, or team members? Use [dotenvx](https://github.com/dotenvx/dotenvx) to encrypt your `.env` files and safely include them in source control. This still subscribes to the twelve-factor app rules by generating a decryption key separate from code.
 
 ### Multiple Environments
 
-You need to manage your secrets across different environments and apply them as needed? Use a `.env.vault` file with a `DOTENV_KEY`.
+Use [dotenvx](https://github.com/dotenvx/dotenvx) to generate `.env.ci`, `.env.production` files, and more.
 
 ### Deploying
 
-You need to deploy your secrets in a cloud-agnostic manner? Use a `.env.vault` file. See [deploying `.env.vault` files](https://github.com/motdotla/dotenv/tree/master#-deploying).
+You need to deploy your secrets in a cloud-agnostic manner? Use [dotenvx](https://github.com/dotenvx/dotenvx) to generate a private decryption key that is set on your production server.
 
 ## 🌴 Manage Multiple Environments
 
-Use [dotenvx](https://github.com/dotenvx/dotenvx) or [dotenv-vault](https://github.com/dotenv-org/dotenv-vault).
+Use [dotenvx](https://github.com/dotenvx/dotenvx)
 
-### dotenvx
-
 Run any environment locally. Create a `.env.ENVIRONMENT` file and use `--env-file` to load it. It's straightforward, yet flexible.
@@ -236,41 +245,15 @@
 
-### dotenv-vault
+## 🚀 Deploying
 
-Edit your production environment variables.
+Use [dotenvx](https://github.com/dotenvx/dotenvx).
 
-```bash
-$ npx dotenv-vault open production
-```
+Add encryption to your `.env` files with a single command. Pass the `--encrypt` flag.
 
-Regenerate your `.env.vault` file.
-
-```bash
-$ npx dotenv-vault build
 ```
-
-*ℹ️  🔐 Vault Managed vs 💻 Locally Managed: The above example, for brevity's sake, used the 🔐 Vault Managed solution to manage your `.env.vault` file. You can instead use the 💻 Locally Managed solution. [Read more here](https://github.com/dotenv-org/dotenv-vault#how-do-i-use--locally-managed-dotenv-vault). Our vision is that other platforms and orchestration tools adopt the `.env.vault` standard as they did the `.env` standard. We don't expect to be the only ones providing tooling to manage and generate `.env.vault` files.*
-
-<a href="https://github.com/dotenv-org/dotenv-vault#-manage-multiple-environments">Learn more at dotenv-vault: Manage Multiple Environments</a>
-
-## 🚀 Deploying
-
-Use [dotenvx](https://github.com/dotenvx/dotenvx) or [dotenv-vault](https://github.com/dotenv-org/dotenv-vault).
-
-### dotenvx
-
-Encrypt your secrets to a `.env.vault` file and load from it (recommended for production and ci).
-
-```bash
-$ echo "HELLO=World" > .env
-$ echo "HELLO=production" > .env.production
+$ dotenvx set HELLO Production --encrypt -f .env.production
 $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
 
-$ dotenvx encrypt
-[dotenvx][info] encrypted to .env.vault (.env,.env.production)
-[dotenvx][info] keys added to .env.keys (DOTENV_KEY_PRODUCTION,DOTENV_KEY_PRODUCTION)
-
-$ DOTENV_KEY='<dotenv_key_production>' dotenvx run -- node index.js
-[dotenvx][info] loading env (1) from encrypted .env.vault
-Hello production
-^ :-]
+$ DOTENV_PRIVATE_KEY_PRODUCTION="<.env.production private key>" dotenvx run -- node index.js
+[dotenvx] injecting env (2) from .env.production
+Hello Production
 ```
@@ -280,31 +263,2 @@
 
-### dotenv-vault
-
-*Note: Requires dotenv >= 16.1.0*
-
-Encrypt your `.env.vault` file.
-
-```bash
-$ npx dotenv-vault build
-```
-
-Fetch your production `DOTENV_KEY`.
-
-```bash
-$ npx dotenv-vault keys production
-```
-
-Set `DOTENV_KEY` on your server.
-
-```bash
-# heroku example
-heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenvx.com/vault/.env.vault?environment=production
-```
-
-That's it! On deploy, your `.env.vault` file will be decrypted and its secrets injected as environment variables – just in time.
-
-*ℹ️ A note from [Mot](https://github.com/motdotla): Until recently, we did not have an opinion on how and where to store your secrets in production. We now strongly recommend generating a `.env.vault` file. It's the best way to prevent your secrets from being scattered across multiple servers and cloud providers – protecting you from breaches like the [CircleCI breach](https://techcrunch.com/2023/01/05/circleci-breach/). Also it unlocks interoperability WITHOUT native third-party integrations. Third-party integrations are [increasingly risky](https://coderpad.io/blog/development/heroku-github-breach/) to our industry. They may be the 'du jour' of today, but we imagine a better future.*
-
-<a href="https://github.com/dotenv-org/dotenv-vault#-deploying">Learn more at dotenv-vault: Deploying</a>
-
 ## 📚 Examples
@@ -318,3 +272,2 @@
 * [nodejs (processEnv override)](https://github.com/dotenv-org/examples/tree/master/usage/dotenv-custom-target)
-* [nodejs (DOTENV_KEY override)](https://github.com/dotenv-org/examples/tree/master/usage/dotenv-vault-custom-target)
 * [esm](https://github.com/dotenv-org/examples/tree/master/usage/dotenv-esm)
@@ -420,16 +373,6 @@ * [esm (preload)](https://github.com/dotenv-org/examples/tree/master/usage/dotenv-esm-preload)
 
-console.log(myObject) // values from .env or .env.vault live here now.
+console.log(myObject) // values from .env
 console.log(process.env) // this was not changed or written to
 ```
 
-##### DOTENV_KEY
-
-Default: `process.env.DOTENV_KEY`
-
-Pass the `DOTENV_KEY` directly to config options. Defaults to looking for `process.env.DOTENV_KEY` environment variable. Note this only applies to decrypting `.env.vault` files. If passed as null or undefined, or not passed at all, dotenv falls back to its traditional job of parsing a `.env` file.
-
-```js
-require('dotenv').config({ DOTENV_KEY: 'dotenv://:key_1234…@dotenvx.com/vault/.env.vault?environment=production' })
-```
-
 ### Parse
@@ -505,18 +448,2 @@
 
-### Decrypt
-
-The engine which decrypts the ciphertext contents of your .env.vault file is available for use. It accepts a ciphertext and a decryption key. It uses AES-256-GCM encryption.
-
-For example, decrypting a simple ciphertext:
-
-```js
-const dotenv = require('dotenv')
-const ciphertext = 's7NYXa809k/bVSPwIAmJhPJmEGTtU0hG58hOZy7I0ix6y5HP8LsHBsZCYC/gw5DDFy5DgOcyd18R'
-const decryptionKey = 'ddcaa26504cd70a6fef9801901c3981538563a1767c297cb8416e8a38c62fe00'
-
-const decrypted = dotenv.decrypt(ciphertext, decryptionKey)
-
-console.log(decrypted) // # development@v6\nALPHA="zeta"
-```
-
 ## ❓ FAQ
@@ -545,3 +472,3 @@
 
-We recommend creating on `.env` file per environment. Use `.env` for local/development, `.env.production` for production and so on. This still follows the twelve factor principles as each is attributed individually to its own environment. Avoid custom set ups that work in inheritance somehow (`.env.production` inherits values form `.env` for example). It is better to duplicate values if necessary across each `.env.environment` file.
+We recommend creating one `.env` file per environment. Use `.env` for local/development, `.env.production` for production and so on. This still follows the twelve factor principles as each is attributed individually to its own environment. Avoid custom set ups that work in inheritance somehow (`.env.production` inherits values form `.env` for example). It is better to duplicate values if necessary across each `.env.environment` file.
 
@@ -699,8 +626,4 @@ > In a twelve-factor app, env vars are granular controls, each fully orthogonal to other env vars. They are never grouped together as “environments”, but instead are independently managed for each deploy. This is a model that scales up smoothly as the app naturally expands into more deploys over its lifetime.
 
-Use [dotenv-vault](https://github.com/dotenv-org/dotenv-vault)
+Use [dotenvx](https://github.com/dotenvx/dotenvx)
 
-### What is a `.env.vault` file?
-
-A `.env.vault` file is an encrypted version of your development (and ci, staging, production, etc) environment variables. It is paired with a `DOTENV_KEY` to deploy your secrets more securely than scattering them across multiple platforms and tools. Use [dotenv-vault](https://github.com/dotenv-org/dotenv-vault) to manage and generate them.
-
 ### What if I accidentally commit my `.env` file to code?
@@ -707,0 +630,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

360629

increased by356.04%

Dev dependency count

7

decreased by-30%

Number of package files

36

increased by227.27%

Lines of code

3539

increased by654.58%

Worsened metrics

Number of lines in readme file

652

decreased by-10.56%

Number of medium supply chain risk alerts

1

increased byInfinity%

No dependency changes