Verification, sanitization, and type coercion for environment variables in Node.js
Verification, sanitization, and type coercion for environment variables in Node.js and web applications. Supports TypeScript!
env-varenv-varnpm install env-var
yarn add env-var
You can use env-var in both JavaScript and TypeScript!
const env = require('env-var');
// Or using module import syntax:
// import env from 'env-var'
const PASSWORD = env.get('DB_PASSWORD')
// Throws an error if the DB_PASSWORD variable is not set (optional)
.required()
// Decode DB_PASSWORD from base64 to a utf8 string (optional)
.convertFromBase64()
// Call asString (or other APIs) to get the variable value (required)
.asString();
// Read in a port (checks that PORT is in the range 0 to 65535)
// Alternatively, use a default value of 5432 if PORT is not defined
const PORT = env.get('PORT').default('5432').asPortNumber()
import * as env from 'env-var';
// Read a PORT environment variable and ensure it's a positive integer.
// An EnvVarError will be thrown if the variable is not set, or if it
// is not a positive integer.
const PORT: number = env.get('PORT').required().asIntPositive();
When using environment variables in a web application, usually your tooling
such as vite imposes special conventions and doesn't expose process.env.
Use from function to workaround this, and create an env object like so:
import { from } from 'env-var'
const env = from({
BASE_URL: import.meta.env.BASE_URL,
VITE_CUSTOM_VARIABLE: import.meta.env.CUSTOM_VARIABLE
})
For more examples, refer to the /example directory and EXAMPLE.md. A summary of the examples available in /example is written in the 'Other examples' section of EXAMPLE.md.
The examples above only cover a very small set of env-var API calls. There are many others such as asFloatPositive(), asJson() and asRegExp(). For a full list of env-var API calls, check out API.md.
You can also create your own custom accessor; refer to the 'extraAccessors' section of API.md.
Logging is disabled by default in env-var to prevent accidental logging of secrets.
To enable logging, you need to create an env-var instance using the from() function that the API provides and pass in a logger.
The built-in logger will print logs only when NODE_ENV is not set to either prod or production.
const { from, logger } = require('env-var')
const env = from(process.env, {}, logger)
const API_KEY = env.get('API_KEY').required().asString()
This is an example output from the built-in logger generated by running example/logging.js:
If you need to filter env-var logs based on log levels (e.g. trace logging only) or have your own preferred logger, you can use a custom logging solution such as pino easily.
See the 'Custom logging' section of EXAMPLE.md for more information.
You can optionally use dotenv with env-var.
There is no coupling between dotenv and env-var, but you can easily use them both together. This loose coupling reduces package bloat and allows you to start or stop using one without being forced to do the same for the other.
See the 'dotenv' section of EXAMPLE.md for more information.
Contributions are welcomed and discussed in CONTRIBUTING.md. If you would like to discuss an idea, open an issue or a PR with an initial implementation.
dotenv is a popular package for loading environment variables from a .env file into process.env. It does not provide validation or type conversion features like env-var, but it is widely used for managing environment variables in development.
joi is a powerful schema description language and data validator for JavaScript. While it is not specifically designed for environment variables, it can be used to validate them. It offers more complex validation rules compared to env-var.
convict is a configuration management tool for Node.js that allows you to define a schema for your configuration, including environment variables. It provides validation and default values, similar to env-var, but also supports nested configurations and different configuration sources.
FAQs
Verification, sanitization, and type coercion for environment variables in Node.js
The npm package env-var receives a total of 766,104 weekly downloads. As such, env-var popularity was classified as popular.
We found that env-var demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Company News
Socket won two 2026 Reppy Awards from RepVue, ranking in the top 5% of all sales orgs. AE Alexandra Lister shares what it's like to grow a sales career here.
Security News
NIST will stop enriching most CVEs under a new risk-based model, narrowing the NVD's scope as vulnerability submissions continue to surge.
Company News
/Security News
Socket is an initial recipient of OpenAI's Cybersecurity Grant Program, which commits $10M in API credits to defenders securing open source software.