eslint-plugin-no-process-env
Advanced tools
ESLint plugin that bans direct process.env access in application code
Disallow direct process.env access in application code and enforce a centralized environment configuration pattern.
Every use of process.env in application code is a dependency on your external environment, and those dependencies are often unsatisfied at runtime, lack validation, and have inconsistent fallbacks.
It's generally a good practice to centralize env var access into a single configuration file which makes them explicit and self-documenting, and creates an opportunity to validate, coerce types, and set default values where appropriate.
This rule won't help your app crash less, but it will help it crash earlier and more loudly!
npm i -D eslint eslint-plugin-no-process-env
yarn add -D eslint eslint-plugin-no-process-env
pnpm add -D eslint eslint-plugin-no-process-env
bun add -d eslint eslint-plugin-no-process-env
Tested with ESLint 8.57+, 9.x, and 10 alpha. Node 14.17+ for ESLint 8, 18.18+ for ESLint 9, 20.19+ for ESLint 10.
// eslint.config.mjs
import noProcessEnv from "eslint-plugin-no-process-env";
export default [
{
plugins: { "no-process-env": noProcessEnv },
rules: {
"no-process-env/no-process-env": "error",
},
},
];
// .eslintrc.cjs
module.exports = {
plugins: ["no-process-env"],
rules: {
"no-process-env/no-process-env": "error",
},
extends: ["plugin:no-process-env/legacy"],
};
env.ts patternCreating a boundary around your environment configuration is a good practice. Using a validation library like Zod makes it even easier to enforce consistent types and fallbacks.
env.ts at the root of your app:// env.ts
import { z } from "zod";
const schema = z.object({
DATABASE_URL: z.string().url(),
NODE_ENV: z.enum(["development", "test", "production"]),
DEBUG_LOGGING_ENABLED: z
.string()
.default("true")
.transform((val) => val !== "false"),
});
export const ENV = schema.parse(process.env);
env.ts elsewhere:// db/client.ts
import { ENV } from "./env";
const client = new Client({
connectionString: ENV.DATABASE_URL,
});
process.env is allowed only inside env.ts / env.js; everywhere else the rule will error.process.env.FOOconst { env } = process;process['env']It ignores:
env.ts or env.js.process identifiers (e.g., function process() {}).None. The rule is purposefully minimal.
npm run lint — lint sources and testsnpm run test — run rule tests (Vitest + ESLint RuleTester)npm run build — bundle to dist/ via TSUP (ESM + d.ts)The prepare script builds automatically on install from git, which matches npm’s publishing flow.
MIT
FAQs
ESLint plugin that bans direct process.env access in application code
We found that eslint-plugin-no-process-env demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.
Security News
CVE disclosures hit a record 48,185 in 2025, driven largely by vulnerabilities in third-party WordPress plugins.
Security News
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.