All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
- support complex command substitution combining variable expansion (#490)
- add
-fk(--env-keys-file) flag to customize the path to your.env.keysfile withrun, get, set, encrypt, decrypt, and keypair🎉 (#486)
This is great for monorepos. Maintain one .env.keys file across all your apps.
$ dotenvx encrypt -fk .env.keys -f apps/backend/.env
$ dotenvx encrypt -fk .env.keys -f apps/frontend/.env
$ tree -a .
├── .env.keys
└── apps
├── backend
│ └── .env
└── frontend
└── .env
$ dotenvx get -fk .env.keys -f apps/backend/.env- add
--ignoreflag to suppress specified errors. example:dotenvx run --ignore=MISSING_ENV_FILE(#485)
.env.keysfile is generated WITHOUT quotes going forward. This is to minimize friction around Docker gotchas to developers - old versions of Docker do not support--env-filecontaining quoted keys/values. (#480) (additional note)
- add support for
\texpansion when double quoted. (e.g.TAB="hi\tfriend"becomeshi friend) (#479)
- build binaries with bytecode option (#477)
- add typescript type definitions for
main.parsemethod (#475)
- add
privateKeyoption tomain.parsemethod (#474)
- for binaries add pre-build step using esbuild (#471)
- remove types for functions that were removed a while back (2aa660)
- improve helpful error messaging around decryption failures by specifying specific key and private key name (#463)
- add
run --strictflag to exit with code1if any errors are encountered - like a missing.envfile or decryption failure (#460) - add
get --strictflag to exit with code1if any errors are encountered - like a missing.envfile or decryption failure (#461) - add
strictoption toconfig()to throw for any errors (#459)
- log
MISSING_ENV_FILEandDECRYPTION_FAILEDerrors to stderr (prior was stdout as a warning) (#459)
- remove
dotenvx.get()function fromlib/main.js. (parsealready historically exists for this purpose) (#461)
- 🐞 do not expand prior literal values (#458)
- do not expand command substitution (#456)
- 🐞 fix command substitution for more complex commands (#455)
- treat pre-existing expandable values as literal in
process.env(#450)
- bump
cross-spawnto prevent potential ReDoS CVE-2024-21538 (#449)
- support progressive append/update (#445)
FOO=foo
FOO=${FOO}bar
# foobar- support alternate value expansion (#445)
dotenvx.parsenow maps to dotenvx's internal parser. (prior it was mapping to dotenv's)
- removed
dotenvx.configDotenv(). usedotenvx.config()(#445)
- deeper variable expansion support and protection against self-referencing variables 🛡️ (#439)
- more lenient handling of
--separator and better error messaging when flags are ambiguous (#438)
- 🐞 patch loading order issue with single quotes (#436)
- add
--patternargument toext gitignore(dotenvx ext gitignore --pattern .env.keys) (#430)
- clarify next steps after first time encrypting (#430)
- for
--convention nextjsingnore.env.localfor TEST environment (#425) - for
precommitredirect missingdotenvxcommand using POSIX compliant redirection (#424) - make parent
dotenvx helpcommand less noisy by removing[options]. rundotenvx COMMAND -hto list all available options like always (#429)
🎓 now if you choose to single quote, double quote, no quote, or backtick your value it will be respected - including for encrypted values. this more intuitively handles complex cases like escaped characters, literals, and json.
- update eciesjs (#421)
- remove default values for ts interface - no longer permitted by latest ts (#419)
- respect
process.env.DOTENV_PRIVATE_KEYand/orprocess.env.DOTENV_PUBLIC_KEYonset(#401) - respect
process.env.DOTENV_PRIVATE_KEYand/orprocess.env.DOTENV_PUBLIC_KEYonencrypt(#411) - respect
process.env.DOTENV_PRIVATE_KEYondecrypt(#412) - change
logger.helpto use brighter blue (#414)
- remove
main.decrypt,encrypt,set(#410)
- 🐞 fix decrypt re-encrypt of values containing backslashes (#406)
- forward additional signals like
SIGUSR2(#403)
- if
SIGTERMorSIGINTsent, don't bubble wrapped process error (#402)
- support key glob filtering for
encryptanddecrypt. example:dotenvx encrypt -ek "NEXT_PUBLIC_*"(#397)
- escape user inputted regex groupings like
$1or$2. (#396)
setandencryptpreserve leading spaces (#395)
HELLO=world- improve escape and quote handling for
set,encrypt, anddecrypt(#395) - 🐞 fix
encrypt, thendecrypt, thenencrypton a json value (#377)
Note: the underlying replace engine to support these changes now wraps your values in single quotes. the prior replace engine wrapped in double quotes.
So where your .env used to look like this with double quotes:
HELLO="encrypted:1234"
API_KEY="encrypted:5678"It will now begin looking like this with single quotes:
HELLO='encrypted:1234'
API_KEY='encrypted:5678'It's an aesthetic side effect only. Your values will continue to be decrypted and encrypted correctly.
- add
--format=evaloption forget(#393)
- suppress stderr using
options.stdio(#391)
- add
--format=shelloption forkeypair(#389)
- swap
process.stdout.writeforconsole.logto patch up npx edge case (#387)
- run precommit hook only on staged files (#380)
- add
dotenvx keypaircommand for printing your public/private keypairs (#375)
- exit code 1 when
decryptfails in any way (#374)
- expose
getColorandboldtolib/main.js(#369)
- expose
loggerandsetLogLeveltolib/main.js-const = { logger, setLogLevel } = require('@dotenvx/dotenvx')(#368)
- move
lsto core commands (#367)
- return without quotations for
dotenvx get --format shell(#366)
- add
dotenvx get --format shelloption (#363)
- revert
tinyexecforexeca- to support usage in bun
- bump
tinyexecand add postrelease-bunx check (#362)
- fallback to
process.env.TERMfor color depth where deno and bun do not support it (#360)
- detect encoding when reading
.env*file onrun/get(#359)
- support encryption of
export KEYvariables and preserve#!shebangs(#357)
- add
--exclude-env-file (-ef)toext ls(#356)
ext precommitignorestests/directory (and similar) (#356)
- fix
prodisplay in help command
- ci: automate publishing to
winget(#354)
- default
configto empty[]array so thatDOTENV_KEY_${environment}looks up correctly (#352)
- check subfolders on
dotenvx ext precommithook (#350)
- remove
dotenvx ext vault, replace with dotenvx-ext-vault (install there to continue usingext vault) (#351)
- warn if private key is missing or blank (#349)
- add
--exclude-key(-ek) option todotenvx encryptanddotenvx decrypt(#344)
- preserve comments and spacing on first-time generation of .env.example file (#346)
- removed
winston- logger simplified to useconsole.loggoing forward (#347)
- use
ansicolors overrgb- for wider terminal coverage (#340) - replace
chalkwithpicocolorsandcolor-name- cutting down on 5 dependencies (#335) - replace
execawithtinyexec- cutting down on 15 dependencies (#328) - optimize
Ls._filepaths(#317)
- remove
picocolorsandcolor-name- cutting down on 2 dependencies (#340) - remove
ext hubfrom extension list (you can still install it as an extension here) (#337)
- 🐞 patch
chompfor interpolation. strip ending newline (was stripping first found newline) (#322)
- fix
dotenvx help(command was missing)
- adjust
dotenvx proto be dynamic if dotenvx-pro is installed user's machine
- add more detailed type definitions (#313)
- add support for
.env1(.env*) file format. (private key expands toDOTENV_PRIVATE_KEY_DEVELOPMENT1) (#312)
- add
dotenvx decryptcommand. works inversely todotenvx encrypt. same flags. (#294) - add
--stdoutoption todotenvx decrypt. example:dotenvx decrypt -f .env.production --stdout > somefile.txt(#298) - add
--stdoutoption todotenvx encrypt. example:dotenvx encrypt -f .env.production --stdout > somefile.txt(#298)
- smarter private key finder. if you rename your file to
secrets.txtit can still decrypt fromDOTENV_PRIVATE_KEYby seeking out the invert of theDOTENV_PUBLIC_KEYinsidesecrets.txt(#302)
- remove
dotenvx convert- still atdotenvx encrypt - remove
dotenvx vault- still atdotenvx ext vault
- add help text for dashed values on
set. example:dotenvx set KEY -- "- + * ÷"(#293)
- replace
@inquirer/confirmandora(#285)
- remove
dotenvx ext hub, replace with dotenvx-ext-hub (install there to continue using hub) (#291)
- remove update notice. let users decide what version they want without nagging them to update (#288)
- remove
dotenvx hub. still available atdotenvx ext hub(#290)
- 🐞 remove risky
prepareandpostinstallscripts and replace withnpm run patchfor development and binary building (#286)
- 🐞 make
patch-packageonly run locally withprepare(#283)
- encrypt specified keys with
--keyoption -dotenvx encrypt -k HELLO(#281)
- handle nested
dotenvxinvocations -dotenvx run -- dotenvx run -- env(#279)
- replace
globwith faster approach (#278)
- add TypeScript type definitions (#272)
- 🐞 fix expansion when preset on
process.envand/or with--overload(#271)
🎉 dotenvx has made it to 1.0.0. There are BREAKING CHANGES
- added
dotenvx set KEY value --plainto set plain text values - added
dotenvx ext🔌 as a location to place extensions likegititgnore,precommit,ls, and more. better than cluttering up core features likerun,get/set, andencrypt. - added
dotenvx pro🏆 command with coming soon and link to GitHub issue (if you wish to be notified of progress. will provide tooling/features for teams)
BREAKING ⚠️- turned on encryption by default for
dotenvx set(usedotenvx set KEY value --plainto set plain values) - renamed
dotenvx encrypttodotenvx ext vault encrypt(for managing.env.vaultfiles) - renamed
dotenvx converttodotenvx encrypt - moved
lstodotenvx ext ls - moved
genexampletodotenvx ext genexample - moved
gitignoretodotenvx ext gitignore - moved
prebuildtodotenvx ext prebuild - moved
precommittodotenvx ext precommit - moved
scantodotenvx ext scan - moved
hubtodotenvx ext hub - moved
vaulttodotenvx ext vault - moved
settingstodotenvx ext settings
- turned on encryption by default for
(for many of these moved commands, for example dotenvx genexample, still work in 1.0.0 but with a large deprecated notice - DEPRECATION NOTICE: [genexample] has moved to [dotenvx ext genexample]. Please change your muscle memory to dotenvx ext genexample, as these deprecated command paths will be removed in a later minor version. importantly dotenvx encrypt was not able to be preserved because as it is now in use for encrypted .env files rather than .env.vault files)
This is a BIG release that sets the tone for dotenvx's core offering and features while maintaining room for growth. Thank you everyone for your support and usage of dotenvx 🙏.
blog post: "From dotenv to dotenvx: Next Generation Config Management"
- Rename
dotenvx vault converttodotenvx vault migrate(#251) - Update
install.shregex version check to beshcompatible (not just bash)
- Added
checksums.txtas part of each release
- Removed
.githubfolder from published binaries on npm (example: npm code) - Add help message to
install.sh
- Automated deployment of
install.shalong with sanity checks (#250)
- Include
CHANGELOG.mdin npm release - Include
install.shin package release
- Fix license in
package.jsonto match project's license BSD-3.
- Respect decryption of zero length strings -
dotenvx set HELLO '' --encrypt(#236)
- Added
options.debug,options.verbose,options.quiet, andoptions.logLevelto.config()(#233)
- Patch
replacewhen replacing double, single, or backticked quoted at anywhere in the.envfile. (#232)
- Improved
replacefunction regex - to handle more edge case scenarios with replacing KEY/values (#227)
- Support
require('@dotenvx/dotenvx').config()forDOTENV_PRIVATE_KEYdecryption (#225)
- Added
.env.vault deprecatedwarning when usingDOTENV_KEY. Provide instructions to convert to encrypted.envfiles. (#224)
- Added
vault convertcommand to list convert instructions for converting.env.vaultto encrypted .env files (#222)
To convert your .env.vault file to encrypted .env file(s):
1. Run [dotenvx vault decrypt]
2. Run [ls -a .env*]
Lastly, convert each .env(.environment) file:
3. Run [dotenvx convert -f .env.production]
For example:
$ dotenvx convert -f .env
$ dotenvx convert -f .env.ci
$ dotenvx convert -f .env.production
Afterward:
Update production with your new DOTENV_PRIVATE_KEY_PRODUCTION located in .env.keys
Learn more at [https://dotenvx.com/docs/quickstart#add-encryption]- Rename
encryptmetoconvert(#222)
- Support encryption replacemnt of multiline values (#220)
- Added
dotenvx encryptmecommand to convert an entire.envfile to an encrypted.envfile. (#213)
- Made
precommitsmart enough to check if a.env*file is encrypted or not. If fully encrypted, then allowprecommitcheck to pass (#211)
- Do not warn of missing files for conventions (too noisy) (#216)
- Add
--conventionflag toget
- Removed help messages like 'in production' and 'in ci'. Too specific and could lead to confusion.
⚠️ DEPRECATION NOTICE: the following commands are being moved. Please, update any code and muscle memory you have related to these:dotenvx encrypt=>dotenvx vault encryptdotenvx decrypt=>dotenvx vault decryptdotenvx status=>dotenvx vault status
⚠️ DEPRECATION NOTICE: the betahubcommands are being completely deprecated (they will be fully removed in upcoming 1.0.0 release). We will provide .env.keys tooling at a later time (replacing hub) but in the context of the new--encryptflag functionality below
- Add encryption to your
.envfiles with a single command. Pass the--encryptflag. 🎉
$ dotenvx set HELLO World --encrypt
set HELLO with encryption (.env)
A
DOTENV_PUBLIC_KEY(encryption key) and aDOTENV_PRIVATE_KEY(decryption key) is generated using the same public-key cryptography as Bitcoin.
Further notes:
DOTENV_PUBLIC_KEYlives in the.envfile. You can safely share this with whomever you wish.DOTENV_PRIVATE_KEYlives in your.env.keysfile. Share this only with those you trust to decrypt your secrets.- If using encrypted
.envfiles like this it is safe to commmit them to source code. This makes reviewing PRs that contain secrets much easier. - Tell your contributors to contribute a secret using the command
dotenvx set HELLO world --encrypt. - Set your
DOTENV_PRIVATE_KEYon your server to decrypt these values usingdotenvx run -- yourcommand - You can repeat all this per environment by modifying your set command to
dotenvx set HELLO production -f .env.production --encrypt(for example) - In time we will add better tooling for sharing the private keys living in
.env.keys, but until then safely share with team members you trust. - This mechanism should be particularly useful for open source projects that want to permit secrets contributions without handing out the decryption keys. Now anyone can contribute a secret and only you can decrypt it to see what was changed.
- This solution is brand new, but I intend it to be the future for
.envfiles. It has many benefits over.env.vaultfiles. We will be sunsetting the.env.vaultmechanism but its tooling will stay around indotenvxfor at least 1 year to come - underdotenvx vaultparent command. - Be patient as we update our documentation to prioritize this improved encryption format for
.envfiles.
- warn when running
dotenvx statusagainst any untracked (not in .env.vault) files (#196)
- add
--convention nextjsflag todotenvx run(#193) - improve
statuserror message when decrypt fails or no.env*files (#192)
- handle
SIGTERM(#191)
- add
dotenvx statuscommand (#186) - add
dotenvx decrypt [directory]argument option (#186) - add
dotenvx decrypt --environmentflag option (#186) - normalize windows
\paths (#186)
- exit code
1ifget KEYnot found/undefined (#185)
- added
setcommand, and optionally pass--env-fileflag(s) tosetusage:dotenvx set HELLO World(#182)
- make
hub pushmore forgiving by permitting full filepath likehub push directory/.env.keys(#180) - add note on generated
.env.example(#181)
- patch injection around falsy values (#177)
- add .env.vault support for
.env.something.something(useful for Next.js pattern of .env.development.local) (#174)
- quiet exit code 1 message (#173)
- improve error messages (#171)
- add
hub logoutcommand (#170)
- small fixes for windows users related to
hub openandhub push(#169)
dotenvx get --quietwill display the value no matter what (adds ablank0logger level) (#161)
- refactor
dotenvx getto userununder the hood
- fix broken
hub loginandhub open(#160)
- patch situation where
DOTENV_KEYis present and--env-fileflag is set. assume to still look for.env.vaultfile as first in line (#157)
- respect order for
--env-vault-file,--env-fileand--envflags (for example:dotenvx run --env "HELLO=one" --env-file=.envwill prioritize--envflag. Add--overloadhere to prioritize--env-fileor reverse the order.). you can now mix and match multiple flags in any complex order you wish and dotenvx will respect it. (#155)
- add
dotenvx settingscommand to list your current settings. in the future we'll provide ways to modify these settings as dotenvx's functionality grows (#153)
- add windows postrelease step to check that
dotenvx.exeis functional immediately after release (#141)
- replace
package-jsonwithundici(#146) - prune redundant packages (#148)
- return current version if remote version fails (#149)
- switch to our own update notice mechanism (eliminating multiple deps) (#151)
- provide
.zipdownload option for windows executable (#140)
- remove
gotfrom top level deps (#139)
- move
update-notifierintolib/helpersfor more control overgotlib (#138) - move
clipboardyintolib/helpersfor more control and to support commonjs going forward (sindre has dropped support and many mature systems still require commonjs for their infra and have need of dotenvx). (#137)
- add
hub pullcommand to pull a repo's.env.keysdown. (#129)
- 🐞 patch bug with evaluate commands. do not attempt to evaluate risky preset envs in
process.env. evaluate only what's set in a.env*file (#125)
- expand
hub pushwith[directory]option. use for monorepos. for example:dotenvx hub push apps/backend(#121)
- add command substitution. for example
DATABASE_URL="postgres://$(whoami)@localhost/my_database"(#113)
- support personal environment variables. anything after the comment
# personal.dotenvx.comwill be considered personal and will not be encrypted to .env.vault (#110)
require('@dotenvx/dotenvx').config()expands/interpolates variables. this matches the behavior ofrun. (note that this behavior differs from the originalrequire('dotenv').config()(#107)
- expose
genexamplefunction onlib/main.jsfor export convenience (#102)
- rely on
whichnpm module to find system command path for user inputted command(s) (#105)
- remove
main.injectfunction (#102)
- added support for
--envflag on the.env.vaultdecryption portion ofrun(#101)
- use system command path (#98)
- added
--envflag. for example,dotenvx --env="HELLO=World" -- yourcommand(#94)
- patched up the
precommitcommand (#91)
- added
scancommand to scan for possible leaked secrets in your code (#90)
- added
getcommand, optionally pass--env-fileflag(s) toget, optionally pass--overload, and optionally pass--pretty-print. usage:dotenvx get HELLO=>World(#89)
- expose
main.encryptandmain.lsfunctions
- added
[directory]argument toencrypt. for example, in your nx repo from rootdotenvx encrypt apps/backendwill encrypt .env* files in that directory and manage the.env.keysand.env.vaultin that directory as well (#82)
- bumped
dotenvversion to fixencryptbug
- added
lscommand to list all your.env*files (#80) - added
--env-fileoptionls(#82) - optionally specify
--env-vault-filepath to.env.vault(defaults to.env.vault) (#73)
- 🐞 patch
--overloadflag logic (#66)
- 🐞 fix undici readablestream error (#65)
- use improved dotenv expansion (#62)
- patch esm issue. use update-notifier ^5.1.0
- Added
genexamplecommand. Generate.env.examplefrom your.envfile. (#49) - couple security patches (#50, #51)
- Added
decryptcommand. Decrypt.env.vaultto prospective.env*files..env.keysmust be present. (#48)
- Append to
.gitignorewithgitignorecommand (also.dockerignore,.npmignore, and.vercelignoreif existing) (#47)
- no longer append to
*ignorefiles automatically. too invasive. will provide as separate cli command (#45)
- Improve error message when decryption fails (#40)
- Rename
predockerbuildcommand toprebuild(#36)
- Add
predockerbuildcommand to prevent including.envfile in your docker builds (#35)
- If dotenvx is missing tell user how to install it from pre-commit (#34)
- Add help notice for ci (when .env file not present) (#33)
- Improve error message when custom
--env-filepassed (#32)
- Adjust
precommitverbosity and coloring - Add
--installflag to precommit - installs to.git/hooks/pre-commit(#31)
- Added
dotenvx precommitcommand and instructions for git pre-commit hook (#30)
Load axios with a try/catch depending on context 🐞 (#24)
Patched helpers.guessEnvironment bug when filepath contained a . in the folder name. 🐞 (#23)
Change path to axios in attempt for pkg to build correctly.
Add axios (missing) to package-lock.json
Create binaries with root:root defaults. (#21)
Tell user about undefined subprocess with additional debug logs (#19)
debug other signals send to execa process (#18)
Fix missed package.json#version
handle SIGINT (#17)
write to /latest only for releases repo (#15)
do not package README alongside binary. adds noise to a user's machine. keep their machine shiny. (#14)
tell user what to do next (#13)
do not log when error code is 0 (#12)
tell user when no changes to re-encrypt (#11)
added help text when user's command fails. include link to report issue (#10)
added next step help message when running dotenvx run with no argument (#9)
help includes a command example as well as a full working 'try it out' example (#8)
made the info messaging more succinct (#7)
added tagged images to hub.docker.com/u/dotenv
fixed the .env.keys file comment. spacing was off. (#6)
added help text to encrypt. (#5)
removed the pad on the logging level. didn't look good when running in default INFO mode. (#4)
prevent committing a .env* file to code. append to .gitignore, .dockerignore, .vercelignore, and .npmignore 🗂️ (#3)
run support for .env.vault files 🔑 (#2)
encrypt 🔐 (#1)
Please see commit history.