Syed Jafer K

Its all about Trade-Offs

Migrating from .env to dotenvx

Official Link: https://github.com/motdotla/dotenv

As a developer, we used .env file where we used to store environmental variables.

As stated from founder,

Dotenv is a zero-dependency module that loads environment variables from a .env file into process.env. Storing configuration in the environment separate from code is based on The Twelve-Factor App methodology.

During software development, we use environment variables to access the secret values, segregation based on env and other details required for development.

Dotenv is a small software library that helps manage environment variables in applications. Environment variables are like little pieces of information your application needs to run, such as database passwords, API keys, and other configuration details.

Why is Dotenv Useful?

Imagine you have an app that needs to connect to a database. You don’t want to hard-code your database password directly into your app’s code because:

  1. Security: If someone gets access to your code, they’ll also get your password.
  2. Flexibility: If you ever need to change the password, you’d have to go through your code and update it everywhere.

Dotenv allows you to store these important pieces of information in a separate file, usually named .env. This file is kept out of the main codebase, making it easier to manage and more secure.

How Does Dotenv Work?

Here’s a step-by-step on how you might use dotenv:

  1. Create a .env File: In the root directory of your project, create a file named .env.
  2. Add Variables: Inside this file, you add your environment variables. It might look something like this:
DATABASE_URL=your-database-url
API_KEY=your-api-key

3. Load Variables in Your Code: In your application code, use dotenv to load these variables. Here’s a quick example in JavaScript using Node.js:

require('dotenv').config();

const dbUrl = process.env.DATABASE_URL;
const apiKey = process.env.API_KEY;

Benefits of Using Dotenv

  • Security: Sensitive information is not directly embedded in your code.
  • Ease of Use: It’s straightforward to update configuration settings without digging through the code.
  • Portability: You can easily share your project with others. They can create their own .env file with their settings without changing the code.

So no problems right ?

Not really, there are some problems within itself,

  1. If not handled properly, the .env file can be accidentally committed to version control systems like Git. This exposes sensitive information to anyone with access to the repository.
  2. The contents of a .env file are stored in plain text. If unauthorized users gain access to the server or development environment, they can easily read sensitive information.
  3. Managing multiple .env files for different environments (development, testing, staging, production) can become cumbersome and error-prone.
  4. Each time the application starts, dotenv has to read and parse the .env file. While this overhead is generally minimal, it can become noticeable in very large applications or performance-critical environments.
  5. Using dotenv adds an additional dependency to your project. While it’s a relatively small and stable library, it’s still something that needs to be maintained and kept up-to-date. ( <- This is my main concern )

What to do ?

The dotenv founder itself brought a upgraded version of dotenv; dotenvx.

dotenvx works the same across every language, framework, and platform – inject your env at runtime with dotenvx run -- your-cmd.

Installing dotenvx

https://dotenvx.com/docs#getting-started

# download it directly as a standalone binary
curl -sfS https://dotenvx.sh/install.sh | sh
dotenvx help

Run Anywhere

This is one of my main concern, that i need to install one extra package to my codebase and i need to do some code changes while deploying to different deployment environments.

With dotenvx, I can simply run my application without installing additional packages.

$ echo "HELLO=World" > .env 
$ echo 'import os;print("Hello " + os.getenv("HELLO", ""))' > index.py

$ dotenvx run -- python3 index.py
Hello World

Even for different environments, 

$ echo "HELLO=production" > .env.production
$ echo 'import os;print("Hello " + os.getenv("HELLO", ""))' > index.py

$ dotenvx run -f .env.production -- python3 index.py
Hello production

So for me, now it more handy to use .env