Gathering detailed insights and metrics for @maximumquiet/dotenv-expand
Gathering detailed insights and metrics for @maximumquiet/dotenv-expand
Variable expansion for dotenv. Expand variables already on your machine for use in your .env file.
Installations
npm install @maximumquiet/dotenv-expandDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=12
Node Version
19.0.0
NPM Version
8.19.2
Releases
Unable to fetch releases
Languages
2
JavaScript
TypeScript
JavaScript (99.5%)
TypeScript (0.5%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
BSD-2-Clause License
1,011 Stars
267 Commits
98 Forks
5 Watchers
1 Branches
23 Contributors
Updated on Jul 08, 2025
Maintainers
1
Package Meta Information
Latest Version
9.0.1
Package Id
@maximumquiet/dotenv-expand@9.0.1
Unpacked Size
12.85 kB
Size
5.28 kB
File Count
7
NPM Version
8.19.2
Node Version
19.0.0
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
6
Dotenv libraries are supported by the community.
Special thanks to:
Get more done in the CLI with real text editing, block-based output, and AI command search.
Build UIs visually with flexible components, connect to any data source, and write business logic in JavaScript.
Add Single Sign-On, Multi-Factor Auth, and more, in minutes instead of months.
dotenv-expand
Dotenv-expand adds variable expansion on top of dotenv. If you find yourself needing to expand environment variables already existing on your machine, then dotenv-expand is your tool.
Install
1# Install locally (recommended) 2npm install dotenv-expand --save
Or installing with yarn? yarn add dotenv-expand
Usage
Create a .env file in the root of your project:
1PASSWORD="s1mpl3" 2DB_PASS=$PASSWORD 3
As early as possible in your application, import and configure dotenv and then expand dotenv:
1var dotenv = require('dotenv') 2var dotenvExpand = require('dotenv-expand') 3 4var myEnv = dotenv.config() 5dotenvExpand.expand(myEnv) 6 7console.log(process.env)
That's it. process.env now has the expanded keys and values you defined in your .env file.
Preload
You can use the --require (-r) command line option to preload dotenv & dotenv-
. By doing this, you do not need to require and load dotenv or dotenv-expand in your application code. This is the preferred approach when using import instead of require.
1$ node -r dotenv-expand/config your_script.js
The configuration options below are supported as command line arguments in the format dotenv_config_<option>=value
1$ node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/your/env/vars
Additionally, you can use environment variables to set configuration options. Command line arguments will precede these.
1$ DOTENV_CONFIG_<OPTION>=value node -r dotenv-expand/config your_script.js
1$ DOTENV_CONFIG_ENCODING=latin1 node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/.env
Examples
See tests/.env for simple and complex examples of variable expansion in your .env
file.
Documentation
DotenvExpand exposes one function:
- expand
Expand
expand will expand your environment variables.
1const dotenv = { 2 parsed: { 3 BASIC: 'basic', 4 BASIC_EXPAND: '${BASIC}', 5 BASIC_EXPAND_SIMPLE: '$BASIC' 6 } 7} 8 9const obj = dotenvExpand.expand(dotenv) 10 11console.log(obj)
Options
ignoreProcessEnv
Default: false
Turn off writing to process.env.
1const dotenv = { 2 ignoreProcessEnv: true, 3 parsed: { 4 SHOULD_NOT_EXIST: 'testing' 5 } 6} 7const obj = dotenvExpand.expand(dotenv).parsed 8 9console.log(obj.SHOULD_NOT_EXIST) // testing 10console.log(process.env.SHOULD_NOT_EXIST) // undefined
FAQ
What rules does the expansion engine follow?
The expansion engine roughly has the following rules:
$KEYwill expand any env with the nameKEY${KEY}will expand any env with the nameKEY\$KEYwill escape the$KEYrather than expand${KEY:-default}will first attempt to expand any env with the nameKEY. If not one, then it will returndefault
You can see a full list of examples here.
Contributing Guide
See CONTRIBUTING.md
CHANGELOG
See CHANGELOG.md
Who's using dotenv-expand?
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: BSD 2-Clause "Simplified" License: LICENSE:0
Reason
4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Reason
7 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Reason
Found 1/22 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:24
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 11 are checked with a SAST tool
Score
3.1
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More