Gathering detailed insights and metrics for dotenv-expand
Gathering detailed insights and metrics for dotenv-expand
Variable expansion for dotenv. Expand variables already on your machine for use in your .env file.
Installations
npm install dotenv-expandReleases
Unable to fetch releases
Developer
Developer Guide
BETA
Module System
CommonJS, ESM
Min. Node Version
>=12
Typescript Support
Yes
Node Version
22.4.1
NPM Version
10.8.1
Statistics
961 Stars
263 Commits
96 Forks
7 Watching
1 Branches
23 Contributors
Updated on 27 Nov 2024
Bundle Size
888.00 B
Minified
533.00 B
Minified + Gzipped
Languages
JavaScript (99.5%)
TypeScript (0.5%)
Total Downloads
Cumulative downloads
Total Downloads
2,424,531,260
Last day
-5.1%
3,226,557
Compared to previous day
Last week
2.9%
17,012,791
Compared to previous week
Last month
10%
70,966,121
Compared to previous month
Last year
24.9%
771,265,014
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
Dev Dependencies
5
Versions
🎉 announcing dotenvx. expansion AND command substitution, multi-environment, encrypted envs, and more.
Â
Dotenv libraries are supported by the community.
Special thanks to:
Get more done in the CLI with real text editing, block-based output, and AI command search.
Add Single Sign-On, Multi-Factor Auth, and more, in minutes instead of months.
dotenv-expand 
Dotenv-expand adds variable expansion on top of dotenv. If you find yourself needing to expand environment variables already existing on your machine, then dotenv-expand is your tool.
Install
1# Install locally (recommended) 2npm install dotenv-expand --save
Or installing with yarn? yarn add dotenv-expand
Usage
Create a .env file in the root of your project:
1PASSWORD="s1mpl3" 2DB_PASS=$PASSWORD
As early as possible in your application, import and configure dotenv and then expand dotenv:
1const dotenv = require('dotenv') 2const dotenvExpand = require('dotenv-expand') 3 4dotenvExpand.expand(dotenv.config()) 5 6console.log(process.env) // remove this after you've confirmed it is expanding
That's it. process.env now has the expanded keys and values you defined in your .env file.
dotenvExpand.expand(dotenv.config())
...
connectdb(process.env.DB_PASS)
Preload
Note: Consider using
dotenvxinstead of preloading. I am now doing (and recommending) so.It serves the same purpose (you do not need to require and load dotenv), has built-in expansion support, adds better debugging, and works with ANY language, framework, or platform. – motdotla
You can use the --require (-r) command line option to preload dotenv & dotenv-expand. By doing this, you do not need to require and load dotenv or dotenv-expand in your application code. This is the preferred approach when using import instead of require.
1$ node -r dotenv-expand/config your_script.js
The configuration options below are supported as command line arguments in the format dotenv_config_<option>=value
1$ node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/your/env/vars
Additionally, you can use environment variables to set configuration options. Command line arguments will precede these.
1$ DOTENV_CONFIG_<OPTION>=value node -r dotenv-expand/config your_script.js
1$ DOTENV_CONFIG_ENCODING=latin1 node -r dotenv-expand/config your_script.js dotenv_config_path=/custom/path/to/.env
Examples
See tests/.env.test for simple and complex examples of variable expansion in your .env
file.
Documentation
dotenv-expand exposes one function:
- expand
Expand
expand will expand your environment variables.
1const env = { 2 parsed: { 3 BASIC: 'basic', 4 BASIC_EXPAND: '${BASIC}', 5 BASIC_EXPAND_SIMPLE: '$BASIC' 6 } 7} 8 9console.log(dotenvExpand.expand(env))
Options
processEnv
Default: process.env
Specify an object to write your secrets to. Defaults to process.env environment variables.
1const myEnv = {} 2const env = { 3 processEnv: myEnv, 4 parsed: { 5 HELLO: 'World' 6 } 7} 8dotenvExpand.expand(env) 9 10console.log(myEnv.HELLO) // World 11console.log(process.env.HELLO) // undefined
FAQ
What rules does the expansion engine follow?
See a full list of rules here.
How can I avoid expanding pre-existing envs (already in my process.env, for example pas$word)?
As of v12.0.0 dotenv-expand no longer expands process.env.
If you need this ability, use dotenvx by shipping an encrypted .env file with your code - allowing safe expansion at runtime.
How can I override an existing environment variable?
Use dotenvx as dotenv-expand does not support this.
dotenv-expand is a separate module (without knowledge of the loading of process.env and the .env file) and so cannot reliably know what to override.
Contributing Guide
See CONTRIBUTING.md
CHANGELOG
See CHANGELOG.md
Who's using dotenv-expand?
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
24 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: BSD 2-Clause "Simplified" License: LICENSE:0
Reason
5 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Reason
Found 1/21 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/motdotla/dotenv-expand/ci.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:24
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 13 are checked with a SAST tool
Score
3.9
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More