
Why should dotenv files not be checked in?

I'm new to nodejs, so forgive me if my question is too trivial. I'm creating an environment file using dotenv.

However, on their website, they recommend against checking in the .env file. So, I was wondering, if this file is not checked in, how will I tell the other developers about the environment variables that the application needs? They would be required to fill out the values of the environment variables because they could be used in all the places in the js (server, config) files. And it would be non-trivial to look at every file that uses env variables and replace them? Unless I'm missing something entirely.

Any help is much appreciated.

ANewGuyInTown asked Feb 03 '17 00:02



1 Answer

Environment variables are typically used for environment-specific configuration values, like database credentials, API endpoints, and so on. Since they're environment-specific, and usually hold sensitive data like database credentials, .env files should not be committed.

If you want to show which environment variables are used, one method is to create and commit a sample file:

.env.sample

DB_HOST=localhost
DB_USERNAME=
DB_PASSWORD=
DB_DATABASE=our_project

Then it's up to the other developers to copy the same and create their own .env file (or just populate the relevant environment variables on their system).

Agop answered Oct 12 '22 21:10
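
Added example, not part of the answer above and not dotenv's own code: a startup check that uses the committed .env.sample as the list of required variables, and a companion check that the sample itself carries no values for secret-looking names. The function names (parseEnv, missingVars, filledSecrets), the SENSITIVE pattern and the local environment object are assumptions made for illustration.

```javascript
// Added example: fail fast when variables declared in the committed
// .env.sample are missing, and keep real secrets out of that sample file.

// Parse dotenv-style text (NAME=value lines) into an object.
// Handles blank lines, # comments, an optional "export " prefix and quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // not a NAME=value line
    vars[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2'); // strip matching quotes
  }
  return vars;
}

// Names listed in the sample that are unset or empty in the real environment.
function missingVars(sampleText, env) {
  return Object.keys(parseEnv(sampleText))
    .filter((name) => env[name] === undefined || env[name] === '');
}

// Secret-looking names that carry a value in the sample. The sample is
// committed, so these should stay blank placeholders. (Hypothetical pattern.)
const SENSITIVE = /PASS|SECRET|TOKEN|KEY|CREDENTIAL/i;
function filledSecrets(sampleText) {
  return Object.entries(parseEnv(sampleText))
    .filter(([name, value]) => SENSITIVE.test(name) && value !== '')
    .map(([name]) => name);
}

// Constructed input: the answer's .env.sample and a made-up local environment.
const SAMPLE = [
  'DB_HOST=localhost',
  'DB_USERNAME=',
  'DB_PASSWORD=',
  'DB_DATABASE=our_project',
].join('\n');
const localEnv = { DB_HOST: 'localhost', DB_USERNAME: 'dev', DB_DATABASE: 'our_project' };

console.log('missing from environment:', missingVars(SAMPLE, localEnv));
console.log('secrets filled in sample:', filledSecrets(SAMPLE));
```

In a real project the sample text would come from reading .env.sample from disk and the second argument would be process.env after dotenv has loaded; filledSecrets fits a pre-commit or CI step.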