Why i should not use dotenv in production mode?

Question

Why I should not use dotenv in production mode ?

I saw the following code on some websites. But I did not understand why they are doing this condition check.

if (process.env.NODE_ENV !== 'production') {
  require('dotenv').config();
}
console.log('Bla is :', process.env.Bla);(*)

let assume that the output of the line(*) in not production mode is-> Bla is : Bla

what is the output of line (*) if the NODE_ENV is production? (According to my knowledge I think it will be undefined )

Answer 1

Because in production, you might want to set the environment variables directly into your virtual machine, as you might not have ssh access and you can't push .env file to your version control. In my case I'm using heroku free tier and I can't ssh to create a .env file. So I set my environment variables manually in the Config Vars settings.

Answer 2

Complementing the other answers, you would also create a security issue. You would be versioning (commiting to git) informations like database connections, tokens, and passwords. In this case everyone who access the code, would be able to connect to production resources.

To solve this, on production you create the env variables directly on the instance you are running the code.