All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
- Add
--conventionflag toget
- Removed help messages like 'in production' and 'in ci'. Too specific and could lead to confusion.
⚠️ DEPRECATION NOTICE: the following commands are being moved. Please, update any code and muscle memory you have related to these:dotenvx encrypt=>dotenvx vault encryptdotenvx decrypt=>dotenvx vault decryptdotenvx status=>dotenvx vault status
⚠️ DEPRECATION NOTICE: the betahubcommands are being completely deprecated (they will be fully removed in upcoming 1.0.0 release). We will provide .env.keys tooling at a later time (replacing hub) but in the context of the new--encryptflag functionality below
- Add encryption to your
.envfiles with a single command. Pass the--encryptflag. 🎉
$ dotenvx set HELLO World --encrypt
set HELLO with encryption (.env)
A
DOTENV_PUBLIC_KEY(encryption key) and aDOTENV_PRIVATE_KEY(decryption key) is generated using the same public-key cryptography as Bitcoin.
Further notes:
DOTENV_PUBLIC_KEYlives in the.envfile. You can safely share this with whomever you wish.DOTENV_PRIVATE_KEYlives in your.env.keysfile. Share this only with those you trust to decrypt your secrets.- If using encrypted
.envfiles like this it is safe to commmit them to source code. This makes reviewing PRs that contain secrets much easier. - Tell your contributors to contribute a secret using the command
dotenvx set HELLO world --encrypt. - Set your
DOTENV_PRIVATE_KEYon your server to decrypt these values usingdotenvx run -- yourcommand - You can repeat all this per environment by modifying your set command to
dotenvx set HELLO production -f .env.production --encrypt(for example) - In time we will add better tooling for sharing the private keys living in
.env.keys, but until then safely share with team members you trust. - This mechanism should be particularly useful for open source projects that want to permit secrets contributions without handing out the decryption keys. Now anyone can contribute a secret and only you can decrypt it to see what was changed.
- This solution is brand new, but I intend it to be the future for
.envfiles. It has many benefits over.env.vaultfiles. We will be sunsetting the.env.vaultmechanism but its tooling will stay around indotenvxfor at least 1 year to come - underdotenvx vaultparent command. - Be patient as we update our documentation to prioritize this improved encryption format for
.envfiles.
- warn when running
dotenvx statusagainst any untracked (not in .env.vault) files (#196)
- add
--convention nextjsflag todotenvx run(#193) - improve
statuserror message when decrypt fails or no.env*files (#192)
- handle
SIGTERM(#191)
- add
dotenvx statuscommand (#186) - add
dotenvx decrypt [directory]argument option (#186) - add
dotenvx decrypt --environmentflag option (#186) - normalize windows
\paths (#186)
- exit code
1ifget KEYnot found/undefined (#185)
- added
setcommand, and optionally pass--env-fileflag(s) tosetusage:dotenvx set HELLO World(#182)
- make
hub pushmore forgiving by permitting full filepath likehub push directory/.env.keys(#180) - add note on generated
.env.example(#181)
- patch injection around falsy values (#177)
- add .env.vault support for
.env.something.something(useful for Next.js pattern of .env.development.local) (#174)
- quiet exit code 1 message (#173)
- improve error messages (#171)
- add
hub logoutcommand (#170)
- small fixes for windows users related to
hub openandhub push(#169)
dotenvx get --quietwill display the value no matter what (adds ablank0logger level) (#161)
- refactor
dotenvx getto userununder the hood
- fix broken
hub loginandhub open(#160)
- patch situation where
DOTENV_KEYis present and--env-fileflag is set. assume to still look for.env.vaultfile as first in line (#157)
- respect order for
--env-vault-file,--env-fileand--envflags (for example:dotenvx run --env "HELLO=one" --env-file=.envwill prioritize--envflag. Add--overloadhere to prioritize--env-fileor reverse the order.). you can now mix and match multiple flags in any complex order you wish and dotenvx will respect it. (#155)
- add
dotenvx settingscommand to list your current settings. in the future we'll provide ways to modify these settings as dotenvx's functionality grows (#153)
- add windows postrelease step to check that
dotenvx.exeis functional immediately after release (#141)
- replace
package-jsonwithundici(#146) - prune redundant packages (#148)
- return current version if remote version fails (#149)
- switch to our own update notice mechanism (eliminating multiple deps) (#151)
- provide
.zipdownload option for windows executable (#140)
- remove
gotfrom top level deps (#139)
- move
update-notifierintolib/helpersfor more control overgotlib (#138) - move
clipboardyintolib/helpersfor more control and to support commonjs going forward (sindre has dropped support and many mature systems still require commonjs for their infra and have need of dotenvx). (#137)
- add
hub pullcommand to pull a repo's.env.keysdown. (#129)
- 🐞 patch bug with evaluate commands. do not attempt to evaluate risky preset envs in
process.env. evaluate only what's set in a.env*file (#125)
- expand
hub pushwith[directory]option. use for monorepos. for example:dotenvx hub push apps/backend(#121)
- add command substitution. for example
DATABASE_URL="postgres://$(whoami)@localhost/my_database"(#113)
- support personal environment variables. anything after the comment
# personal.dotenvx.comwill be considered personal and will not be encrypted to .env.vault (#110)
require('@dotenvx/dotenvx').config()expands/interpolates variables. this matches the behavior ofrun. (note that this behavior differs from the originalrequire('dotenv').config()(#107)
- expose
genexamplefunction onlib/main.jsfor export convenience (#102)
- rely on
whichnpm module to find system command path for user inputted command(s) (#105)
- remove
main.injectfunction (#102)
- added support for
--envflag on the.env.vaultdecryption portion ofrun(#101)
- use system command path (#98)
- added
--envflag. for example,dotenvx --env="HELLO=World" -- yourcommand(#94)
- patched up the
precommitcommand (#91)
- added
scancommand to scan for possible leaked secrets in your code (#90)
- added
getcommand, optionally pass--env-fileflag(s) toget, optionally pass--overload, and optionally pass--pretty-print. usage:dotenvx get HELLO=>World(#89)
- expose
main.encryptandmain.lsfunctions
- added
[directory]argument toencrypt. for example, in your nx repo from rootdotenvx encrypt apps/backendwill encrypt .env* files in that directory and manage the.env.keysand.env.vaultin that directory as well (#82)
- bumped
dotenvversion to fixencryptbug
- added
lscommand to list all your.env*files (#80) - added
--env-fileoptionls(#82) - optionally specify
--env-vault-filepath to.env.vault(defaults to.env.vault) (#73)
- 🐞 patch
--overloadflag logic (#66)
- 🐞 fix undici readablestream error (#65)
- use improved dotenv expansion (#62)
- patch esm issue. use update-notifier ^5.1.0
- Added
genexamplecommand. Generate.env.examplefrom your.envfile. (#49) - couple security patches (#50, #51)
- Added
decryptcommand. Decrypt.env.vaultto prospective.env*files..env.keysmust be present. (#48)
- Append to
.gitignorewithgitignorecommand (also.dockerignore,.npmignore, and.vercelignoreif existing) (#47)
- no longer append to
*ignorefiles automatically. too invasive. will provide as separate cli command (#45)
- Improve error message when decryption fails (#40)
- Rename
predockerbuildcommand toprebuild(#36)
- Add
predockerbuildcommand to prevent including.envfile in your docker builds (#35)
- If dotenvx is missing tell user how to install it from pre-commit (#34)
- Add help notice for ci (when .env file not present) (#33)
- Improve error message when custom
--env-filepassed (#32)
- Adjust
precommitverbosity and coloring - Add
--installflag to precommit - installs to.git/hooks/pre-commit(#31)
- Added
dotenvx precommitcommand and instructions for git pre-commit hook (#30)
Load axios with a try/catch depending on context 🐞 (#24)
Patched helpers.guessEnvironment bug when filepath contained a . in the folder name. 🐞 (#23)
Change path to axios in attempt for pkg to build correctly.
Add axios (missing) to package-lock.json
Create binaries with root:root defaults. (#21)
Tell user about undefined subprocess with additional debug logs (#19)
debug other signals send to execa process (#18)
Fix missed package.json#version
handle SIGINT (#17)
write to /latest only for releases repo (#15)
do not package README alongside binary. adds noise to a user's machine. keep their machine shiny. (#14)
tell user what to do next (#13)
do not log when error code is 0 (#12)
tell user when no changes to re-encrypt (#11)
added help text when user's command fails. include link to report issue (#10)
added next step help message when running dotenvx run with no argument (#9)
help includes a command example as well as a full working 'try it out' example (#8)
made the info messaging more succinct (#7)
added tagged images to hub.docker.com/u/dotenv
fixed the .env.keys file comment. spacing was off. (#6)
added help text to encrypt. (#5)
removed the pad on the logging level. didn't look good when running in default INFO mode. (#4)
prevent committing a .env* file to code. append to .gitignore, .dockerignore, .vercelignore, and .npmignore 🗂️ (#3)
run support for .env.vault files 🔑 (#2)
encrypt 🔐 (#1)
Please see commit history.