Configuring environment variables seems simple, but it frequently leads to two common issues in production-grade applications:
- Missing Variables: A developer adds a new variable locally but forgets to update the .env.example file. Other team members pull the changes, and their local environments crash.
- Leaked Credentials: A debug log like console.log(process.env) prints database connection strings or API tokens to the terminal, leaving them visible in plaintext logs.
To solve this, we created @novaedgedigitallabs/envkit. It is a zero-dependency (other than Zod) utility that validates, loads, and masks environment variables, and keeps your example configurations updated automatically.
Key Features
- Schema Validation: Define your environment variables with Zod to enforce types and formats.
- Log Masking: Automatically redact sensitive credentials in console output.
- Example Syncing: Automatically append missing variables to your .env.example file without overwriting comments or values.
- Module Support: Runs in ESM and CommonJS.
Getting Started
Install the package and Zod:
npm install @novaedgedigitallabs/envkit zod
Initialize your configuration in a file like env.ts:
import { createEnv } from '@novaedgedigitallabs/envkit';
import { z } from 'zod';

export const env = createEnv({
  schema: {
    DATABASE_URL: z.string().url(),
    JWT_SECRET: z.string().min(32),
    PORT: z.coerce.number().default(3000),
    NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
  },
  secrets: ['JWT_SECRET', 'DATABASE_URL'],
  generateExample: true, // Appends new keys to .env.example at runtime
});
Because the variables are validated using Zod, your editor will provide full TypeScript autocomplete and type safety:
env.PORT; // Resolved as a number
env.JWT_SECRET; // Resolved as a string
Preventing Secret Leaks in Logs
Logging environment configs is a common debugging habit. With envkit, any variables listed in the secrets array are automatically masked when printed:
console.log(env);
// Output:
// {
//   PORT: 3000,
//   NODE_ENV: 'development',
//   JWT_SECRET: '[MASKED]',
//   DATABASE_URL: '[MASKED]'
// }
The underlying code still accesses the correct, unmasked values when called directly (e.g., env.JWT_SECRET), keeping your database connections and authentication functional while protecting your log files.
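One way object-level masking of this kind can be built in Node.js, as an added example that is not envkit's source code: `maskedView`, `redact` and `leakedSecrets` are hypothetical names and the sample values are constructed. It also shows a limit of this particular sketch: a spread copy drops the masking hooks, so the copy serializes raw values.

```javascript
// Added illustration, NOT envkit's implementation. All names here are hypothetical.
// Node's console.log / util.inspect call this well-known symbol if an object defines it.
const INSPECT = Symbol.for('nodejs.util.inspect.custom');
const MASK = '[MASKED]';

// Build a plain copy in which every secret key is replaced by the mask.
function redact(values, secrets) {
  const out = {};
  for (const [k, v] of Object.entries(values)) out[k] = secrets.has(k) ? MASK : v;
  return out;
}

// Raw values stay readable by key; only whole-object rendering is redacted.
function maskedView(values, secretKeys) {
  const secrets = new Set(secretKeys);
  const view = { ...values };
  // Non-enumerable hooks, so they never appear as configuration keys.
  Object.defineProperty(view, INSPECT, { value: () => redact(values, secrets) });
  Object.defineProperty(view, 'toJSON', { value: () => redact(values, secrets) });
  return Object.freeze(view);
}

// Names of the secrets whose raw value appears in a rendered log line.
function leakedSecrets(line, values, secretKeys) {
  return secretKeys.filter((k) => line.includes(String(values[k])));
}

// Constructed sample values, not real credentials.
const sample = {
  PORT: 3000,
  JWT_SECRET: 'constructed-sample-secret-0123456789abcdef',
  DATABASE_URL: 'postgres://app:sample-pw@db.example.internal:5432/app',
};
const SECRETS = ['JWT_SECRET', 'DATABASE_URL'];
const demoEnv = maskedView(sample, SECRETS);

console.log(demoEnv);                 // inspect hook fires: secrets print as [MASKED]
console.log(JSON.stringify(demoEnv)); // toJSON hook fires: masked as well
// A spread copy keeps the raw values but not the hooks, so it leaks both secrets.
console.log(leakedSecrets(JSON.stringify({ ...demoEnv }), sample, SECRETS));
```

A check like `leakedSecrets` can run in a test against captured log output to catch code paths that bypass the masked object.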
Keeping .env.example Files Synchronized
Updating example files manually is tedious. Envkit offers two ways to sync them:
1. Runtime Syncing
By setting generateExample: true in createEnv, the library reads your schema during startup and appends any missing keys directly to .env.example.
2. CLI Tool
If you prefer to sync before running your code, you can use the CLI tool:
npx envkit generate
This parses your .env file and appends only the new, missing keys to .env.example. Unlike standard tools that overwrite the entire target file, this command is non-destructive: it preserves all your existing values, custom comments, and spacing.
If you use non-standard file names, you can specify them manually:
npx envkit generate --env .env.production --out .env.production.example
Comparison with Existing Tools
| Feature | dotenv | t3-env | envkit |
|---|---|---|---|
| Loads env files | Yes | Yes | Yes |
| Zod validation | No | Yes | Yes |
| Framework agnostic | Yes | Limited | Yes |
| Secrets masking in logs | No | No | Yes |
| Auto .env.example sync | No | No | Yes |
| ESM + CommonJS support | Yes | ESM only | Yes |
Support
If envkit saved you time → novaedgedigitallabs.tech/pay
Conclusion
Validating your environment configurations and keeping your example files updated should not require manual tracking. By integrating validation, log masking, and automated syncing, @novaedgedigitallabs/envkit ensures your environment is consistent and secure.
If you want to view the source code, report issues, or contribute, you can find the project on GitHub: github.com/novaedgedigitallabs/envkit.
Top comments (2)
This is an excellent utility for managing environment variables in Node.js and TypeScript. I really appreciate how envkit combines Zod-based schema validation, secret masking in logs, and automated .env.example syncing. These are frequent sources of production bugs and security leaks, and envkit addresses them elegantly while preserving developer convenience.
I’d love to collaborate or exchange ideas on building best practices for secure environment management, particularly for multi-environment projects or CI/CD pipelines. It could be interesting to explore ways to extend envkit for dynamic environment validation, cross-service secrets consistency, or integration with AI-assisted deployment tooling.
Would you be open to experimenting together on enhancing or extending these workflows?
Check out varlock.dev - it's free and open source. Does this and a ton more!