DEV Community

Cover image for Why Your .env File Is Lying to You
Odejobi Abiola Samuel
Odejobi Abiola Samuel

Posted on • Edited on

Why Your .env File Is Lying to You

Two weeks ago I deployed a service that crashed on the first request. Not because the code was wrong — because process.env.DATABASE_URL was undefined and nobody caught it until a user hit the endpoint.

I've made this mistake enough times to recognize the pattern: environment variables in Node.js are string | undefined. TypeScript shrugs. Validation is your problem. Most teams don't do it, or they scatter it across 15 files with parseInt() and ?? operators.

The Three Lies process.env Tells You

1. "This variable exists"

const dbUrl = process.env.DATABASE_URL
//    ^? string | undefined — TypeScript can't help
Enter fullscreen mode Exit fullscreen mode

It might exist. It might not. You won't know until runtime. If it's undefined, the error surfaces at the point of first use — not at startup.

2. "This value is the right type"

const port = process.env.PORT // "3000" — it's a string!
app.listen(port + 1)          // listens on "30001", not 3001
Enter fullscreen mode Exit fullscreen mode

PORT is semantically a number. At runtime it's a string. Every consumer has to parse it. Nobody does it consistently.

3. "The format is correct"

// .env
DATABASE_URL=localhost:5432/myapp  // forgot postgres://

// somewhere in your app
new URL(process.env.DATABASE_URL)  // TypeError: Invalid URL
Enter fullscreen mode Exit fullscreen mode

No error at import. No error at server start. The first database query crashes.

The Manual Approach

I've written this function more times than I can count:

function getEnv() {
  const dbUrl = process.env.DATABASE_URL
  if (!dbUrl) throw new Error("DATABASE_URL is required")

  const port = parseInt(process.env.PORT ?? "3000", 10)
  if (isNaN(port) || port < 1 || port > 65535) {
    throw new Error("PORT must be between 1 and 65535")
  }

  const nodeEnv = process.env.NODE_ENV ?? "development"
  if (!["development", "production", "test"].includes(nodeEnv)) {
    throw new Error(`Invalid NODE_ENV: ${nodeEnv}`)
  }

  return { dbUrl, port, nodeEnv } as const
}
Enter fullscreen mode Exit fullscreen mode

It works. But it's repetitive, undocumented, and TypeScript can't infer literal types from it. Every project reinvents this same function with slightly different bugs.

Schema-Based Validation

CtroEnv does the same thing with a schema:

import { defineEnv, string, number, pick } from "@ctroenv/core"

const env = defineEnv({
  DATABASE_URL: string().url().describe("PostgreSQL connection URL"),
  PORT: number().port().default(3000),
  NODE_ENV: pick(["development", "production", "test"] as const).default("development"),
})
Enter fullscreen mode Exit fullscreen mode
  • env.PORT is number — already parsed
  • env.NODE_ENV is "development" | "production" | "test" — exact union, no typos
  • env.DATABASE_URL is string — guaranteed present and valid

If anything is missing or invalid, defineEnv() throws immediately with every error grouped:

● Missing required (1)

  DATABASE_URL  Add this variable to your .env file

✗ Invalid (1)

  PORT  Expected a port number (1-65535), received 0
Enter fullscreen mode Exit fullscreen mode

No hunting through logs. The app crashes at import time, not on the first request.

What You Get

Problem Raw process.env CtroEnv
Type safety `string \ undefined`
Startup validation None All vars validated
Error clarity cannot read property of undefined Grouped, descriptive
Defaults Manual ?? .default()
Secret handling Silent .secret() masks at runtime
CI integration None ctroenv check, ctroenv validate

The Validators

string().url()              // valid URL
string().email()            // valid email (HTML5 regex)
string().port()             // port 1-65535
string().min(8)             // minimum length
string().max(255)           // maximum length
string().hostname()         // RFC 1123 hostname
string().regex(/^[a-z]+$/)  // custom pattern

number().int()              // integer
number().positive()         // > 0
number().port()             // 1-65535
number().min(1)             // minimum value
number().max(100)           // maximum value

boolean()                   // "true"/"false", "yes"/"no", "1"/"0", "y"/"n"
pick(["dev", "prod"])       // exact string union

// Chainable on all validators:
.optional() .default(v) .describe(t) .secret() .validate(fn)
Enter fullscreen mode Exit fullscreen mode

One line per variable, and TypeScript infers everything from the schema.

npm install @ctroenv/core
Enter fullscreen mode Exit fullscreen mode

Links: GitHub · Docs · npm

Next: Type-Safe Env Vars Without Zod

Top comments (3)

Collapse
 
theoephraim profile image
Theo Ephraim • Edited

Use varlock (also free and open source) - its a mature solution with an active user base. Plugins and integrations for everything. Supports built in hardware backed encryption, or pulling from any common vaults. Log redaction, leak prevention, tons of very powerful features.

Collapse
 
nazar-boyko profile image
Nazar Boyko

Honest question, since you tease the Zod comparison in the next post. For someone already calling z.object on process.env at startup, what's the day-one reason to switch? From your examples the real wins look like the grouped missing-and-invalid summary and the .secret() masking, with the typed parsing being roughly parity. If that's the pitch, it's a fair one, that error output is genuinely friendlier than Zod's default throw. I just want to be sure I'm reading the delta right and not missing something deeper in the validator chain.

Collapse
 
ctrotech profile image
Odejobi Abiola Samuel

yes brother, you're reading the delta correctly for the parsing layer itself. The typed validation between z.object({ PORT: z.coerce.number().min(1).max(65535).default(3000) }) and number().port().default(3000) is roughly parity. Same guarantees, similar expressiveness.

The deeper differences are around the schema, not the parsing:

Zero dependencies. Zod adds ~50 KB to your bundle. CtroEnv core is 6.5 KB with zero runtime deps. If you're building a CLI tool or a serverless function, that difference shows up in cold start times and install speed.

Error collection. Zod throws on the first validation failure. You fix it, re-run, hit the next one. CtroEnv collects every error before throwing, so you get the full picture in one pass. The grouped output is a nicer default, but the real win is not having to iterate.

Secret masking. The .secret() proxy is deeper than just console.log protection. It traps get, getOwnPropertyDescriptor, has, ownKeys, JSON.stringify, and util.inspect. A Zod schema doesn't prevent a stray JSON.stringify(config) from leaking secrets into your log aggregator. With CtroEnv it's masked at every exit point by default.

Framework adapters. If you're using Vite or Next.js, you need to wire up import.meta.env or the server/client split yourself with Zod. CtroEnv has adapters that handle those sources. Same schema, different source, no code changes.

CLI tooling. ctroenv check --source .env.example runs in CI without importing your schema. ctroenv docs generates an ENVIRONMENT.md that's always accurate. Neither exists in the Zod ecosystem.

Coercion strictness. z.coerce.number() accepts "0xFF" (parses as 255) and "1e2" (parses as 100). CtroEnv's number() rejects both. For env vars, silent coercion of hex or scientific notation is usually a bug, not a feature.

If parsing parity is all you need, sticking with Zod is fine. The day-one reason to switch is the tooling, the secret guarantees, and the smaller dependency footprint. The validation is table stakes -- everything else around it is where the time gets saved.