
Have you ever built a project using an API that you wanted to post in a public repository so that you can share your code with the world? Perhaps y...
A perfect follow-up article would be: Stop using archaic .env files: Why you need hierarchical configuration systems right now.
Both approaches have their use cases IMHO. The biggest advantage I can see in hierarchical config is the ability to fetch from secret vaults in real time rather than having to store multiple tokens and whatnot in the MacBook of each developer, which on its own can be an attack vector.
It's just a plain text file, just like a .json file. The problem is perpetuating the concept of "an environment" in the browser. This artificial construct is unneeded. The whole dotenv is unneeded, even in NodeJS where there is an environment. Hierarchical configurations are much more versatile in every way. It is just dumb to keep .env files around.
Aren't the hierarchical config files not "around" somewhere as well? Hocon, json... Who cares. Even if you store these in the DB (which is probably the most common way to implement a hierarchical configuration system) you'll have the migration or script to spin up a new environment based off of that given config, and none should be present in your repo or exposed to the public.
For a project (no matter how big) that doesn't need many configurations a dotenv is just fine, same goes for small projects whose entire config is a handful of tokens and a flag.
Each and every tool has its pros and cons, glorifying a tool or applying the golden hammer approach only leads to dramas 😂
It is "finer" to not use .env at all.
That's it. Why .env that forces you to install a BIG package like dotenv? How is that better?
.env files are natively supported since long ago... Also
isn't bad, either.
PS: env files are read on startup so make sure you restart the server when making changes there.
That wasn't long ago, and that's only in NodeJS. In browser projects are still a hack.
Would you please write an article on this subject? I know I would love to read this. Thanks!
All keys are sensitive keys in a production environment.
Yes! As stated in the previous sentence in that section, environment variables should only be used during development.
As others have stated in the comment section, using other tools such as SecretsManager/BitWarden or implementing hierarchical configuration systems is the way to go for production environments.
What do you do if you don't have AWS? or other 3rd party services for it?