The Unix Way — Episode 10
107 million weekly downloads.
That is the current figure for dotenv on npm. A package whose entire purpose is reading KEY=VALUE pairs from a file and placing them into process.env.
Unix has done this since 1979.
The Archaeology
Version 7 Unix introduced environment variables forty-seven years ago. The mechanism is rather elegant: a parent process passes key-value pairs to its children through exec(). Every process inherits. No library. No file to parse. No package to install.
Then somewhere along the way, the ecosystem decided this was insufficient. The solution: write your secrets into a file called .env, place it in your repository root, and install a package to read it.
The Cost
GitHub detected 39 million leaked secrets in 2024. A 67% increase from the previous year. Toyota exposed 270,000 customer records through a single access key committed to a public repository.
The .env file is not a security mechanism. It is a plaintext file containing your database credentials, sitting one absent .gitignore entry away from publication.
FreeBSD
# login.conf: per-class environment
default:\
	:setenv=LANG=en_GB.UTF-8,EDITOR=vi:\
	:path=/sbin /bin /usr/sbin /usr/bin:
login.conf sets environment variables per login class. No file in your repository. No dependency. The operating system handles it before your application starts.
For services, rc.d sources variables from rc.conf:
myapp_env="DATABASE_URL=postgres://db/prod"
Linux
# /etc/environment: system-wide
DATABASE_URL=postgres://localhost/prod
# systemd service unit
[Service]
EnvironmentFile=/etc/myapp/env
Environment=NODE_ENV=production
systemd's EnvironmentFile does precisely what dotenv does. Since 2010. No npm install. The file lives in /etc, where configuration belongs. Not in your Git repository, where it most certainly does not.
The Point
Even Node.js conceded. Version 20.6.0 added --env-file as a built-in flag. No package required. The runtime spent a decade outsourcing a one-liner to a third-party dependency, then quietly shipped it itself.
But the actual Unix answer is simpler still: your application should not know where its configuration comes from. The OS sets the environment. The process inherits it. That is the contract. Forty-seven years. Zero CVEs on the mechanism itself.
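The contract described above, as an added example rather than the article's own code: a POSIX sh snippet (it assumes only sh and env(1); the variable names and values are constructed) showing the application side, which fails closed on missing variables without knowing who set them, and the inheritance mechanism itself, where a child process gets exactly what its parent hands to exec() and nothing else.

```sh
#!/bin/sh
# Added example, not from the article. Assumes only POSIX sh and env(1).

# require_env NAME...: the application-side half of the contract. It reads
# the variables it inherited and fails closed if any is unset or empty,
# without caring whether login.conf, rc.conf, a systemd unit or a parent
# shell supplied them. Returns 1 and lists the missing names on stderr.
require_env() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        printf 'missing required environment variable(s):%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# inherited NAME VALUE: start a child with a clean environment (env -i) and
# exactly one variable, and print what the child sees. This is the Version 7
# mechanism: the child's environment is whatever its parent passed to exec().
inherited() {
    env -i "$1=$2" /bin/sh -c "printf '%s' \"\${$1:-}\""
}

# not_inherited NAME: export NAME in this shell, then start a child with a
# clean environment and show that the variable did not follow it. The same
# isolation is why a value set for one login class or service unit does not
# leak into an unrelated process tree.
not_inherited() {
    export "$1=constructed-secret"
    env -i /bin/sh -c "printf '%s' \"\${$1:-unset}\""
}

# Usage (constructed values, not real credentials):
#   DATABASE_URL=postgres://db/prod NODE_ENV=production
#   export DATABASE_URL NODE_ENV
#   require_env DATABASE_URL NODE_ENV && exec node app.js
```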
107 million weekly downloads. For reading lines from a file.
Rather marvellous, that.
Read the full article on vivianvoss.net →
By Vivian Voss — System Architect & Software Developer. Follow me on LinkedIn for daily technical writing.