All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
- fix
dotenvx help
(command was missing)
- adjust
dotenvx pro
to be dynamic if dotenvx-pro is installed user's machine
- add more detailed type definitions (#313)
- add support for
.env1
(.env*
) file format. (private key expands toDOTENV_PRIVATE_KEY_DEVELOPMENT1
) (#312)
- add
dotenvx decrypt
command. works inversely todotenvx encrypt
. same flags. (#294) - add
--stdout
option todotenvx decrypt
. example:dotenvx decrypt -f .env.production --stdout > somefile.txt
(#298) - add
--stdout
option todotenvx encrypt
. example:dotenvx encrypt -f .env.production --stdout > somefile.txt
(#298)
- smarter private key finder. if you rename your file to
secrets.txt
it can still decrypt fromDOTENV_PRIVATE_KEY
by seeking out the invert of theDOTENV_PUBLIC_KEY
insidesecrets.txt
(#302)
- remove
dotenvx convert
- still atdotenvx encrypt
- remove
dotenvx vault
- still atdotenvx ext vault
- add help text for dashed values on
set
. example:dotenvx set KEY -- "- + * ÷"
(#293)
- replace
@inquirer/confirm
andora
(#285)
- remove
dotenvx ext hub
, replace with dotenvx-ext-hub (install there to continue using hub) (#291)
- remove update notice. let users decide what version they want without nagging them to update (#288)
- remove
dotenvx hub
. still available atdotenvx ext hub
(#290)
- 🐞 remove risky
prepare
andpostinstall
scripts and replace withnpm run patch
for development and binary building (#286)
- 🐞 make
patch-package
only run locally withprepare
(#283)
- encrypt specified keys with
--key
option -dotenvx encrypt -k HELLO
(#281)
- handle nested
dotenvx
invocations -dotenvx run -- dotenvx run -- env
(#279)
- replace
glob
with faster approach (#278)
- add TypeScript type definitions (#272)
- 🐞 fix expansion when preset on
process.env
and/or with--overload
(#271)
🎉 dotenvx
has made it to 1.0.0
. There are BREAKING CHANGES
- added
dotenvx set KEY value --plain
to set plain text values - added
dotenvx ext
🔌 as a location to place extensions likegititgnore
,precommit
,ls
, and more. better than cluttering up core features likerun
,get/set
, andencrypt
. - added
dotenvx pro
🏆 command with coming soon and link to GitHub issue (if you wish to be notified of progress. will provide tooling/features for teams)
BREAKING ⚠️
- turned on encryption by default for
dotenvx set
(usedotenvx set KEY value --plain
to set plain values) - renamed
dotenvx encrypt
todotenvx ext vault encrypt
(for managing.env.vault
files) - renamed
dotenvx convert
todotenvx encrypt
- moved
ls
todotenvx ext ls
- moved
genexample
todotenvx ext genexample
- moved
gitignore
todotenvx ext gitignore
- moved
prebuild
todotenvx ext prebuild
- moved
precommit
todotenvx ext precommit
- moved
scan
todotenvx ext scan
- moved
hub
todotenvx ext hub
- moved
vault
todotenvx ext vault
- moved
settings
todotenvx ext settings
- turned on encryption by default for
(for many of these moved commands, for example dotenvx genexample
, still work in 1.0.0
but with a large deprecated notice - DEPRECATION NOTICE: [genexample] has moved to [dotenvx ext genexample]
. Please change your muscle memory to dotenvx ext genexample
, as these deprecated command paths will be removed in a later minor version. importantly dotenvx encrypt
was not able to be preserved because as it is now in use for encrypted .env
files rather than .env.vault
files)
This is a BIG release that sets the tone for dotenvx
's core offering and features while maintaining room for growth. Thank you everyone for your support and usage of dotenvx
🙏.
blog post: "From dotenv to dotenvx: Next Generation Config Management"
- Rename
dotenvx vault convert
todotenvx vault migrate
(#251) - Update
install.sh
regex version check to besh
compatible (not just bash)
- Added
checksums.txt
as part of each release
- Removed
.github
folder from published binaries on npm (example: npm code) - Add help message to
install.sh
- Automated deployment of
install.sh
along with sanity checks (#250)
- Include
CHANGELOG.md
in npm release - Include
install.sh
in package release
- Fix license in
package.json
to match project's license BSD-3.
- Respect decryption of zero length strings -
dotenvx set HELLO '' --encrypt
(#236)
- Added
options.debug
,options.verbose
,options.quiet
, andoptions.logLevel
to.config()
(#233)
- Patch
replace
when replacing double, single, or backticked quoted at anywhere in the.env
file. (#232)
- Improved
replace
function regex - to handle more edge case scenarios with replacing KEY/values (#227)
- Support
require('@dotenvx/dotenvx').config()
forDOTENV_PRIVATE_KEY
decryption (#225)
- Added
.env.vault deprecated
warning when usingDOTENV_KEY
. Provide instructions to convert to encrypted.env
files. (#224)
- Added
vault convert
command to list convert instructions for converting.env.vault
to encrypted .env files (#222)
To convert your .env.vault file to encrypted .env file(s):
1. Run [dotenvx vault decrypt]
2. Run [ls -a .env*]
Lastly, convert each .env(.environment) file:
3. Run [dotenvx convert -f .env.production]
For example:
$ dotenvx convert -f .env
$ dotenvx convert -f .env.ci
$ dotenvx convert -f .env.production
Afterward:
Update production with your new DOTENV_PRIVATE_KEY_PRODUCTION located in .env.keys
Learn more at [https://dotenvx.com/docs/quickstart#add-encryption]
- Rename
encryptme
toconvert
(#222)
- Support encryption replacemnt of multiline values (#220)
- Added
dotenvx encryptme
command to convert an entire.env
file to an encrypted.env
file. (#213)
- Made
precommit
smart enough to check if a.env*
file is encrypted or not. If fully encrypted, then allowprecommit
check to pass (#211)
- Do not warn of missing files for conventions (too noisy) (#216)
- Add
--convention
flag toget
- Removed help messages like 'in production' and 'in ci'. Too specific and could lead to confusion.
⚠️ DEPRECATION NOTICE: the following commands are being moved. Please, update any code and muscle memory you have related to these:dotenvx encrypt
=>dotenvx vault encrypt
dotenvx decrypt
=>dotenvx vault decrypt
dotenvx status
=>dotenvx vault status
⚠️ DEPRECATION NOTICE: the betahub
commands are being completely deprecated (they will be fully removed in upcoming 1.0.0 release). We will provide .env.keys tooling at a later time (replacing hub) but in the context of the new--encrypt
flag functionality below
- Add encryption to your
.env
files with a single command. Pass the--encrypt
flag. 🎉
$ dotenvx set HELLO World --encrypt
set HELLO with encryption (.env)
A
DOTENV_PUBLIC_KEY
(encryption key) and aDOTENV_PRIVATE_KEY
(decryption key) is generated using the same public-key cryptography as Bitcoin.
Further notes:
DOTENV_PUBLIC_KEY
lives in the.env
file. You can safely share this with whomever you wish.DOTENV_PRIVATE_KEY
lives in your.env.keys
file. Share this only with those you trust to decrypt your secrets.- If using encrypted
.env
files like this it is safe to commmit them to source code. This makes reviewing PRs that contain secrets much easier. - Tell your contributors to contribute a secret using the command
dotenvx set HELLO world --encrypt
. - Set your
DOTENV_PRIVATE_KEY
on your server to decrypt these values usingdotenvx run -- yourcommand
- You can repeat all this per environment by modifying your set command to
dotenvx set HELLO production -f .env.production --encrypt
(for example) - In time we will add better tooling for sharing the private keys living in
.env.keys
, but until then safely share with team members you trust. - This mechanism should be particularly useful for open source projects that want to permit secrets contributions without handing out the decryption keys. Now anyone can contribute a secret and only you can decrypt it to see what was changed.
- This solution is brand new, but I intend it to be the future for
.env
files. It has many benefits over.env.vault
files. We will be sunsetting the.env.vault
mechanism but its tooling will stay around indotenvx
for at least 1 year to come - underdotenvx vault
parent command. - Be patient as we update our documentation to prioritize this improved encryption format for
.env
files.
- warn when running
dotenvx status
against any untracked (not in .env.vault) files (#196)
- add
--convention nextjs
flag todotenvx run
(#193) - improve
status
error message when decrypt fails or no.env*
files (#192)
- handle
SIGTERM
(#191)
- add
dotenvx status
command (#186) - add
dotenvx decrypt [directory]
argument option (#186) - add
dotenvx decrypt --environment
flag option (#186) - normalize windows
\
paths (#186)
- exit code
1
ifget KEY
not found/undefined (#185)
- added
set
command, and optionally pass--env-file
flag(s) toset
usage:dotenvx set HELLO World
(#182)
- make
hub push
more forgiving by permitting full filepath likehub push directory/.env.keys
(#180) - add note on generated
.env.example
(#181)
- patch injection around falsy values (#177)
- add .env.vault support for
.env.something.something
(useful for Next.js pattern of .env.development.local) (#174)
- quiet exit code 1 message (#173)
- improve error messages (#171)
- add
hub logout
command (#170)
- small fixes for windows users related to
hub open
andhub push
(#169)
dotenvx get --quiet
will display the value no matter what (adds ablank0
logger level) (#161)
- refactor
dotenvx get
to userun
under the hood
- fix broken
hub login
andhub open
(#160)
- patch situation where
DOTENV_KEY
is present and--env-file
flag is set. assume to still look for.env.vault
file as first in line (#157)
- respect order for
--env-vault-file
,--env-file
and--env
flags (for example:dotenvx run --env "HELLO=one" --env-file=.env
will prioritize--env
flag. Add--overload
here to prioritize--env-file
or reverse the order.). you can now mix and match multiple flags in any complex order you wish and dotenvx will respect it. (#155)
- add
dotenvx settings
command to list your current settings. in the future we'll provide ways to modify these settings as dotenvx's functionality grows (#153)
- add windows postrelease step to check that
dotenvx.exe
is functional immediately after release (#141)
- replace
package-json
withundici
(#146) - prune redundant packages (#148)
- return current version if remote version fails (#149)
- switch to our own update notice mechanism (eliminating multiple deps) (#151)
- provide
.zip
download option for windows executable (#140)
- remove
got
from top level deps (#139)
- move
update-notifier
intolib/helpers
for more control overgot
lib (#138) - move
clipboardy
intolib/helpers
for more control and to support commonjs going forward (sindre has dropped support and many mature systems still require commonjs for their infra and have need of dotenvx). (#137)
- add
hub pull
command to pull a repo's.env.keys
down. (#129)
- 🐞 patch bug with evaluate commands. do not attempt to evaluate risky preset envs in
process.env
. evaluate only what's set in a.env*
file (#125)
- expand
hub push
with[directory]
option. use for monorepos. for example:dotenvx hub push apps/backend
(#121)
- add command substitution. for example
DATABASE_URL="postgres:https://$(whoami)@localhost/my_database"
(#113)
- support personal environment variables. anything after the comment
# personal.dotenvx.com
will be considered personal and will not be encrypted to .env.vault (#110)
require('@dotenvx/dotenvx').config()
expands/interpolates variables. this matches the behavior ofrun
. (note that this behavior differs from the originalrequire('dotenv').config()
(#107)
- expose
genexample
function onlib/main.js
for export convenience (#102)
- rely on
which
npm module to find system command path for user inputted command(s) (#105)
- remove
main.inject
function (#102)
- added support for
--env
flag on the.env.vault
decryption portion ofrun
(#101)
- use system command path (#98)
- added
--env
flag. for example,dotenvx --env="HELLO=World" -- yourcommand
(#94)
- patched up the
precommit
command (#91)
- added
scan
command to scan for possible leaked secrets in your code (#90)
- added
get
command, optionally pass--env-file
flag(s) toget
, optionally pass--overload
, and optionally pass--pretty-print
. usage:dotenvx get HELLO
=>World
(#89)
- expose
main.encrypt
andmain.ls
functions
- added
[directory]
argument toencrypt
. for example, in your nx repo from rootdotenvx encrypt apps/backend
will encrypt .env* files in that directory and manage the.env.keys
and.env.vault
in that directory as well (#82)
- bumped
dotenv
version to fixencrypt
bug
- added
ls
command to list all your.env*
files (#80) - added
--env-file
optionls
(#82) - optionally specify
--env-vault-file
path to.env.vault
(defaults to.env.vault
) (#73)
- 🐞 patch
--overload
flag logic (#66)
- 🐞 fix undici readablestream error (#65)
- use improved dotenv expansion (#62)
- patch esm issue. use update-notifier ^5.1.0
- Added
genexample
command. Generate.env.example
from your.env
file. (#49) - couple security patches (#50, #51)
- Added
decrypt
command. Decrypt.env.vault
to prospective.env*
files..env.keys
must be present. (#48)
- Append to
.gitignore
withgitignore
command (also.dockerignore
,.npmignore
, and.vercelignore
if existing) (#47)
- no longer append to
*ignore
files automatically. too invasive. will provide as separate cli command (#45)
- Improve error message when decryption fails (#40)
- Rename
predockerbuild
command toprebuild
(#36)
- Add
predockerbuild
command to prevent including.env
file in your docker builds (#35)
- If dotenvx is missing tell user how to install it from pre-commit (#34)
- Add help notice for ci (when .env file not present) (#33)
- Improve error message when custom
--env-file
passed (#32)
- Adjust
precommit
verbosity and coloring - Add
--install
flag to precommit - installs to.git/hooks/pre-commit
(#31)
- Added
dotenvx precommit
command and instructions for git pre-commit hook (#30)
Load axios
with a try/catch depending on context 🐞 (#24)
Patched helpers.guessEnvironment
bug when filepath contained a .
in the folder name. 🐞 (#23)
Change path to axios in attempt for pkg
to build correctly.
Add axios (missing) to package-lock.json
Create binaries with root:root defaults. (#21)
Tell user about undefined subprocess with additional debug
logs (#19)
debug
other signals send to execa process (#18)
Fix missed package.json#version
handle SIGINT
(#17)
write to /latest
only for releases repo (#15)
do not package README alongside binary. adds noise to a user's machine. keep their machine shiny. (#14)
tell user what to do next (#13)
do not log when error code is 0 (#12)
tell user when no changes to re-encrypt (#11)
added help text when user's command fails. include link to report issue (#10)
added next step help message when running dotenvx run
with no argument (#9)
help includes a command example as well as a full working 'try it out' example (#8)
made the info messaging more succinct (#7)
added tagged images to hub.docker.com/u/dotenv
fixed the .env.keys
file comment. spacing was off. (#6)
added help text to encrypt
. (#5)
removed the pad
on the logging level. didn't look good when running in default INFO mode. (#4)
prevent committing a .env*
file to code. append to .gitignore
, .dockerignore
, .vercelignore
, and .npmignore
🗂️ (#3)
run
support for .env.vault
files 🔑 (#2)
encrypt
🔐 (#1)
Please see commit history.