a secure dotenv–from the creator of dotenv.

• run anywhere (cross-platform)
• multi-environment
• encrypted envs

Read the whitepaper

Quickstart

Install and use it in code just like dotenv.

npm install @dotenvx/dotenvx --save

// index.js
require('@dotenvx/dotenvx').config()
// or import '@dotenvx/dotenvx/config' // for esm

console.log(`Hello ${process.env.HELLO}`)

or install globally - unlocks dotenv for any language, framework, or platform!

<summary>with curl 🌐 </summary>
sh curl -sfS https://dotenvx.sh | sh dotenvx help  

<summary>with brew 🍺</summary>
sh brew install dotenvx/brew/dotenvx dotenvx help  

<summary>with docker 🐳</summary>
sh docker run -it --rm -v $(pwd):/app dotenv/dotenvx help  

<summary>with github releases 🐙</summary>
sh curl -L -o dotenvx.tar.gz "https://github.com/dotenvx/dotenvx/releases/latest/download/dotenvx-$(uname -s)-$(uname -m).tar.gz" tar -xzf dotenvx.tar.gz ./dotenvx help  

Run Anywhere

$ echo "HELLO=World" > .env
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js

$ node index.js
Hello undefined # without dotenvx

$ dotenvx run -- node index.js
Hello World # with dotenvx
> :-D

see extended quickstart guide

More examples

Multiple Environments

Create a .env.production file and use -f to load it. It's straightforward, yet flexible. ```sh $ echo "HELLO=production" > .env.production $ echo "console.log('Hello ' + process.env.HELLO)" > index.js

$ dotenvx run -f .env.production -- node index.js [dotenvx@1.X.X] injecting env (1) from .env.production Hello production

^^ ```

More examples

Encryption

Add encryption to your .env files with a single command. Use dotenvx encrypt.

$ dotenvx encrypt
✔ encrypted (.env)

A DOTENV_PUBLIC_KEY (encryption key) and a DOTENV_PRIVATE_KEY (decryption key) are generated using the same public-key cryptography as Bitcoin.

More examples

Advanced

Become a dotenvx power user.

CLI 📟

Advanced CLI commands.

Extensions 🔌

CLI extensions.

Library 📦

Use dotenvx directly in code.

Radar 📡

Dotenvx Radar is a commercial extension for dotenvx.

Observe, version, and back up your environment variables at runtime.

Usage

1. Install Radar

$ curl -sfS https://dotenvx.sh/radar | sh

1. Log in

$ dotenvx-radar login
✔ logged in [username]

1. Run dotenvx

$ dotenvx run -- yourcommand
[dotenvx@1.0.0] 📡 radar active
[dotenvx@1.0.0] injecting env (1) from .env

That's it! Your environment variables are auto-observed and backed up by Radar.

UI

CLI

Whitepaper

Dotenvx: Reducing Secrets Risk with Cryptographic Separation

Abstract. An ideal secrets solution would not only centralize secrets but also contain the fallout of a breach. While secrets managers offer centralized storage and distribution, their design creates a large blast radius, risking exposure of thousands or even millions of secrets. We propose a solution that reduces the blast radius by splitting secrets management into two distinct components: an encrypted secrets file and a separate decryption key.

...

Read the whitepaper

Guides

Go deeper with dotenvx – detailed framework and platform guides.

• Languages
  • Node.js
  • [Python](https://d

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Unreleased

1.49.0 (2025-08-18)

Added

• For precommit and prebuild, ignore .env.x file like we do with .env.vault file. (#666)

1.48.4 (2025-07-29)

Removed

• Remove unnecessary use of eval in proKeypair helper (#654)

1.48.3

Changed

• Include privateKeyName and privateKey on internal processedEnv object (#649)

1.48.2

Changed

• Check radar status before sending (#646)

1.48.1

Changed

• Send beforEnv and afterEnv to Radar if user has installed (#645)

1.48.0

Added

• Include beforeEnv and afterEnv for user debugging (#644)

1.47.7

Changed

• src should be in internal processEnv object (#643)

1.47.6

Changed

• Make Radar call non-blocking (#642)

1.47.5

Changed

• Add resilient handling of any Radar failures (#639)

1.47.4

Changed

• Smarter require of non-installed libs like dotenvx-radar (#638)

1.47.3

Added

• Send to radar#observe if Radar installed by user (#631)

Removed

• Remove cli in package.json (#632)

1.47.2

Added

• Export cli in package.json (#629)

1.47.1

Added

• Add convenience log that radar active 📡 when dotenvx-radar is installed (#625)

1.47.0

Added

• Add optional dotenvx radar command (#624)
• Radar is an early access commercial extension for dotenvx that will auto backup your .env files.

 _______________________________________________________________________
|                                                                       |
|  Dotenvx Radar: Env Observability                                     |
|                                                                       |
|  ░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓███████▓▒░    |
|  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   |
|  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   |
|  ░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓████████▓▒░▒▓███████▓▒░    |
|  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   |
|  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   |
|  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   |
|                                                                       |
|  Observe, version, and back up your environment variables at runtime. |
|                                                                       |
|  Purchase lifetime access at https://dotenvx.com/radar                |
|                                                                       |
| --------------------------------------------------------------------- |
| - thank you for using dotenvx! - @motdotla                            |
|_______________________________________________________________________|

1.46.0

Added

• Add error when hoisting issue experienced around commander.js (#623)

Removed

• Remove git-dotenvx and git dotenvx shorthand (#621)

1.45.2

Changed

• Minor README updates

1.45.1

Changed

• Include setLogName and setLogVersion in config (#613)

1.45.0

Added

• Add logger.setName and logger.setVersion for customization of logger (#612)

1.44.2

Changed

• Clarify license is BSD-3.

1.44.1

Changed

• Patch SetOutput type (#597)

1.44.0

Added

• Add armv7 support (#593)

1.43.0

Removed

• Remove errorv, errornocolor, blank from logger options (#584)

Changed

• Replace instances of console.error with logger.error (#584)

1.42.2

Changed

• Fix --force flag work with ?force=true (2776715)

1.42.1

Added

• Add --force flag to install.sh (0b8d21c)

1.42.0

Added

• Add ability to override the os and arch via install.sh and dotenvx.sh (3ded752)

1.41.0

Added

• Add [directory] argument to precommit and prebuild (#572)

1.40.1

Changed

• Patch ext scan command (#570)

1.40.0

Added

• Smarter ext precommit and ext prebuild – catch duplicate KEYs in the same .env file where one is mistakenly left unencrypted (#567)

1.39.1

Added

• Add version to homebrew formula (#564)

1.39.0

Added

• Add --convention flow option to dotenvx run (#551)

Changed

• Fix typos (#550)

1.38.5

Added

• 🐞 Add config.d.ts file to fix type error when loading dotenvx/dotenvx/config with dynamic import (#547)

1.38.4

Changed

• 🐞 Fix blank line disappearing after encrypting empty value (#542)

1.38.3

Changed

• 🐞 Fix self-referencing expansion when key exists already in process.env (#536)

1.38.2

Added

• Add typescript types for main.get.

1.38.1

Changed

• Support encrypt when mutliline contains windows CRLF (\r\n) (#534)

Note: dotenvx will convert these \r\n newlines to \n. Our recommendation is to stop using CRLF - its origin is from typewriter days. Instead, set your editor or gitattributes to use LF.

1.38.0

Changed

• Command substitution failures no longer halt further processing of keys in a .env file (#533)
• A more helpful error is raised if a command substitution failure occurs (#533)

1.37.0

Added

• add dotenvx rotate command 🎉 (#530)

also: our whitepaper is released as a draft.

1.36.0

Changed

• --strict flag respects (doesn't throw) anything in --ignore flag (#527)

1.35.0

Added

• npx dotenvx precommit support as a convenience (#523)
• main.get method (#524)

The addition of main.get facilitates what we term Decryption at Access, a concept explored in greater detail in our whitepaper.

1.34.0

Added

• main.set method now writes to files (#517)

1.33.0

Added

• support ESM import convenience import '@dotenvx/dotenvx/config' (#508)

1.32.1

Changed

• remove duplicated help messages (#504)

1.32.0

Added

• add encrypted check support for ext prebuild (#501)

Changed

• modify ext precommit to check git modified state as well as git staged state - useful for using dotenvx ext precommit without the --install flag in automated scripts and ci. (#499)

Removed

• remove internal logger methods errorvp, errorvpb, warnv, warnvp, warnvpb, successvp, successvpb, help2 (#501)

1.31.3

Changed

• adjust wingetcreate to use powershell when parsing version

1.31.2

Changed

• use wingetcreate for releasing to WinGet (#498)

1.31.1

Changed

• 🐞 fix encryption of values containing explicit \n newlines (#495)

1.31.0

Added

• expose main.set function (#492)
• add missing types for main.config (#491)

1.30.1

Added

• support complex command substitution combining variable expansion (#490)

1.30.0

Added

• add -fk (--env-keys-file) flag to customize the path to your .env.keys file with run, get, set, encrypt, decrypt, and keypair 🎉 (#486)

This is great for monorepos. Maintain one .env.keys file across all your apps.

$ dotenvx encrypt -fk .env.keys -f apps/backend/.env
$ dotenvx encrypt -fk .env.keys -f apps/frontend/.env

$ tree -a .
├── .env.keys
└── apps
    ├── backend
    │   └── .env
    └── frontend
        └── .env

$ dotenvx get -fk .env.keys -f apps/backend/.env

1.29.0

Added

• add --ignore flag to suppress specified errors. example: dotenvx run --ignore=MISSING_ENV_FILE (#485)

1.28.0

Changed

• .env.keys file is generated WITHOUT quotes going forward. This is to minimize friction around Docker gotchas to developers - old versions of Docker do not support --env-file containing quoted keys/values. (#480) (additional note)

1.27.0

Added

• add support for \t expansion when double quoted. (e.g. TAB="hi\tfriend" becomes hi friend) (#479)

1.26.2

Changed

• build binaries with bytecode option (#477)

1.26.1

Added

• add typescript type definitions for main.parse method (#475)

1.26.0

Added

• add privateKey option to main.parse method (#474)

1.25.2

Added

• for binaries add pre-build step using esbuild (#471)

Removed

• remove types for functions that were removed a while back (2aa660)

1.25.1

Changed

• improve helpful error messaging around decryption failures by specifying specific key and private key name (#463)

1.25.0

Added

• add run --strict flag to exit with code 1 if any errors are encountered - like a missing .env file or decryption failure (#460)
• add get --strict flag to exit with code 1 if any errors are encountered - like a missing .env file or decryption failure (#461)
• add strict option to config() to throw for any errors (#459)

Changed

• log MISSING_ENV_FILE and DECRYPTION_FAILED errors to stderr (prior was stdout as a warning) (#459)

Removed

• remove dotenvx.get() function from lib/main.js. (parse already historically exists for this purpose) (#461)

1.24.5

Changed

• 🐞 do not expand prior literal values (#458)

1.24.4

Changed

• do not expand command substitution (#456)

1.24.3

Changed

• 🐞 fix command substitution for more complex commands (#455)

1.24.2

Changed

• treat pre-existing expandable values as literal in process.env (#450)

1.24.1

Changed

• bump cross-spawn to prevent potential ReDoS CVE-2024-21538 (#449)

1.24.0

Added

• support progressive append/update (#445)

FOO=foo
FOO=${FOO}bar
# foobar

• support alternate value expansion (#445)

Changed

• dotenvx.parse now maps to dotenvx's internal parser. (prior it was mapping to dotenv's)

Removed

• removed dotenvx.configDotenv(). use dotenvx.config() (#445)

1.23.0

Added

• deeper variable expansion support and protection against self-referencing variables 🛡️ (#439)

1.22.2

Changed

• more lenient handling of -- separator and better error messaging when flags are ambiguous (#438)

1.22.1

Changed

• 🐞 patch loading order issue with single quotes (#436)

1.22.0

Added

• add --pattern argument to ext gitignore (dotenvx ext gitignore --pattern .env.keys) (#430)

Changed

• clarify next steps after first time encrypting (#430)

1.21.1

Changed

• for --convention nextjs ignore .env.local for TEST environment (#425)
• for precommit redirect missing dotenvx command using POSIX compliant redirection (#424)
• make parent dotenvx help command less noisy by removing [options]. run dotenvx COMMAND -h to list all available options like always (#429)

1.21.0

Changed

• treat single quotes literally (#423)
• respect user chosen quotes (#423 #377)

🎓 now if you choose to single quote, double quote, no quote, or backtick your value it will be respected - including for encrypted values. this more intuitively handles complex cases like escaped characters, literals, and json.

1.20.1

Changed

• update eciesjs (#421)
• remove default values for ts interface - no longer permitted by latest ts (#419)

1.20.0

Changed

• respect process.env.DOTENV_PRIVATE_KEY and/or process.env.DOTENV_PUBLIC_KEY on set (#401)
• respect process.env.DOTENV_PRIVATE_KEY and/or process.env.DOTENV_PUBLIC_KEY on encrypt (#411)
• respect process.env.DOTENV_PRIVATE_KEY on decrypt (#412)
• change logger.help to use brighter blue (#414)

Removed

• remove main.decrypt,encrypt,set (#410)

1.19.3

Changed

• 🐞 fix decrypt re-encrypt of values containing backslashes (#406)

1.19.2

Changed

• forward additional signals like SIGUSR2 (#403)

1.19.1

Changed

• if SIGTERM or SIGINT sent, don't bubble wrapped process error (#402)

1.19.0

Added

• support key glob filtering for encrypt and decrypt. example: dotenvx encrypt -ek "NEXT_PUBLIC_*" (#397)

1.18.1

Added

• escape user inputted regex groupings like $1 or $2. (#396)

1.18.0

Added

• set and encrypt preserve leading spaces (#395)

     HELLO=world

Changed

• improve escape and quote handling for set, encrypt, and decrypt (#395)
• 🐞 fix encrypt, then decrypt, then encrypt on a json value (#377)

Note: the underlying replace engine to support these changes now wraps your values in single quotes. the prior replace engine wrapped in double quotes.

So where your .env used to look like this with double quotes:

HELLO="encrypted:1234"
API_KEY="encrypted:5678"

It will now begin looking like this with single quotes:

HELLO='encrypted:1234'
API_KEY='encrypted:5678'

It's an aesthetic side effect only. Your values will continue to be decrypted and encrypted correctly.

1.17.0

Added

• add --format=eval option for get (#393)

1.16.1

Changed

• suppress stderr using options.stdio (#391)

1.16.0

Changed

• for dotenvx keypair call out to dotenvx pro keypair if pro installed (#390)

1.15.0

Added

• add --format=shell option for keypair (#389)

1.14.2

Changed

• swap process.stdout.write for console.log to patch up npx edge case (#387)

1.14.1

Changed

• run precommit hook only on staged files (#380)

1.14.0

Added

• add dotenvx keypair command for printing your public/private keypairs (#375)

1.13.3

Changed

• exit code 1 when decrypt fails in any way (#374)

1.13.2

Added

• expose getColor and bold to lib/main.js (#369)

1.13.1

Added

• expose logger and setLogLevel to lib/main.js - const = { logger, setLogLevel } = require('@dotenvx/dotenvx') (#368)

1.13.0

Changed

• move ls to core commands (#367)

1.12.1

Changed

• return without quotations for dotenvx get --format shell (#366)

1.12.0

Added

• add dotenvx get --format shell option (#363)

1.11.5

Changed

• revert tinyexec for execa - to support usage in bun

1.11.4

Changed

• bump tinyexec and add postrelease-bunx check (#362)

1.11.3

Changed

• fallback to process.env.TERM for color depth where deno and bun do not support it (#360)

1.11.2

Added

• detect encoding when reading .env* file on run/get (#359)

1.11.1

Changed

• support encryption of export KEY variables and preserve #!shebangs (#357)

1.11.0

Added

• add --exclude-env-file (-ef) to ext ls (#356)

Changed

• ext precommit ignores tests/ directory (and similar) (#356)

1.10.4

Changed

• fix pro display in help command

1.10.3

Added

• ci: automate publishing to winget (#354)

1.10.2

Changed

• default config to empty [] array so that DOTENV_KEY_${environment} looks up correctly (#352)

1.10.1

Changed

• check subfolders on dotenvx ext precommit hook (#350)

1.10.0

Removed

• remove dotenvx ext vault, replace with dotenvx-ext-vault (install there to continue using ext vault) (#351)

1.9.1

Added

• warn if private key is missing or blank (#349)

1.9.0

Added

• add --exclude-key (-ek) option to dotenvx encrypt and dotenvx decrypt (#344)

Changed

• preserve comments and spacing on first-time generation of .env.example file (#346)

Removed

• removed winston - logger simplified to use console.log going forward (#347)

1.8.0

Added

• warn when decryption fails on run (#339)
• decrypt expanded values as necessary (#336)

Changed

• use ansi colors over rgb - for wider terminal coverage (#340)
• replace chalk with picocolors and color-name - cutting down on 5 dependencies (#335)
• replace execa with tinyexec - cutting down on 15 dependencies (#328)
• optimize Ls._filepaths (#317)

Removed

• remove picocolors and color-name - cutting down on 2 dependencies (#340)
• remove ext hub from extension list (you can still install it as an extension here) (#337)

1.7.0

Removed

• remove ext settings command (and conf along with it) (#323)

1.6.5

Changed

• 🐞 patch chomp for interpolation. strip ending newline (was stripping first found newline) (#322)

1.6.4

Changed

• fix dotenvx help (command was missing)

1.6.3

Changed

• adjust dotenvx pro to be dynamic if dotenvx-pro is installed user's machine

1.6.2

Added

• add more detailed type definitions (#313)

1.6.1

Added

• add support for .env1 (.env*) file format. (private key expands to DOTENV_PRIVATE_KEY_DEVELOPMENT1) (#312)

1.6.0

Added

• add dotenvx decrypt command. works inversely to dotenvx encrypt. same flags. (#294)
• add --stdout option to dotenvx decrypt. example: dotenvx decrypt -f .env.production --stdout > somefile.txt (#298)
• add --stdout option to dotenvx encrypt. example: dotenvx encrypt -f .env.production --stdout > somefile.txt (#298)

Changed

• smarter private key finder. if you rename your file to secrets.txt it can still decrypt from DOTENV_PRIVATE_KEY by seeking out the invert of the DOTENV_PUBLIC_KEY inside secrets.txt (#302)

Removed

• remove dotenvx convert - still at dotenvx encrypt
• remove dotenvx vault - still at dotenvx ext vault

1.5.0

Added

• add help text for dashed values on set. example: dotenvx set KEY -- "- + * ÷" (#293)

Changed

• replace @inquirer/confirm and ora (#285)

Removed

• remove dotenvx ext hub, replace with dotenvx-ext-hub (install there to continue using hub) (#291)

1.4.0

Removed

• remove update notice. let users decide what version they want without nagging them to update (#288)
• remove dotenvx hub. still available at dotenvx ext hub (#290)

1.3.2

Changed

• 🐞 remove risky prepare and postinstall scripts and replace with npm run patch for development and binary building (#286)

1.3.1

Changed

• 🐞 make patch-package only run locally with prepare (#283)

1.3.0

Added

• encrypt specified keys with --key option - dotenvx encrypt -k HELLO (#281)

1.2.0

Added

• handle nested dotenvx invocations - dotenvx run -- dotenvx run -- env (#279)

Changed

• replace glob with faster approach (#278)

1.1.0

Added

• add TypeScript type definitions (#272)

1.0.1

Changed

• 🐞 fix expansion when preset on process.env and/or with --overload (#271)

1.0.0

🎉 dotenvx has made it to 1.0.0. There are BREAKING CHANGES ⚠️ .

Added

• added dotenvx set KEY value --plain to set plain text values
• added dotenvx ext 🔌 as a location to place extensions like gititgnore, precommit, ls, and more. better than cluttering up core features like run, get/set, and encrypt.
• added dotenvx pro 🏆 command with coming soon and link to GitHub issue (if you wish to be notified of progress. will provide tooling/features for teams)

Changed

• BREAKING ⚠️
  • turned on encryption by default for dotenvx set (use dotenvx set KEY value --plain to set plain values)
  • renamed dotenvx encrypt to dotenvx ext vault encrypt (for managing .env.vault files)
  • renamed dotenvx convert to dotenvx encrypt
  • moved ls to dotenvx ext ls
  • moved genexample to dotenvx ext genexample
  • moved gitignore to dotenvx ext gitignore
  • moved prebuild to dotenvx ext prebuild
  • moved precommit to dotenvx ext precommit
  • moved scan to dotenvx ext scan
  • moved hub to dotenvx ext hub
  • moved vault to dotenvx ext vault
  • moved settings to dotenvx ext settings

(for many of these moved commands, for example dotenvx genexample, still work in 1.0.0 but with a large deprecated notice - DEPRECATION NOTICE: [genexample] has moved to [dotenvx ext genexample]. Please change your muscle memory to dotenvx ext genexample, as these deprecated command paths will be removed in a later minor version. importantly dotenvx encrypt was not able to be preserved because as it is now in use for encrypted .env files rather than .env.vault files)

This is a BIG release that sets the tone for dotenvx's core offering and features while maintaining room for growth. Thank you everyone for your support and usage of dotenvx 🙏.

blog post: "From dotenv to dotenvx: Next Generation Config Management"

0.45.0

Changed

• Rename dotenvx vault convert to dotenvx vault migrate (#251)
• Update install.sh regex version check to be sh compatible (not just bash)

0.44.6

Added

• Added checksums.txt as part of each release

0.44.5

Changed

• Removed .github folder from published binaries on npm (example: npm code)
• Add help message to install.sh

0.44.4

Changed

• Automated deployment of install.sh along with sanity checks (#250)

0.44.3

Added

• Include CHANGELOG.md in npm release
• Include install.sh in package release

0.44.2

Changed

• Fix license in package.json to match project's license BSD-3.

0.44.1

Changed

• Respect decryption of zero length strings - dotenvx set HELLO '' --encrypt (#236)

0.44.0

Added

• Added options.debug, options.verbose, options.quiet, and options.logLevel to .config() (#233)

0.43.2

Changed

• Patch replace when replacing double, single, or backticked quoted at anywhere in the .env file. (#232)

0.43.1

Changed

• Improved replace function regex - to handle more edge case scenarios with replacing KEY/values (#227)

0.43.0

Added

• Support require('@dotenvx/dotenvx').config() for DOTENV_PRIVATE_KEY decryption (#225)

0.42.0

Added

• Added .env.vault deprecated warning when using DOTENV_KEY. Provide instructions to convert to encrypted .env files. (#224)

0.41.0

Added

• Added vault convert command to list convert instructions for converting .env.vault to encrypted .env files (#222)

To convert your .env.vault file to encrypted .env file(s):

  1. Run [dotenvx vault decrypt]
  2. Run [ls -a .env*]

Lastly, convert each .env(.environment) file:

  3. Run [dotenvx convert -f .env.production]

For example:

  $ dotenvx convert -f .env
  $ dotenvx convert -f .env.ci
  $ dotenvx convert -f .env.production

Afterward:

Update production with your new DOTENV_PRIVATE_KEY_PRODUCTION located in .env.keys

Learn more at [https://dotenvx.com/docs/quickstart#add-encryption]

Changed

• Rename encryptme to convert (#222)

0.40.1

Added

• Support encryption replacement of multiline values (#220)

0.40.0

Added

• Added dotenvx encryptme command to convert an entire .env file to an encrypted .env file. (#213)

Changed

• Made precommit smart enough to check if a .env* file is encrypted or not. If fully encrypted, then allow precommit check to pass (#211)

Removed

• Do not warn of missing files for conventions (too noisy) (#216)

0.39.0

Added

• Add --convention flag to get

Removed

• Removed help messages like 'in production' and 'in ci'. Too specific and could lead to confusion.

0.38.0

Changed

• ⚠️ DEPRECATION NOTICE: the following commands are being moved. Please, update any code and muscle memory you have related to these:
  • dotenvx encrypt => dotenvx vault encrypt
  • dotenvx decrypt => dotenvx vault decrypt
  • dotenvx status => dotenvx vault status
• ⚠️ DEPRECATION NOTICE: the beta hub commands are being completely deprecated (they will be fully removed in upcoming 1.0.0 release). We will provide .env.keys tooling at a later time (replacing hub) but in the context of the new --encrypt flag functionality below

Added

• Add encryption to your .env files with a single command. Pass the --encrypt flag. 🎉

$ dotenvx set HELLO World --encrypt
set HELLO with encryption (.env)

A DOTENV_PUBLIC_KEY (encryption key) and a DOTENV_PRIVATE_KEY (decryption key) is generated using the same public-key cryptography as Bitcoin.

Further notes:

• DOTENV_PUBLIC_KEY lives in the .env file. You can safely share this with whomever you wish.
• DOTENV_PRIVATE_KEY lives in your .env.keys file. Share this only with those you trust to decrypt your secrets.
• If using encrypted .env files like this it is safe to commit them to source code. This makes reviewing PRs that contain secrets much easier.
• Tell your contributors to contribute a secret using the command dotenvx set HELLO world --encrypt.
• Set your DOTENV_PRIVATE_KEY on your server to decrypt these values using dotenvx run -- yourcommand
• You can repeat all this per environment by modifying your set command to dotenvx set HELLO production -f .env.production --encrypt (for example)
• In time we will add better tooling for sharing the private keys living in .env.keys, but until then safely share with team members you trust.
• This mechanism should be particularly useful for open source projects that want to permit secrets contributions without handing out the decryption keys. Now anyone can contribute a secret and only you can decrypt it to see what was changed.
• This solution is brand new, but I intend it to be the future for .env files. It has many benefits over .env.vault files. We will be sunsetting the .env.vault mechanism but its tooling will stay around in dotenvx for at least 1 year to come - under dotenvx vault parent command.
• Be patient as we update our documentation to prioritize this improved encryption format for .env files.

0.37.1

• warn when running dotenvx status against any untracked (not in .env.vault) files (#196)

0.37.0

• add --convention nextjs flag to dotenvx run (#193)
• improve status error message when decrypt fails or no .env* files (#192)

0.36.1

• handle SIGTERM (#191)

0.36.0

• add dotenvx status command (#186)
• add dotenvx decrypt [directory] argument option (#186)
• add dotenvx decrypt --environment flag option (#186)
• normalize windows \ paths (#186)

0.35.1

Changed

• exit code 1 if get KEY not found/undefined (#185)

0.35.0

Added

• added set command, and optionally pass --env-file flag(s) to set usage: dotenvx set HELLO World (#182)

0.34.0

Changed

• make hub push more forgiving by permitting full filepath like hub push directory/.env.keys (#180)
• add note on generated .env.example (#181)

0.33.1

Changed

• patch injection around falsy values (#177)

0.33.0

Added

• add .env.vault support for .env.something.something (useful for Next.js pattern of .env.development.local) (#174)

0.32.0

Changed

• quiet exit code 1 message (#173)

0.31.1

Changed

• improve error messages (#171)

0.31.0

Added

• add hub logout command (#170)

0.30.2

Changed

• small fixes for windows users related to hub open and hub push (#169)

0.30.1

Changed

• remove windows warnings related to missing git or git origin (#166 #167)

0.30.0

Added

• dotenvx get --quiet will display the value no matter what (adds a blank0 logger level) (#161)

Changed

• refactor dotenvx get to use run under the hood

0.29.2

Changed

• fix broken hub login and hub open (#160)

0.29.1

Changed

• patch situation where DOTENV_KEY is present and --env-file flag is set. assume to still look for .env.vault file as first in line (#157)

0.29.0

Changed

• respect order for --env-vault-file, --env-file and --env flags (for example: dotenvx run --env "HELLO=one" --env-file=.env will prioritize --env flag. Add --overload here to prioritize --env-file or reverse the order.). you can now mix and match multiple flags in any complex order you wish and dotenvx will respect it. (#155)

0.28.0

Added

• add dotenvx settings command to list your current settings. in the future we'll provide ways to modify these settings as dotenvx's functionality grows (#153)

0.27.2

Added

• add windows postrelease step to check that dotenvx.exe is functional immediately after release (#141)

Changed

• replace package-json with undici (#146)
• prune redundant packages (#148)
• return current version if remote version fails (#149)
• switch to our own update notice mechanism (eliminating multiple deps) (#151)

0.27.1

Added

• provide .zip download option for windows executable (#140)

Removed

• remove got from top level deps (#139)

0.27.0

Changed

• move update-notifier into lib/helpers for more control over got lib (#138)
• move clipboardy into lib/helpers for more control and to support commonjs going forward (sindre has dropped support and many mature systems still require commonjs for their infra and have need of dotenvx). (#137)

0.26.0

Added

• add hub pull command to pull a repo's .env.keys down. (#129)

0.25.1

Changed

• 🐞 patch bug with evaluate commands. do not attempt to evaluate risky preset envs in process.env. evaluate only what's set in a .env* file (#125)

0.25.0

Added

• expand hub push with [directory] option. use for monorepos. for example: dotenvx hub push apps/backend (#121)

0.24.0

Added

• add command substitution. for example DATABASE_URL="postgres://$(whoami)@localhost/my_database" (#113)

0.23.0

Added

• support personal environment variables. anything after the comment # personal.dotenvx.com will be considered personal and will not be encrypted to .env.vault (#110)

0.22.0

Added

• require('@dotenvx/dotenvx').config() expands/interpolates variables. this matches the behavior of run. (note that this behavior differs from the original require('dotenv').config() (#107)

0.21.0

Added

• expose genexample function on lib/main.js for export convenience (#102)

Changed

• rely on which npm module to find system command path for user inputted command(s) (#105)

Removed

• remove main.inject function (#102)

0.20.2

Added

• added support for --env flag on the .env.vault decryption portion of run (#101)

0.20.1

Changed

• use system command path (#98)

0.20.0

Changed

• added --env flag. for example, dotenvx --env="HELLO=World" -- yourcommand (#94)

0.19.1

Changed

• patched up the precommit command (#91)

0.19.0

Added

• added scan command to scan for possible leaked secrets in your code (#90)

0.18.0

Added

• added get command, optionally pass --env-file flag(s) to get, optionally pass --overload, and optionally pass --pretty-print. usage: dotenvx get HELLO => World (#89)

0.17.1

Changed

• expose main.encrypt and main.ls functions

0.17.0

Added

• added [directory] argument to encrypt. for example, in your nx repo from root dotenvx encrypt apps/backend will encrypt .env* files in that directory and manage the .env.keys and .env.vault in that directory as well (#82)

0.16.1

Changed

• bumped dotenv version to fix encrypt bug

0.16.0

Added

• added ls command to list all your .env* files (#80)
• added --env-file option ls (#82)
• optionally specify --env-vault-file path to .env.vault (defaults to .env.vault) (#73)

0.15.4

Changed

• 🐞 patch --overload flag logic (#66)

0.15.3

Changed

• 🐞 fix undici readablestream error (#65)

0.15.2

Changed

• switch from axios to undici (#59)
• bump dotenv-expand (#63)

0.15.1

Changed

• use improved dotenv expansion (#62)

0.15.0

Added

• add expansion (#60)
• use dotenvx.com (#56)

0.14.1

Changed

• patch esm issue. use update-notifier ^5.1.0

0.14.0

Added

• Added genexample command. Generate .env.example from your .env file. (#49)
• couple security patches (#50, #51)

0.13.0

Added

• Added decrypt command. Decrypt .env.vault to prospective .env* files. .env.keys must be present. (#48)

0.12.0

Added

• Append to .gitignore with gitignore command (also .dockerignore, .npmignore, and .vercelignore if existing) (#47)

0.11.0

Removed

• no longer append to *ignore files automatically. too invasive. will provide as separate cli command (#45)

0.10.6

Changed

• Improve error message when decryption fails (#40)

0.10.5

Changed

• Rename predockerbuild command to prebuild (#36)

0.10.4

Added

• Add predockerbuild command to prevent including .env file in your docker builds (#35)

0.10.3

Changed

• If dotenvx is missing tell user how to install it from pre-commit (#34)
• Add help notice for ci (when .env file not present) (#33)

0.10.2

Changed

• Improve error message when custom --env-file passed (#32)

0.10.1

Changed

• Adjust precommit verbosity and coloring
• Add --install flag to precommit - installs to .git/hooks/pre-commit (#31)

0.10.0

Added

• Added dotenvx precommit command and instructions for git pre-commit hook (#30)

0.9.0

Changed

• Remove .flaskenv from appends (#27)
• Improved error message when .env file is missing (#28)

0.8.4

Changed

Load axios with a try/catch depending on context 🐞 (#24)

0.8.3

Changed

Patched helpers.guessEnvironment bug when filepath contained a . in the folder name. 🐞 (#23)

0.8.2

Changed

Change path to axios in attempt for pkg to build correctly.

0.8.1

Added

Add axios (missing) to package-lock.json

0.8.0

Added

Added hub support. 🎉 (#16)

0.7.4

Changed

Create binaries with root:root defaults. (#21)

0.7.3

Added

Tell user about undefined subprocess with additional debug logs (#19)

0.7.2

Added

debug other signals send to execa process (#18)

0.7.1

Changed

Fix missed package.json#version

0.7.0

Added

handle SIGINT (#17)

0.6.13

write to /latest only for releases repo (#15)

0.6.12

Changed

do not package README alongside binary. adds noise to a user's machine. keep their machine shiny. (#14)

0.6.11

Added

tell user what to do next (#13)

0.6.10

Patched

do not log when error code is 0 (#12)

0.6.9

Added

tell user when no changes to re-encrypt (#11)

0.6.8

Added

added help text when user's command fails. include link to report issue (#10)

0.6.7

Added

added next step help message when running dotenvx run with no argument (#9)

0.6.6

Added

help includes a command example as well as a full working 'try it out' example (#8)

0.6.5

Changed

made the info messaging more succinct (#7)

0.6.4

Added

added tagged images to hub.docker.com/u/dotenv

0.6.3

Changed

fixed the .env.keys file comment. spacing was off. (#6)

0.6.2

Added

added help text to encrypt. (#5)

0.6.1

Changed

removed the pad on the logging level. didn't look good when running in default INFO mode. (#4)

0.6.0

Added

prevent committing a .env* file to code. append to .gitignore, .dockerignore, .vercelignore, and .npmignore 🗂️ (#3)

0.5.0

Added

run support for .env.vault files 🔑 (#2)

0.4.0

Added

encrypt 🔐 (#1)

0.3.9 and prior

Please see commit history.