Leaked content of comments when debug: true
#569
Comments
I don't participate in maintaining this repository anymore, but you asked what I think so I'll tell you I think you're solving the wrong problem 😸 The intention of the debug option for dotenv is to help understand why you might not be getting the expected values assigned to The problem you should be solving is how to separate your local and production secrets so they are not together in the same file. I know it's easier, but it's also less secure. Ideally, your production and other hosted environments don't use .env files at all. There are lots of great secure secret management tools out there. Further, I wouldn't allow connections to RDS outside of a VPC, but I digress. Good luck! Hope you all find a solution that works for everyone ✌🏼
@maxbeatty thanks for chiming up! Indeed I really don't recommend mixing secrets here but some people do 🙈
Hi @motdotla, pinging you since it seems you are the most active on the codebase, what do you think about this?
To potentially explain what we are trying to do: Some of the other
The debug feature needs a fresh pass. It's being used for a different reason than it was originally intended. We will improve it soon. It includes requests here as well:
@Jolg42 this is fixed in And for production (and other) environments, you can use Dotenv Sync.
@janpio see comment above. Thank you for your patience everyone on this one.
Given this configuration
require('dotenv').config({ debug: true })
and this
.env
Dotenv output will show
Leaking the secret into the logs 😨
I see a PR that could solve this; it was opened and then closed. It is about removing comments from the DEBUG logs: #404
@maxbeatty What do you think about this with this new light?
(Context: prisma/prisma#9428)
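
An added example, not code from dotenv or from anyone in this thread: a simplified .env parser whose debug logging either echoes skipped lines verbatim (the behaviour reported in this issue) or reports only the line number and kind. The regex, the function names `parse` and `capture`, the `redact` option and the sample file contents are all constructed for illustration.

```javascript
// Simplified KEY=VALUE matcher (assumption: not dotenv's actual regex).
const LINE = /^\s*([\w.-]+)\s*=\s*(.*)?\s*$/;

// Constructed sample: a commented-out line that still holds a credential.
const SAMPLE = [
  '# DATABASE_URL=postgres://admin:CONSTRUCTED-SECRET@db.example.invalid/app',
  'PORT=3000',
  'not a valid line',
].join('\n');

// Parse src into an object. With debug on, skipped lines are reported via log().
// redact=false echoes the raw line (leaky); redact=true reports position and kind only.
function parse(src, { debug = false, redact = true, log = console.log } = {}) {
  const out = {};
  src.split(/\r?\n/).forEach((line, idx) => {
    const m = line.match(LINE);
    if (m) {
      out[m[1]] = (m[2] || '').trim();
      return;
    }
    if (!debug || line.trim() === '') return;
    const kind = line.trimStart().startsWith('#') ? 'comment' : 'unparsed';
    log(redact
      ? `line ${idx + 1}: skipped (${kind})`
      : `line ${idx + 1}: skipped: ${line}`);
  });
  return out;
}

// Run the parser over SAMPLE and collect the debug output instead of printing it.
function capture(redact) {
  const lines = [];
  const env = parse(SAMPLE, { debug: true, redact, log: (s) => lines.push(s) });
  return { env, lines };
}

// Stand-alone run: show both forms side by side.
console.log('leaky   :', capture(false).lines);
console.log('redacted:', capture(true).lines);
```

A useful regression check for any debug logger of this kind is to feed it a commented-out credential and assert that the captured log output never contains the value.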