Proposal: Support .env
files
#44975
Replies: 12 comments 32 replies
-
I imagine we would be concerned about making this the default behavior and so we would make it opt-in. I imagine there's an attack vector where people slip in hidden |
Beta Was this translation helpful? Give feedback.
-
Another potential concern (not necessarily a deal-breaker, but something to think about) is that this might break things for existing
|
Beta Was this translation helpful? Give feedback.
-
My previous comments aside, this would be a nice convenience for users if we can do it securely and in a backward-compatible way. |
Beta Was this translation helpful? Give feedback.
-
IMHO, the best UX to have it to be opt-in and user-defined via setting the relative file URL to the |
Beta Was this translation helpful? Give feedback.
-
Unless we're OK having the env variables related to enabling V8 features not working, the challenges for the implementation would be:
My understanding is that it would require to have the implementation done in C++, but maybe there are other solutions I'm not thinking of. |
Beta Was this translation helpful? Give feedback.
-
I'm not sure if this would be possible, but having a method on process - like |
Beta Was this translation helpful? Give feedback.
-
Just piping in that the security policy integrity check passed via CLI
wouldn't let policies be tampered with. You have to pass that in anyway for
safety reasons and it wouldn't allow tampering even if .env is supported
due to CLI precedence and failure if specified multiple times.
…On Fri, Oct 14, 2022, 1:45 AM Stephen Belanger ***@***.***> wrote:
There are substantially more V8 options not supported.
I worry this would just draw more attention to an already confusing env
var.
Also, as was just brought up, it would introduce prioritization
complications--if an env var already exists, will the file take precedence?
Should it merge them somehow? What if a value is made explicitly blank in
the file? Would that delete a non-blank env var?
There's a lot of ways this could cause issues if it's able to handle
Node.js startup configuration. Consider the policy work--a rogue .env file
could make nefarious changes to security policy settings.
I would be a lot more comfortable with a more intentionally designed
configuration system that's not going to risk accidental security incidents.
As stated previously, I think .env is a nice feature for user code, but I
think giving it runtime configuration control is unwise.
To me, it would only be reasonable for it to have configuration control if
you had to explicitly point to the .env file with a cli option: node
--env-file=.env
—
Reply to this email directly, view it on GitHub
<#44975 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABZJI7Z5ZRVZ3MZRE6JGKLWDD6OZANCNFSM6AAAAAARC35O5I>
.
You are receiving this because you are on a team that was mentioned.Message
ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Ah I would also note that for policies we would want to be able to
integrity check these .env files but that is a simple port back to c++ for
policies. Not an issue, just some work, and probably shouldn't be blocking.
…On Fri, Oct 14, 2022, 9:34 AM Bradley Farias ***@***.***> wrote:
Just piping in that the security policy integrity check passed via CLI
wouldn't let policies be tampered with. You have to pass that in anyway for
safety reasons and it wouldn't allow tampering even if .env is supported
due to CLI precedence and failure if specified multiple times.
On Fri, Oct 14, 2022, 1:45 AM Stephen Belanger ***@***.***>
wrote:
> There are substantially more V8 options not supported.
>
> I worry this would just draw more attention to an already confusing env
> var.
>
> Also, as was just brought up, it would introduce prioritization
> complications--if an env var already exists, will the file take precedence?
> Should it merge them somehow? What if a value is made explicitly blank in
> the file? Would that delete a non-blank env var?
>
> There's a lot of ways this could cause issues if it's able to handle
> Node.js startup configuration. Consider the policy work--a rogue .env file
> could make nefarious changes to security policy settings.
>
> I would be a lot more comfortable with a more intentionally designed
> configuration system that's not going to risk accidental security incidents.
>
> As stated previously, I think .env is a nice feature for user code, but I
> think giving it runtime configuration control is unwise.
>
> To me, it would only be reasonable for it to have configuration control
> if you had to explicitly point to the .env file with a cli option: node
> --env-file=.env
>
> —
> Reply to this email directly, view it on GitHub
> <#44975 (reply in thread)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AABZJI7Z5ZRVZ3MZRE6JGKLWDD6OZANCNFSM6AAAAAARC35O5I>
> .
> You are receiving this because you are on a team that was mentioned.Message
> ID: ***@***.***>
>
|
Beta Was this translation helpful? Give feedback.
-
What if this were
I think the first is needed to avoid introducing security problems into existing scripts. I think the second is needed to be robust for options which need loaded early (like policy and custom loaders) while also being robust when node is launched as a child process where the parent may not already pass the desired environment or command line option. How minimally ugly could we make something like that? Options:
Something like that could be used for the "ambient configuration" mentioned in #43828 |
Beta Was this translation helpful? Give feedback.
-
should have one that's committed and one that isn't. |
Beta Was this translation helpful? Give feedback.
-
This is supported now via |
Beta Was this translation helpful? Give feedback.
-
Is it possible to use $ NODE_OPTIONS="--env-file=.env.local" eslint some-file and getting the error: |
Beta Was this translation helpful? Give feedback.
-
Spinning off from #43973 (comment), I propose that Node support loading
.env
files. Node would read such files as part of startup and set all defined environment variables ontoprocess.env
before any user code is evaluated; and if one of the defined variables isNODE_OPTIONS
, it would be treated as if theNODE_OPTIONS
environment variable had been set before the normal processing of that variable. cc @nodejs/cpp-reviewersMotivation
This would solve nodejs/loaders#98, providing users a way to tell Node to use particular loaders via configuration file rather than CLI flag. To do so, they could create a
.env
file with a line likeNODE_OPTIONS='--loader my-loader'
. cc @nodejs/loaders Though the intent is to support all of the options allowed byNODE_OPTIONS
, not just things related to loaders.Prior art
dotenv
The
dotenv
module supports reading a.env
file, or other file as defined by configuration. It’s enabled via a function call in user code, which would be too late for configuring Node.Deno
Deno supports an API very similar to
dotenv
.Bun
Bun supports this approach:
We could do the same. Bun also supports config files; we could always choose add support for that in addition to reading
.env
files; like with Bun, I think both features are complementary.Beta Was this translation helpful? Give feedback.
All reactions