fix: ignore all .env files for create-next-app by default (#61920)
We've seen too many instances of folks accidentally committing their `.env` files that I feel it's time to make this change. Up until now, Next.js has recommended that you use `.env.local` when working locally to store your environment variables. Some developers do intentionally want to commit their `.env` file without secret values to source control. However, the ecosystem is fragmented on `.local` support. There are tools which require secrets values that do _not_ support `.local` and require using `.env`. This means that it's possible to dump your secret values into a `.env` file and commit to source control, thinking that the defaults would have you covered. This change updates the defaults for `create-next-app` to ignore all `.env` files by default. If you want to commit then, you opt-in by modifying your `.gitignore`, versus the opposite. Related: https://x.com/complexlity/status/1755890800527892716 --------- Co-authored-by: Sam Ko <sam@vercel.com>
This commit is contained in:
Lee Robinson
GitHub
parent
c3c0c4f8a3
commit
09a385669b
9 changed files with 23 additions and 25 deletions
|
|
@ -14,14 +14,14 @@ description: Learn to add and access environment variables in your Next.js appli
|
|||
|
||||
Next.js comes with built-in support for environment variables, which allows you to do the following:
|
||||
|
||||
- [Use `.env.local` to load environment variables](#loading-environment-variables)
|
||||
- [Use `.env` to load environment variables](#loading-environment-variables)
|
||||
- [Bundle environment variables for the browser by prefixing with `NEXT_PUBLIC_`](#bundling-environment-variables-for-the-browser)
|
||||
|
||||
## Loading Environment Variables
|
||||
|
||||
Next.js has built-in support for loading environment variables from `.env.local` into `process.env`.
|
||||
Next.js has built-in support for loading environment variables from `.env*` files into `process.env`.
|
||||
|
||||
```txt filename=".env.local"
|
||||
```txt filename=".env"
|
||||
DB_HOST=localhost
|
||||
DB_USER=myuser
|
||||
DB_PASS=mypassword
|
||||
|
|
@ -51,7 +51,7 @@ export async function getStaticProps() {
|
|||
> **Note**: Next.js also supports multiline variables inside of your `.env*` files:
|
||||
>
|
||||
> ```bash
|
||||
> # .env.local
|
||||
> # .env
|
||||
>
|
||||
> # you can write with line breaks
|
||||
> PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
|
||||
|
|
@ -211,13 +211,11 @@ export default function Component() {
|
|||
|
||||
## Default Environment Variables
|
||||
|
||||
In general only one `.env.local` file is needed. However, sometimes you might want to add some defaults for the `development` (`next dev`) or `production` (`next start`) environment.
|
||||
Typically, only `.env*` file is needed. However, sometimes you might want to add some defaults for the `development` (`next dev`) or `production` (`next start`) environment.
|
||||
|
||||
Next.js allows you to set defaults in `.env` (all environments), `.env.development` (development environment), and `.env.production` (production environment).
|
||||
|
||||
`.env.local` always overrides the defaults set.
|
||||
|
||||
> **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. **`.env*.local` should be added to `.gitignore`**, as those files are intended to be ignored. `.env.local` is where secrets can be stored.
|
||||
> **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. All `.env` files are excluded in `.gitignore` by default, allowing you to opt-into committing these values to your repository.
|
||||
|
||||
## Environment Variables on Vercel
|
||||
|
||||
|
|
@ -228,7 +226,7 @@ All types of Environment Variables should be configured there. Even Environment
|
|||
If you've configured [Development Environment Variables](https://vercel.com/docs/concepts/projects/environment-variables#development-environment-variables?utm_source=next-site&utm_medium=docs&utm_campaign=next-website) you can pull them into a `.env.local` for usage on your local machine using the following command:
|
||||
|
||||
```bash filename="Terminal"
|
||||
vercel env pull .env.local
|
||||
vercel env pull
|
||||
```
|
||||
|
||||
> **Good to know**: When deploying your Next.js application to [Vercel](https://vercel.com), your environment variables in `.env*` files will not be made available to Edge Runtime, unless their name are prefixed with `NEXT_PUBLIC_`. We strongly recommend managing your environment variables in [Project Settings](https://vercel.com/docs/projects/environment-variables?utm_medium=docs&utm_source=next-site&utm_campaign=next-website) instead, from where all environment variables are available.
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ npm-debug.log*
|
|||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# local env files
|
||||
.env*.local
|
||||
# env files (can opt-in for commiting if needed)
|
||||
.env*
|
||||
|
||||
# vercel
|
||||
.vercel
|
||||
|
|
|
|||
Loading…
Reference in a new issue