We've seen too many instances of folks accidentally committing their
`.env` files that I feel it's time to make this change.
Up until now, Next.js has recommended that you use `.env.local` when
working locally to store your environment variables. Some developers do
intentionally want to commit their `.env` file without secret values to
source control. However, the ecosystem is fragmented on `.local`
support.
There are tools which require secrets values that do _not_ support
`.local` and require using `.env`. This means that it's possible to dump
your secret values into a `.env` file and commit to source control,
thinking that the defaults would have you covered.
This change updates the defaults for `create-next-app` to ignore all
`.env` files by default. If you want to commit then, you opt-in by
modifying your `.gitignore`, versus the opposite.
Related: https://x.com/complexlity/status/1755890800527892716
---------
Co-authored-by: Sam Ko <sam@vercel.com>
09a385669b