Leaked content of comments when debug: true

[Jolg42]

Given this configuration

require('dotenv').config({ debug: true })

and this .env

#Local
DATABASE_URL=postgresql://user:password@localhost:5432/database
#Production
#DATABASE_URL=postgresql://user:password@pg-db-provision.id.eu-central-1.rds.amazonaws.com:5432/database

Dotenv output will show

[dotenv][DEBUG] did not match key and value when parsing line 1: #Local
[dotenv][DEBUG] did not match key and value when parsing line 1: #Production
[dotenv][DEBUG] did not match key and value when parsing line 1: #DATABASE_URL=postgresql://user:password@pg-db-provision.id.eu-central-1.rds.amazonaws.com:5432/database

Leaking the secret into the logs 😨

I see a PR who could solve this, has been open and then closed, about removing comments from the DEBUG logs #404
@maxbeatty What do you think about this with this new light?

(Context: prisma/prisma#9428)

[maxbeatty]

I don't participate in maintaining this repository anymore, but you asked what I think so I'll tell you I think you're solving the wrong problem 😸 The intention of the debug option for dotenv is to help understand why you might not be getting the expected values assigned to process.env. It is not intended as a general logging tool.

The problem you should be solving is how to separate your local and production secrets so they are not together in the same file. I know it's easier, but it's also less secure. Ideally, your production and other hosted environments don't use .env files at all. There are lots of great secure secret management tools out there. Further, I wouldn't allow connections to RDS outside of a VPC, but I digress.

Good luck! Hope you all find a solution that works for everyone ✌🏼

[Jolg42]

@maxbeatty thanks for chiming up!

Indeed I really don't recommend mixing secrets here but some people do 🙈

[Jolg42]

Hi @motdotla, pinging you since it seems you are the most active on the codebase, what do you think about this?
Any feedback is welcome!

[janpio]

To potentially explain what we are trying to do:

Some of the other debug: true output we find super useful in our own verbose mode as it gives more information what happened with the user's .env file:

[dotenv][DEBUG] "FOO" is already defined in `process.env` and will not be overwritten

[motdotla]

The debug feature needs a fresh pass. It's being used for a different reason than it was originally intentioned.

We will improve it soon. It includes requests here as well:

• In debug mode, comments and empty lines almost appear as invalid syntax #551
• Dotenv running on debug mode for any non-undefined debug option #548

[motdotla]

@Jolg42 this is fixed in v13.0.1. Let us know if you run into any trouble.

And for production (and other) environments, you can use Dotenv Sync.

[motdotla]

@janpio see comment above.

Thank you for your patience everyone on this one.