dotenv Alternative
dotenv works for solo devs. It breaks with teams.
The dotenv package loads environment variables from a .env file into process.env. It's simple, it's everywhere, and it was never designed for teams, CI/CD pipelines, or production workloads. secr is the upgrade.
The dotenv Problem
dotenv solved a real problem in 2013: stop hardcoding credentials in source code. But the tool has not evolved. Your .env file is still a plaintext file on disk. Sharing it still means copying it through Slack, email, or a password manager never designed for environment variables. When your team grows past one person, the cracks become canyons.
5 Risks of Using .env Files in Production
Plaintext on every developer's machine
Your database URL, Stripe secret key, and API tokens sit unencrypted in a file that any process — including malicious npm packages — can read. A single compromised dependency exposes everything.
No access control
Everyone who has the file has every secret. The intern and the CTO get the same production database credentials. There is no concept of roles, environments, or least-privilege access.
Secrets drift between machines
Developer A adds a new key and forgets to update the team. Developer B's app crashes with a missing variable. The “source of truth” is whichever .env file was copied last — and nobody is sure whose that was.
Accidental commits to git
GitHub reports millions of leaked secrets on public repositories every year. A missing .gitignore entry, a force push, or an AI coding assistant that scaffolds a project without the right ignore rules — and your production keys are public.
No audit trail
When a key leaks, you cannot answer: who had access? When was it last changed? Which environments were affected? dotenv gives you no history, no logs, and no way to trace the blast radius.
dotenv vs secr
| Feature | dotenv | secr |
|---|---|---|
| Storage | Plaintext file on disk | Encrypted at rest (AES-256-GCM) |
| Encryption | None | AES-256-GCM + KMS (AWS, GCP, Azure) |
| Team sync | Copy/paste via Slack or email | Centralized with real-time sync |
| Access control | None (file-level) | RBAC (owner, admin, developer, viewer) |
| Audit trail | None | Full history (who, when, what changed) |
| CI/CD | Manual setup per provider | GitHub Actions, Vercel, Netlify built-in |
| Secret scanning | Not included | 20+ patterns, pre-commit hook |
| Injection method | Reads .env file at runtime | Zero-disk: `secr run -- <cmd>` |
| Version history | None | Full version history per secret |
| Environments | Multiple .env files | Named environments with promotion |
Migrate in 3 Commands
You do not need to rewrite your application. secr reads your existing .env file and imports every key-value pair into an encrypted, team-accessible store. Your code keeps reading process.env as before — the only difference is where the values come from.
```bash
# Install the CLI globally
npm i -g @secr/cli
# Initialize secr in your project
secr init
# Import your existing .env file
secr migrate .env
# Now run your app without .env files
secr run -- npm start
```
The secr migrate command parses your .env file, detects duplicates, and imports all variables into the current environment. Add --dry-run to preview without writing.
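To make the parse-and-report step of a migration dry run concrete, here is an added Node.js example; it is not secr's or dotenv's own code, the .env content is a constructed sample with placeholder values, and `parseDotenv`, `dryRunReport` and `childEnv` are hypothetical names.

```javascript
// Added example, not secr's or dotenv's code: the parse-and-report step of a
// migration dry run. dotenv lets the last assignment of a key win silently;
// this parser records every duplicated key so it can be surfaced before import.

// Parse dotenv-style text. Handles blank lines, # comments, an optional
// `export ` prefix, and single- or double-quoted values (with a trailing comment).
function parseDotenv(text) {
  const vars = {};
  const duplicates = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue; // not a KEY=value assignment; skipped
    const key = m[1];
    let value = m[2];
    let q;
    if ((q = value.match(/^"(.*?)"\s*(?:#.*)?$/))) value = q[1].replace(/\\n/g, "\n");
    else if ((q = value.match(/^'(.*?)'\s*(?:#.*)?$/))) value = q[1];
    else value = value.replace(/\s+#.*$/, "").trim(); // unquoted: drop trailing comment
    if (Object.prototype.hasOwnProperty.call(vars, key)) duplicates.push(key);
    vars[key] = value; // last assignment wins, but the duplicate is now recorded
  }
  return { vars, duplicates };
}

// Dry-run report: which keys would be imported and which appeared more than once.
function dryRunReport(text) {
  const { vars, duplicates } = parseDotenv(text);
  return { keys: Object.keys(vars), duplicates: [...new Set(duplicates)] };
}

// Build a child-process environment without writing a .env file to disk:
// parsed values are layered over the parent's environment in memory only.
function childEnv(text, base = process.env) {
  return { ...base, ...parseDotenv(text).vars };
}

// Constructed sample .env (placeholder values, not real credentials).
const SAMPLE_ENV = [
  "# database",
  "DATABASE_URL=postgres://app:pw@localhost:5432/app",
  'STRIPE_SECRET_KEY="sk_test_placeholder"',
  "export API_TOKEN='tok_placeholder' # issued for staging",
  "DATABASE_URL=postgres://app:pw@db.internal:5432/app # duplicate key",
].join("\n");

const REPORT = dryRunReport(SAMPLE_ENV);
console.log(JSON.stringify(REPORT, null, 2));
```

The report flags DATABASE_URL as duplicated, which is exactly the kind of drift a plain dotenv load would hide.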
Who Should Switch?
dotenv is fine for a personal project you never share. For everything else, consider upgrading:
Teams of 2 or more
The moment a second person needs your secrets, you need access control, sync, and an audit trail. Slack DMs are not infrastructure.
Anyone with a CI/CD pipeline
If you are manually copying env vars into GitHub Actions, Vercel, or Netlify settings, secr centralizes them in one place and injects them everywhere.
Anyone who has been burned
Accidentally committed a key? Spent hours rotating credentials after a leak? secr's scanning and pre-commit hooks make sure it does not happen again.
Projects with multiple environments
Managing .env.local, .env.staging, and .env.production files is error-prone. secr gives you named environments with secret promotion between them.
Replace dotenv in 30 seconds
```bash
npm i -g @secr/cli
secr init
secr migrate .env
secr run -- npm start
```