Maggie, I wanted to mention a few things:
- With sensitive data, it is important to mention that for your client-side script files to have scope of those variables they will be put into the bundle.js file which is publicly accessible. They may not be explicitly visible but basic developers will be able to sift through and see everything.
- With that plugin specifically, it bundles EVERY environment variable (whether you use it or not). This could be a HUGE security vulnerability that you need to be aware of. Even if you don’t use every variable they will all be visible in your
I stumbled across this article while I was looking for something related to my Webpack plugin which does everything you mentioned above and does a good job to only bundle the variables that you use, which is extremely helpful if you use the .env file for other variables outside of your client-side scripts. I recommend it for everyone who wants to put hand-picked sensitive information into your client-side scripts. It also supports system variables and dotenv-safe features are not required.
Feel free to check it out: https://github.com/mrsteele/dotenv-webpack