fix: ignore all .env files for create-next-app by default#61920
Merged
fix: ignore all .env files for create-next-app by default#61920
.env files for create-next-app by default#61920Conversation
Member
Stats from current PRDefault Build (Increase detected
|
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| buildDuration | 15s | 15.1s | |
| buildDurationCached | 8.3s | 7.1s | N/A |
| nodeModulesSize | 199 MB | 199 MB | ✓ |
| nextStartRea..uration (ms) | 412ms | 412ms | ✓ |
Client Bundles (main, webpack)
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| 2453-HASH.js gzip | 31.5 kB | 31.5 kB | N/A |
| 3304.HASH.js gzip | 169 B | 169 B | ✓ |
| 3f784ff6-HASH.js gzip | 53.7 kB | 53.7 kB | N/A |
| 8299-HASH.js gzip | 5.1 kB | 5.1 kB | N/A |
| framework-HASH.js gzip | 45.2 kB | 45.2 kB | ✓ |
| main-app-HASH.js gzip | 228 B | 228 B | ✓ |
| main-HASH.js gzip | 29.6 kB | 29.7 kB | N/A |
| webpack-HASH.js gzip | 1.64 kB | 1.65 kB | N/A |
| Overall change | 45.6 kB | 45.6 kB | ✓ |
Legacy Client Bundles (polyfills)
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
| Overall change | 31 kB | 31 kB | ✓ |
Client Pages
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| _app-HASH.js gzip | 193 B | 194 B | N/A |
| _error-HASH.js gzip | 193 B | 191 B | N/A |
| amp-HASH.js gzip | 511 B | 511 B | ✓ |
| css-HASH.js gzip | 342 B | 343 B | N/A |
| dynamic-HASH.js gzip | 2.51 kB | 2.51 kB | N/A |
| edge-ssr-HASH.js gzip | 265 B | 265 B | ✓ |
| head-HASH.js gzip | 365 B | 364 B | N/A |
| hooks-HASH.js gzip | 389 B | 391 B | N/A |
| image-HASH.js gzip | 4.28 kB | 4.28 kB | N/A |
| index-HASH.js gzip | 269 B | 268 B | N/A |
| link-HASH.js gzip | 2.68 kB | 2.69 kB | N/A |
| routerDirect..HASH.js gzip | 328 B | 326 B | N/A |
| script-HASH.js gzip | 395 B | 397 B | N/A |
| withRouter-HASH.js gzip | 323 B | 323 B | ✓ |
| 1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
| Overall change | 1.21 kB | 1.21 kB | ✓ |
Client Build Manifests
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| _buildManifest.js gzip | 483 B | 485 B | N/A |
| Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| index.html gzip | 528 B | 529 B | N/A |
| link.html gzip | 540 B | 542 B | N/A |
| withRouter.html gzip | 523 B | 524 B | N/A |
| Overall change | 0 B | 0 B | ✓ |
Edge SSR bundle Size
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| edge-ssr.js gzip | 94.5 kB | 94.5 kB | N/A |
| page.js gzip | 3.05 kB | 3.04 kB | N/A |
| Overall change | 0 B | 0 B | ✓ |
Middleware size
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| middleware-b..fest.js gzip | 624 B | 626 B | N/A |
| middleware-r..fest.js gzip | 155 B | 156 B | N/A |
| middleware.js gzip | 25.6 kB | 25.6 kB | N/A |
| edge-runtime..pack.js gzip | 839 B | 839 B | ✓ |
| Overall change | 839 B | 839 B | ✓ |
Next Runtimes
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| app-page-exp...dev.js gzip | 171 kB | 171 kB | ✓ |
| app-page-exp..prod.js gzip | 97.6 kB | 97.6 kB | ✓ |
| app-page-tur..prod.js gzip | 99.4 kB | 99.4 kB | ✓ |
| app-page-tur..prod.js gzip | 93.6 kB | 93.6 kB | ✓ |
| app-page.run...dev.js gzip | 145 kB | 145 kB | ✓ |
| app-page.run..prod.js gzip | 92.1 kB | 92.1 kB | ✓ |
| app-route-ex...dev.js gzip | 21.5 kB | 21.5 kB | ✓ |
| app-route-ex..prod.js gzip | 15.1 kB | 15.1 kB | ✓ |
| app-route-tu..prod.js gzip | 15.1 kB | 15.1 kB | ✓ |
| app-route-tu..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
| app-route.ru...dev.js gzip | 21.2 kB | 21.2 kB | ✓ |
| app-route.ru..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
| pages-api-tu..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
| pages-api.ru...dev.js gzip | 9.82 kB | 9.82 kB | ✓ |
| pages-api.ru..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
| pages-turbo...prod.js gzip | 21.4 kB | 21.4 kB | ✓ |
| pages.runtim...dev.js gzip | 22.1 kB | 22.1 kB | ✓ |
| pages.runtim..prod.js gzip | 21.4 kB | 21.4 kB | ✓ |
| server.runti..prod.js gzip | 51.6 kB | 51.6 kB | ✓ |
| Overall change | 946 kB | 946 kB | ✓ |
build cache Overall increase ⚠️
| vercel/next.js canary | vercel/next.js env-ignore | Change | |
|---|---|---|---|
| 0.pack gzip | 1.6 MB | 1.59 MB | N/A |
| index.pack gzip | 106 kB | 107 kB | |
| Overall change | 106 kB | 107 kB |
Diff details
Diff for middleware.js
Diff too large to display
Diff for image-HASH.js
@@ -1,7 +1,7 @@
(self["webpackChunk_N_E"] = self["webpackChunk_N_E"] || []).push([
[8358],
{
- /***/ 1552: /***/ (
+ /***/ 4070: /***/ (
__unused_webpack_module,
__unused_webpack_exports,
__webpack_require__
@@ -9,7 +9,7 @@
(window.__NEXT_P = window.__NEXT_P || []).push([
"/image",
function () {
- return __webpack_require__(5237);
+ return __webpack_require__(396);
},
]);
if (false) {
@@ -18,7 +18,7 @@
/***/
},
- /***/ 2016: /***/ (module, exports, __webpack_require__) => {
+ /***/ 8490: /***/ (module, exports, __webpack_require__) => {
"use strict";
/* __next_internal_client_entry_do_not_use__ cjs */
Object.defineProperty(exports, "__esModule", {
@@ -40,15 +40,15 @@
__webpack_require__(422)
);
const _head = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6074)
+ __webpack_require__(2457)
);
- const _getimgprops = __webpack_require__(9571);
- const _imageconfig = __webpack_require__(6567);
- const _imageconfigcontextsharedruntime = __webpack_require__(419);
- const _warnonce = __webpack_require__(4486);
- const _routercontextsharedruntime = __webpack_require__(162);
+ const _getimgprops = __webpack_require__(7932);
+ const _imageconfig = __webpack_require__(5706);
+ const _imageconfigcontextsharedruntime = __webpack_require__(9483);
+ const _warnonce = __webpack_require__(9035);
+ const _routercontextsharedruntime = __webpack_require__(4829);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6996)
+ __webpack_require__(7240)
);
// This is replaced by webpack define plugin
const configEnv = {
@@ -379,7 +379,7 @@
/***/
},
- /***/ 9571: /***/ (
+ /***/ 7932: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -395,9 +395,9 @@
return getImgProps;
},
});
- const _warnonce = __webpack_require__(4486);
- const _imageblursvg = __webpack_require__(133);
- const _imageconfig = __webpack_require__(6567);
+ const _warnonce = __webpack_require__(9035);
+ const _imageblursvg = __webpack_require__(2642);
+ const _imageconfig = __webpack_require__(5706);
const VALID_LOADING_VALUES =
/* unused pure expression or super */ null && [
"lazy",
@@ -772,7 +772,7 @@
/***/
},
- /***/ 133: /***/ (__unused_webpack_module, exports) => {
+ /***/ 2642: /***/ (__unused_webpack_module, exports) => {
"use strict";
/**
* A shared function, used on both client and server, to generate a SVG blur placeholder.
@@ -827,7 +827,7 @@
/***/
},
- /***/ 4085: /***/ (
+ /***/ 503: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -854,10 +854,10 @@
},
});
const _interop_require_default = __webpack_require__(2430);
- const _getimgprops = __webpack_require__(9571);
- const _imagecomponent = __webpack_require__(2016);
+ const _getimgprops = __webpack_require__(7932);
+ const _imagecomponent = __webpack_require__(8490);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6996)
+ __webpack_require__(7240)
);
function getImageProps(imgProps) {
const { props } = (0, _getimgprops.getImgProps)(imgProps, {
@@ -889,7 +889,7 @@
/***/
},
- /***/ 6996: /***/ (__unused_webpack_module, exports) => {
+ /***/ 7240: /***/ (__unused_webpack_module, exports) => {
"use strict";
Object.defineProperty(exports, "__esModule", {
@@ -924,7 +924,7 @@
/***/
},
- /***/ 5237: /***/ (
+ /***/ 396: /***/ (
__unused_webpack_module,
__webpack_exports__,
__webpack_require__
@@ -941,8 +941,8 @@
// EXTERNAL MODULE: ./node_modules/.pnpm/react@18.2.0/node_modules/react/jsx-runtime.js
var jsx_runtime = __webpack_require__(1527);
- // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+main-repo+packages+next+next-packed.tgz_react-dom@18.2.0_react@18.2.0/node_modules/next/image.js
- var next_image = __webpack_require__(1577);
+ // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+diff-repo+packages+next+next-packed.tgz_react-dom@18.2.0_react@18.2.0/node_modules/next/image.js
+ var next_image = __webpack_require__(73);
var image_default = /*#__PURE__*/ __webpack_require__.n(next_image); // CONCATENATED MODULE: ./pages/nextjs.png
/* harmony default export */ const nextjs = {
src: "/_next/static/media/nextjs.cae0b805.png",
@@ -972,12 +972,8 @@
/***/
},
- /***/ 1577: /***/ (
- module,
- __unused_webpack_exports,
- __webpack_require__
- ) => {
- module.exports = __webpack_require__(4085);
+ /***/ 73: /***/ (module, __unused_webpack_exports, __webpack_require__) => {
+ module.exports = __webpack_require__(503);
/***/
},
@@ -987,7 +983,7 @@
/******/ var __webpack_exec__ = (moduleId) =>
__webpack_require__((__webpack_require__.s = moduleId));
/******/ __webpack_require__.O(0, [2888, 9774, 179], () =>
- __webpack_exec__(1552)
+ __webpack_exec__(4070)
);
/******/ var __webpack_exports__ = __webpack_require__.O();
/******/ _N_E = __webpack_exports__;Diff for 2453-HASH.js
Diff too large to display
Diff for main-HASH.js
Diff too large to display
Member
Tests Passed |
balazsorban44
approved these changes
Feb 26, 2024
balazsorban44
requested changes
Feb 28, 2024
| `.env.local` always overrides the defaults set. | ||
|
|
||
| > **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. **`.env*.local` should be added to `.gitignore`**, as those files are intended to be ignored. `.env.local` is where secrets can be stored. | ||
| > **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. All `.env` files are excluded in `.gitignore` by default, allowing you to opt-into committing these values to your repository. |
Member
There was a problem hiding this comment.
Should we not mention .env here? Aren't we trying to say that .env is the new recommendation for secrets and such?
All
.envfiles are excluded in.gitignoreby default, allowing you to opt-into committing these values to your repository.
This is only true if you are using the version of create-next-app from the version up when this PR gets merged/released. If you are on a version below (maybe CNA was cached globally by your package manager), this might be confusing as your .env will be committed by default still.
Member
|
Let's land this in the next major release of Next.js. See #61920 (comment) |
balazsorban44
approved these changes
Apr 19, 2024
huozhi
approved these changes
May 9, 2024
panteliselef
pushed a commit
to panteliselef/next.js
that referenced
this pull request
May 20, 2024
…#61920) We've seen too many instances of folks accidentally committing their `.env` files that I feel it's time to make this change. Up until now, Next.js has recommended that you use `.env.local` when working locally to store your environment variables. Some developers do intentionally want to commit their `.env` file without secret values to source control. However, the ecosystem is fragmented on `.local` support. There are tools which require secrets values that do _not_ support `.local` and require using `.env`. This means that it's possible to dump your secret values into a `.env` file and commit to source control, thinking that the defaults would have you covered. This change updates the defaults for `create-next-app` to ignore all `.env` files by default. If you want to commit then, you opt-in by modifying your `.gitignore`, versus the opposite. Related: https://x.com/complexlity/status/1755890800527892716 --------- Co-authored-by: Sam Ko <sam@vercel.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We've seen too many instances of folks accidentally committing their
.envfiles that I feel it's time to make this change.Up until now, Next.js has recommended that you use
.env.localwhen working locally to store your environment variables. Some developers do intentionally want to commit their.envfile without secret values to source control. However, the ecosystem is fragmented on.localsupport.There are tools which require secrets values that do not support
.localand require using.env. This means that it's possible to dump your secret values into a.envfile and commit to source control, thinking that the defaults would have you covered.This change updates the defaults for
create-next-appto ignore all.envfiles by default. If you want to commit then, you opt-in by modifying your.gitignore, versus the opposite.Related: https://x.com/complexlity/status/1755890800527892716