@dotenvar/cli
v1.0.5
CLI for dotenvar — pull secrets, run processes, manage deploy keys
Zero-knowledge secrets manager — pull encrypted secrets into any environment, on any stack.
dotenvar is language and framework agnostic. It works with Node.js, Python, Go, Ruby, PHP, Rust, Docker, Kubernetes, or any other runtime — because it operates at the OS process level, not inside your application. All decryption happens locally; plaintext secrets never leave your machine or server.
For the full documentation, visit dotenvar.com/documentation/cli.
Installation
Via npm
npm install -g @dotenvar/cli
Via npx (no install needed)
For one-off usage or CI/CD:
npx @dotenvar/cli exec -- your-start-command
Via standalone binary
Download the latest binary for your platform from releases:
- macOS (Apple Silicon): dotenvar-macos-arm64
- macOS (Intel): dotenvar-macos-x64
- Linux (x64): dotenvar-linux-x64
- Linux (ARM64): dotenvar-linux-arm64
- Windows (x64): dotenvar-win.exe
macOS:
# Apple Silicon
curl -L https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-macos-arm64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar
# Intel
curl -L https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-macos-x64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar
Linux (x64):
curl -L https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-linux-x64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar
Linux (ARM64):
curl -L https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-linux-arm64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar
Windows:
$url = "https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-win.exe"
$dest = "$env:PROGRAMFILES\dotenvar\dotenvar.exe"
New-Item -ItemType Directory -Path "$env:PROGRAMFILES\dotenvar" -Force
Invoke-WebRequest -Uri $url -OutFile $dest
Quick Start
# 1. Log in once (opens browser)
dotenvar auth login
# 2. Initialise your project
cd my-project
dotenvar init
# 3a. Pull to a .env file (for local dev tooling that reads .env)
dotenvar pull
# 3b. Or run directly without writing to disk
dotenvar exec -- npm run dev
Commands
Authentication
dotenvar auth login # OAuth via browser, saves credentials to ~/.dotenvar/
dotenvar auth logout # Revoke session and clear credentials
dotenvar auth status # Show who is logged in
Project Setup
dotenvar init # Interactive wizard
dotenvar init --env grp_abc123 # Skip the env selector
dotenvar init --env grp_abc123 --out .env.local
Pulling Secrets
dotenvar pull # Pull all envs in dotenvar.json
dotenvar pull --env grp_abc123 # Pull a specific env
dotenvar pull --env grp_abc123 --out .env.staging
Running Commands
dotenvar exec -- npm start
dotenvar exec -- python -m uvicorn main:app
dotenvar exec --env grp_abc123 -- node scripts/seed.js
Secrets are injected into the child process environment only — nothing is written to disk.
Deploy Keys
dotenvar deploy-key print # Print the deploy key blob
dotenvar deploy-key print --env grp_abc123
dotenvar deploy-key revoke --env grp_abc123 # Revoke a deploy key
dotenvar deploy-key rotate --env grp_abc123 # Rotate (re-seals all DEKs)
Utilities
dotenvar list # List all environments you have access to
dotenvar status # Show auth, config, and deploy key health
CI/CD
# Generate and copy the deploy key blob on your local machine
dotenvar deploy-key print --env grp_abc123
# → DOTENVAR_DEPLOY_KEY=eyJ...
Add it as a secret in your CI provider, then use it in your pipeline:
dotenvar pull # writes .env
dotenvar exec -- npm test # or inject directly
GitHub Actions
- name: Pull secrets
  run: dotenvar pull
  env:
    DOTENVAR_DEPLOY_KEY: ${{ secrets.DOTENVAR_DEPLOY_KEY }}
- name: Run tests
  run: npm test
GitLab CI
pull_secrets:
  script:
    - dotenvar pull
  variables:
    DOTENVAR_DEPLOY_KEY: $DOTENVAR_DEPLOY_KEY
The preferred pattern for production
Backend / server applications (runtime injection)
The recommended approach is to prefix your start command with dotenvar exec --. Secrets are decrypted in memory and injected as environment variables into the child process. Nothing is written to disk.
dotenvar exec -- <your normal start command>
That's it. No code changes required inside your application. Your app reads process.env / os.environ / ENV exactly as it always did.
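The runtime-injection pattern described above, sketched in Node.js as an added example (not dotenvar's source code). The variable name DOTENVAR_DEMO_TOKEN, its value and the helper functions are constructed for illustration; the second half shows that injected variables are inherited by any subprocess unless they are scrubbed first.

```javascript
// Added illustration of env-only injection; not dotenvar's source code.
const { spawnSync } = require('node:child_process');

// Constructed sample value standing in for a secret decrypted in memory.
const SECRETS = { DOTENVAR_DEMO_TOKEN: 'tok_example_123' };

// Probe program: prints the variable as the receiving process sees it.
const PROBE = 'process.stdout.write(String(process.env.DOTENVAR_DEMO_TOKEN))';

// Run a command with the secrets merged into the child's environment only.
// The spread makes a copy, so the parent's process.env is never modified
// and nothing touches the filesystem.
function execWithSecrets(secrets, command, args, baseEnv = process.env) {
  const res = spawnSync(command, args, {
    env: { ...baseEnv, ...secrets },
    encoding: 'utf8',
  });
  return { status: res.status, stdout: res.stdout };
}

// Build an environment without the secret names, for helper processes
// (log shippers, shell-outs) that have no need to inherit them.
function scrubbedEnv(env, secretNames) {
  return Object.fromEntries(
    Object.entries(env).filter(([name]) => !secretNames.includes(name)),
  );
}

function demo() {
  const app = execWithSecrets(SECRETS, process.execPath, ['-e', PROBE]);
  const helperEnv = scrubbedEnv({ ...process.env, ...SECRETS }, Object.keys(SECRETS));
  const helper = spawnSync(process.execPath, ['-e', PROBE], { env: helperEnv, encoding: 'utf8' });
  return {
    appSees: app.stdout,                         // the injected value
    helperSees: helper.stdout,                   // 'undefined' after scrubbing
    parentSees: process.env.DOTENVAR_DEMO_TOKEN, // undefined: parent untouched
    status: app.status,
  };
}

console.log(demo());
```

An application started this way should apply the same scrubbing before it spawns helpers of its own, since a child's environment is copied to every process it launches by default.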
Examples across stacks:
# Node.js
dotenvar exec -- node dist/server.js
dotenvar exec -- npm start
# Python
dotenvar exec -- python manage.py runserver
dotenvar exec -- gunicorn app:app
# Go
dotenvar exec -- ./bin/server
# Ruby
dotenvar exec -- bundle exec rails server
# PHP
dotenvar exec -- php artisan serve
# Any binary
dotenvar exec -- ./my-app
Docker
Install dotenvar inside the image and change the CMD / ENTRYPOINT:
FROM node:22-alpine
# Install dotenvar globally
RUN npm install -g @dotenvar/cli
# Copy your app
WORKDIR /app
COPY . .
RUN npm ci && npm run build
# Inject secrets at startup — no .env file in the image
CMD ["dotenvar", "exec", "--", "node", "dist/server.js"]
Pass the deploy key as an environment variable when running the container:
docker run -e DOTENVAR_DEPLOY_KEY="$DOTENVAR_DEPLOY_KEY" my-image
docker-compose
services:
  api:
    build: .
    command: ["dotenvar", "exec", "--", "node", "dist/server.js"]
    environment:
      - DOTENVAR_DEPLOY_KEY=${DOTENVAR_DEPLOY_KEY}
Kubernetes
Store the deploy key as a Secret and mount it as an env var:
env:
  - name: DOTENVAR_DEPLOY_KEY
    valueFrom:
      secretKeyRef:
        name: dotenvar-secrets
        key: deploy-key
Then change your container command:
command: ["dotenvar", "exec", "--", "node", "dist/server.js"]
Frontend / build-time usage
For client-side apps (Next.js, Vite, Create React App, etc.) secrets are only needed at build time, not at runtime. Pull a .env file before running the build:
dotenvar pull && npm run build
In Vercel / Netlify / any build platform, set DOTENVAR_DEPLOY_KEY as a build environment variable and override the build command:
dotenvar pull && next build
Getting a deploy key
A deploy key lets any environment authenticate without a browser or passphrase. Generate one on first setup from your local machine (where you are logged in):
# 1. Run init in your project (generates the deploy key)
dotenvar init
# 2. Print the key blob to copy into your environment
dotenvar deploy-key print
# → DOTENVAR_DEPLOY_KEY=eyJ...
Store the printed value as a secret in your hosting platform, CI provider, or secret manager. From that point on, any environment that has DOTENVAR_DEPLOY_KEY set can pull secrets without any interactive login.
Security
- Zero-knowledge: all decryption is local. The dotenvar server stores only ciphertext and never sees your plaintext secrets.
- Per-environment deploy keys: each dotenvar init generates a unique RSA-4096 key pair. The private key lives in dotenvar.key (gitignored automatically) and is never transmitted.
- No secrets on disk in production: use dotenvar exec -- to keep secrets in memory only.
- dotenvar.key and .env are added to .gitignore automatically on init.
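A sketch of the envelope model these points imply (a server holding only ciphertext, an RSA key pair per environment, and rotation that re-seals DEKs), as an added example that is not dotenvar's source code. The choice of AES-256-GCM and RSA-OAEP with SHA-256, the record layout, the function names and the sample secrets are all assumptions made here.

```javascript
// Added illustration of envelope encryption; not dotenvar's source code.
// Assumed primitives: AES-256-GCM for the data, RSA-OAEP (SHA-256) for the DEK.
const nodeCrypto = require('node:crypto');

const oaep = (key) => ({ key, oaepHash: 'sha256', padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING });

// Deploy key pair. The page states RSA-4096; `bits` is adjustable for quick runs.
function newDeployKey(bits = 4096) {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: bits });
}

// Client side: encrypt under a fresh data-encryption key (DEK), then seal the
// DEK to the public key. Only this record, all ciphertext, would be uploaded.
function sealEnv(plaintext, publicKey) {
  const dek = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const sealedDek = nodeCrypto.publicEncrypt(oaep(publicKey), dek);
  return { iv, ciphertext, tag: cipher.getAuthTag(), sealedDek };
}

// Private-key holder: unseal the DEK, then decrypt and authenticate locally.
function openEnv(record, privateKey) {
  const dek = nodeCrypto.privateDecrypt(oaep(privateKey), record.sealedDek);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dek, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Rotation: re-seal the same DEK to a new public key; the data is not re-encrypted.
function rotate(record, oldPrivateKey, newPublicKey) {
  const dek = nodeCrypto.privateDecrypt(oaep(oldPrivateKey), record.sealedDek);
  return { ...record, sealedDek: nodeCrypto.publicEncrypt(oaep(newPublicKey), dek) };
}

function demo(bits = 4096) {
  const sample = 'DATABASE_URL=postgres://app:example@db/app\nAPI_TOKEN=tok_example_123\n'; // constructed
  const oldKey = newDeployKey(bits);
  const newKey = newDeployKey(bits);
  const rotated = rotate(sealEnv(sample, oldKey.publicKey), oldKey.privateKey, newKey.publicKey);
  let oldKeyRejected = false;
  try { openEnv(rotated, oldKey.privateKey); } catch { oldKeyRejected = true; }
  return { recovered: openEnv(rotated, newKey.privateKey) === sample, oldKeyRejected };
}

console.log(demo());
```

In this model the DEK does not change on rotation, so the old key is only cut off if the previously sealed copy of the DEK is discarded.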
Requirements
- Node.js ≥ 18
License
MIT
