
bun build --target=bun inlines environment variable and .env file values

Open GeoffWilliams opened this issue 1 year ago • 1 comments

What version of Bun is running?

1.1.8+89d25807f

What platform is your computer?

Linux 6.1.0-17-amd64 x86_64 unknown

What steps can reproduce the bug?

bun build --target=bun inlines the value of environment variables set in the environment and .env, eg:

.env

MYVAR=gotcha

test.ts

console.log(process.env.MYVAR);
console.log(process.env.MYOTHERVAR);

bundle

export MYOTHERVAR=hmmm
bun build --outdir bundled test.ts --target=bun

What is the expected behavior?

Expect to see directly specified environment variables used when supplied so that I can use environment variables for configuration/externalization of secrets. Running typescript directly with bun works:

MYVAR=hello MYOTHERVAR=world bun test.ts 
hello
world

What do you see instead?

Values from .env and the environment are inlined into the bundle/compiled executable when --target=bun used. Referenced environment variables that had no value during build work as expected:

MYVAR=hello MYOTHERVAR=world bun ./bundled/test.js 
gotcha
hmmm

Additional information

Unwanted inlining will embed secrets into bundles/executables. I already did this without realising:

grep $TEST_BINANCE_FUTURES_API_KEY build/app 
grep: build/app: binary file matches

The behaviour of target is documented at https://bun.sh/docs/bundler#target but does not mention anything about inlining environment variables and .env files

I guess the workaround would be to run bun compile in a clean environment and move any .env files out of the way first

GeoffWilliams avatar May 20 '24 09:05 GeoffWilliams

Workaround:

mv .env .env.nouse
env -i ~/.bun/bin/bun build --target=bun --compile --sourcemap src/app.ts --outfile build/app 
mv .env.nouse .env

GeoffWilliams avatar May 20 '24 10:05 GeoffWilliams
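A post-build check that generalizes the `grep` from the report above to every value in a `.env` file. This is an added example, not part of the thread or of Bun; the function names, the `MIN_LEN` cutoff and the script name `check-inlined-env.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report .env variables whose values appear inside a build artifact.
# MIN_LEN is an assumed cutoff so short values ("1", "true") do not match by chance.
MIN_LEN=${MIN_LEN:-8}
CR=$(printf '\r')

# leaked_vars ARTIFACT ENVFILE: print the name (never the value) of each match.
leaked_vars() {
  artifact=$1
  envfile=$2
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$CR"}                 # tolerate CRLF .env files
    case $line in
      ''|'#'*) continue ;;             # blank line or comment
      *=*) ;;                          # KEY=VALUE
      *) continue ;;
    esac
    key=${line%%=*}
    key=${key#export }
    val=${line#*=}
    case $val in                       # strip one pair of surrounding quotes
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    [ "${#val}" -ge "$MIN_LEN" ] || continue
    # The pattern goes in on stdin so the secret never shows up in grep's argv.
    if printf '%s\n' "$val" | grep -Fq -f - "$artifact"; then
      printf '%s\n' "$key"
    fi
  done < "$envfile"
}

# assert_no_leaks ARTIFACT ENVFILE: exit status 1 if any value was inlined.
assert_no_leaks() {
  names=$(leaked_vars "$1" "$2")
  [ -z "$names" ] && return 0
  printf 'inlined .env values in %s: %s\n' "$1" "$(printf '%s' "$names" | tr '\n' ' ')" >&2
  return 1
}

# Usage (hypothetical script name): sh check-inlined-env.sh build/app .env
if [ "$#" -eq 2 ]; then
  assert_no_leaks "$1" "$2"
fi
```

A match means the literal value is present in the artifact; a value that was escaped or otherwise transformed during bundling would not be caught by this check.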

I am also experiencing this issue. Here is the environment variable image

but it in-lined the .env from a development build image

the .env should never be included in builds, imho, or we need a CLI flag

benpsnyder avatar Jun 10 '24 13:06 benpsnyder

Any updates on this issue?

1574242600 avatar Jul 10 '24 12:07 1574242600

This also happens when creating a single-file executable. Would love to see this fixed.

McGaelen avatar Aug 23 '24 18:08 McGaelen

Just ran into the same issue.

Another workaround is to use import.meta.env in your code instead of process.env.

$ mkdir bun-env-test
$ cd bun-env-test
$ bun init -y
$ touch .env
$ echo "FOO=wrong" > .env
$ bun build --compile index.ts --outfile bun-env-test
$ FOO=correct ./bun-env-test

process.env.FOO="wrong"
import.meta.env.FOO="correct"
{ FOO } = process.env -> "correct"

index.ts


console.log(`process.env.FOO="${process.env.FOO}"`)
console.log(`import.meta.env.FOO="${import.meta.env.FOO}"`)
const { FOO } = process.env
console.log(`{ FOO } = process.env -> "${FOO}"`)

patlux avatar Aug 24 '24 04:08 patlux

It seems like the best temporary solution is to use Bun.env as that will have the expected values on it.

.env

FOO=foo

test.ts

console.log(`FOO: ${process.env.FOO}`)
console.log(`FOO (Bun.env): ${Bun.env.FOO}`)

If we run the file directly while changing the value of FOO:

$ FOO=bar bun test.ts
FOO: bar
FOO (Bun.env): bar

Now if we compile it and then run it while changing the value of FOO:

$ bun build --compile --outfile=test ./test.ts
$ FOO=bar ./test
FOO: foo
FOO (Bun.env): bar

Both process.env and Bun.env inherit from the parent process' environment, but only process.env is then modified by inlined values.

If this behavior is intentional, it should definitely be mentioned somewhere in the documentation. And I'd also ask why, because I can't see a good reason for Bun to do this. It's unexpected behavior and goes against the general assumption that a process will inherit its environment from the parent.

adamhl8 avatar Aug 30 '24 23:08 adamhl8

Is there any official mention of whether this is an error or actual expected behavior? This doesn't seem right to me and has already caused many hours of troubleshooting; I almost gave up for Node before I found this thread....

Weirdly enough, it was working fine as I expected and just changed out of nowhere, ignoring my envs even without changing the version in the Dockerfile.

SkyaTura avatar Oct 14 '24 01:10 SkyaTura

We now have --env=disable as of v1.1.39. Also as of 1.2 it shouldn't inline by default.

RiskyMH avatar Jan 24 '25 09:01 RiskyMH

When running bun --env-file=.env build --env=inline --minify --target=bun src/main.ts --outfile dist/main.js

no env variables inlined in the built file

BadMachine avatar Mar 12 '25 09:03 BadMachine