To quiet new runtime message use `.config({quiet: true})` or set `DOTENV_CONFIG_QUIET=true` in your env or .env file
I don't mind the default log message in v17 and respect the general promotion of dotenvx, but this statement is confusing in a team project where encrypting an .env.test file is not applicable:
🔐 encrypt with dotenvx: https://dotenvx.com
It's overkill for our project's .env.test and I'd like to avoid confusing my team.
We'd appreciate the ability to keep the log message but turn off the promo. Thanks for considering!
A totally weird decision by the module author. I get that it's about promoting @dotenvx/dotenvx, but shoving something down users' throats that they don't necessarily need is pretty annoying — just like Microsoft does.
This kind of thing belongs in the documentation or changelog, not in a library's runtime logs. Sure, you can set quiet: true, but — as I said before — I don't think this is an appropriate way to promote another one of your own modules.
I have over 20 Node.js projects that use dotenv, and now I either have to explicitly set quiet: true everywhere, or just stick with v16.6.1.
First:
We'd appreciate the ability to keep the log message but turn off the promo.
This is a good idea, and I'll consider it.
Second, I appreciate everyone using Dotenv.
This message is there to let folks know about Dotenvx, which adds encryption and agent-friendly workflows on top of .env files.
I get that any extra log line can feel like noise, especially in CI or CLI tools. You can disable the message by passing { quiet: true }.
Dotenv is free and open source, and I’ve maintained it for over a decade. Promoting Dotenvx helps sustain the work — and gives folks an upgrade path if they want it.
Dotenv currently has ~63 million downloads per week. Judging by your response, it seems like that's still not enough for you.
In my opinion, you should create a space for your community — for example, a Discord group. You could promote new modules there if that’s something you really care about. There are plenty of ways to do this — sometimes it just takes a bit of thought.
This isn’t just about an “extra log line” — it’s about the fact that you have to disable it manually. If quiet were set to true by default, I personally wouldn’t have any issue with it.
To me, @dotenvx/dotenvx is basically dotenv on steroids. Most people will stick with the regular dotenv anyway. I see that @dotenvx/dotenvx offers encrypted .env files, but in my opinion that’s unnecessary. Maybe some people will find it useful — I personally don’t.
@sefinek, Thanks for the feedback.
Just to clarify: you’re upset that a free library added one log line — to a major (breaking change) release, with a documented way to turn it off — to let developers know there’s now a secure upgrade path?
@motdotla
I'm not upset – I just think adding such a log line, in a main release, feels a bit sloppy. It's good that it can be disabled, but I believe the approach could have been more thought-through.
I don't quite understand why you think I'm upset when I'm simply expressing my opinion and offering you alternative advice/suggestions.
In my opinion, you got a bit lost in what you're doing, that's all.
I'm just talking about basic UX principles and respect for developers. Runtime logs are not the place for self-promotion. This is something Microsoft might do — not an open-source community. If you want to promote dotenvx, that's totally fine: changelog, README, Discord, newsletter — all good. Just not in the runtime. Setting quiet: true is a workaround, not a real solution.
Just to clarify: you’re upset that a free library added one log line — to a major (breaking change) release, with a documented way to turn it off — to let developers know there’s now a secure upgrade path?
Yes. It is tacky. You could promote during npm install, but adding this crap to runtime logs is not ok.
The average app has thousands of small dependencies like this, imagine if every single one started spamming ads for commercial services to stdout.
Open source maintenance can be thankless. So thank you for maintaining dotenv.
Creating a commercial service is great too. But please do not spam ads at runtime.
@sefinek, Thanks for the feedback.
Just to clarify: you’re upset that a free library added one log line — to a major (breaking change) release, with a documented way to turn it off — to let developers know there’s now a secure upgrade path?
I think we get your point, but in my case for example, dotenv is also used by @nestjs/config so unless they update the code on their end, I get the log.
Also, Loki doesn't know how to parse the log because it uses a different syntax, and thus it results in an "unknown" severity.
I prefer a log in the npm install, and I usually check new features when they are announced there.
In my vitest, I get the message once per test because of nestjs's config module.
A lot of people use Renovate or GitHub dependency bots to update their dependencies; it also forces us to manually update the PR to "fix" a breaking change.
@motdotla, honestly, I don't understand why quiet still isn't set to true by default. Now people are forced to modify their code unnecessarily just because you had a whim to promote another module through runtime logs.
We still appreciate your work on dotenv, but this decision doesn't come across as professional.
This broke our integration with TestRail, as this message ended up in the junit.xml report generated by Playwright, which produces an invalid XML file.
In my opinion, it was not a good idea to run console.log in the runtime of any project. I would say it was malicious and pathological.
This broke our integration with TestRail, as this message ended up in the junit.xml report generated by Playwright, which produces an invalid XML file.
In my opinion, it was not a good idea to run console.log in the runtime of any project. I would say it was malicious and pathological.
I am meeting similar issues here.
I am totally fine with an extra hint with npm i, but I definitely disagree with any package logging anything by default, unless users are indeed doing something wrong, or they are requiring it manually.
I don't want to be rude, but is there anyone who is expecting the log to be output by default? Who is actually benefiting from the change? If the author cannot provide enough cases, then I would rather say that this is totally a change for ads.
All my main projects are open source, and a single glance tells me that I even write more code than you. I don't want to blame you for anything, but this is not the correct way for the open source community to ask for donations or payment. Please stick this only to the website, README, installation and similar things. Try not to spam the runtime and even make a "New feature" of it.
I created a PR (#877) that sets quiet to true by default and improves overall logging.
Who is actually benefiting from the change?
The majority. The log message is informative - how many keys were injected at runtime and from which .env files.
I've personally tested this in @dotenvx/dotenvx for the past year and the overwhelming majority of the users there prefer it. The minority want a way to turn it off - which is provided.
Not to mention, the value add of becoming aware of encrypted .env files. That will push the community forward in a BIG way. Plaintext .env files have been a massive attack vector.
dotenv is also used by @nestjs/config so unless they update the code on their end, I get the log
@nestjs/config is currently pinned to 16.4.7, so not sure how you are getting the new log message. Maybe you have updated to dotenv 17.0.0 yourself somewhere? source. This is also why we have semver and open source. You can go make the change for them and give back to free software.
All my main projects are open source, and a single glance tells me that I even write more code than you.
This is rude.
A single, helpful log message in free software was added as part of a breaking change — aimed at informing you of your environment changes (and where they came from) and increasing security awareness, which is especially relevant in an age of vibe coding and AI agents.
[[email protected]] injecting env (11) from .env,.env.local – 🔐 encrypt with dotenvx: https://dotenvx.com
Dotenv is a runtime library - it modifies your runtime. This message really should’ve been there all along. Now it is — with an easy way to turn it off.
But for all you haters, what could I charge for? Then I'd consider removing the promotion since I could use the money to market dotenvx.