npm Community Forum (Archive)

hiding environment variables in a package

I’m creating a package that relies on some secret keys to function correctly. I use a .env file right now to store these keys. I don’t want to remove the .env because then the modules will not work, but if I include the .env all my keys will become publicly available to anyone who installs the package. Is there a way of keeping a published file hidden from those who install it? Thanks.

So, to clarify, you need to put a file on a user’s computer as part of an installation of a package but you need that file to be invisible to the user. Also you need your code to have access to this file. Correct?

More so looking for a reasonable workaround. Like if there’s a way of having a file like this on a server that I could call to/from without having to host it myself.

There might be something you can do with public/private key signing here that will let you put the file on a user’s computer and only let the user’s machine read it (not write to it). But if you need to allow users to access a file on a server and want to restrict that access I think you’d have to do something with licensing or API keys.

The community will probably need to know more about why you need to do this to be able to help you.
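
As an added example that is not part of the original thread: a check a package author could run before `npm publish` to catch a `.env` that would otherwise ship in the tarball. It parses the JSON printed by `npm pack --dry-run --json`; the function name, the file patterns and the sample data are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): flag secret-bearing files in the
// file list that `npm pack --dry-run --json` reports for a package.

// Assumed patterns for files that usually hold secrets; extend per project.
const SECRET_PATTERNS = [
  /^\.env(\..+)?$/,      // .env, .env.local, .env.production, ...
  /\.pem$/i,             // private keys and certificates
  /^id_(rsa|ed25519)$/,  // SSH private keys
];

// Template files that are meant to ship because they hold no real values.
const ALLOWED = new Set(['.env.example', '.env.sample']);

// packJson: the JSON text printed by `npm pack --dry-run --json`, an array
// of reports that each carry a `files` array of { path, size, ... } entries.
// Returns the paths that match a secret pattern, in tarball order.
function findSecretFiles(packJson) {
  const hits = [];
  for (const report of JSON.parse(packJson)) {
    for (const file of report.files || []) {
      const base = file.path.split('/').pop(); // match on the file name only
      if (ALLOWED.has(base)) continue;
      if (SECRET_PATTERNS.some((re) => re.test(base))) hits.push(file.path);
    }
  }
  return hits;
}

// Constructed sample of the pack report (not output from a real package).
const SAMPLE_PACK_JSON = JSON.stringify([{
  name: 'example-pkg',
  version: '1.0.0',
  files: [
    { path: 'package.json', size: 310 },
    { path: 'index.js', size: 1204 },
    { path: '.env', size: 88 },
    { path: 'config/.env.production', size: 91 },
    { path: '.env.example', size: 40 },
  ],
}]);

// A prepublish script would exit non-zero whenever this list is not empty.
const leaked = findSecretFiles(SAMPLE_PACK_JSON);
console.log(leaked.length ? `secret files in tarball: ${leaked.join(', ')}`
                          : 'no secret files in tarball');
```

Anything this check lets through is readable by everyone who installs the package, so a key the code needs at runtime has to come from the installing user's own environment or from a service that authenticates each user.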