12 min · By Nicolas Ritouet

Best dotenv Alternatives: Modern Environment Variable Management

Move beyond .env files. Compare modern dotenv alternatives: Node.js --env-file, dotenvx, Keyway, Doppler, Infisical, and more. With migration examples.

TL;DR: dotenv served us well for a decade. But plaintext .env files on disk are a liability — especially with AI coding tools reading your filesystem. Here are the best alternatives in 2026, from Node.js built-ins to full secrets managers.


Why Move Beyond dotenv

The dotenv npm package has 45 million weekly downloads. It works. So why consider alternatives?

Security: .env files sit on disk in plaintext. AI coding tools like Claude Code, Cursor, and Copilot read them automatically. .gitignore prevents commits but not filesystem reads.

Team friction: Every new developer joining your team asks "can someone send me the .env file?" — usually over Slack, often in plaintext. Secrets drift between machines. Nobody knows which values are current.

No versioning or audit trail: Who changed DATABASE_URL last week? When? Why? With dotenv, you have no idea.

Environment proliferation: .env, .env.local, .env.development, .env.production, .env.staging, .env.test... it gets out of hand fast.

If any of this sounds familiar, it's time to look at alternatives.


Node.js Native --env-file (Built-in Since v20.6)

Starting with Node.js v20.6, you can load .env files without any dependency:

node --env-file=.env app.js

In Node.js v24 (stable), this is fully production-ready:

# Load multiple files; values in later files override earlier ones
node --env-file=.env --env-file=.env.local app.js

# Works with any Node.js entry point
node --env-file=.env --run dev

Pros: Zero dependencies. Ships with Node.js. Reduces your node_modules by one package.

Cons: Still plaintext files on disk. Same security and team-sharing problems as dotenv. Only works with Node.js (not Python, Ruby, Go, etc.).

Verdict: A direct drop-in replacement for the dotenv package, but it doesn't solve the underlying problems with .env files themselves. Use it when you'd use dotenv — you just don't need the dependency anymore.


dotenvx -- Encrypted .env Files from the Creator of dotenv

dotenvx is the successor to dotenv, built by the same creator (Mot). It encrypts your .env files so you can safely commit them to git:

# Install
brew install dotenvx/brew/dotenvx

# Encrypt your .env file
dotenvx encrypt

# Run with decryption
dotenvx run -- npm run dev

# Commit the encrypted .env to git
git add .env
git commit -m "add encrypted env"

The encrypted file looks like this:

#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/            public-key encryption for .env files          /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY="034af..."
DATABASE_URL="encrypted:BEn3..."
STRIPE_SECRET_KEY="encrypted:BKq7..."

Pros: No external service. Files live in git. Works across languages. The creator knows the problem space deeply.

Cons: Encrypted files are still on disk — an attacker with the decryption key gets everything. Key management becomes the new problem. No audit trail, no access controls beyond git permissions.

For a deeper comparison, see Keyway vs dotenvx.
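
A check a team committing dotenvx-encrypted files could run before each commit or in CI, added here as an example (it is not code from dotenvx or from this article): it parses .env text and reports every key whose value is still plaintext, for instance a secret appended by hand after the last `dotenvx encrypt`. It assumes only the format shown above (`encrypted:` value prefix, keys starting with `DOTENV_PUBLIC_KEY` left in the clear); the function names and sample values are constructed.

```javascript
// Added example: flag plaintext values in a .env file that is meant to be
// committed in dotenvx-encrypted form. Assumes only the format shown above:
// encrypted values start with "encrypted:"; DOTENV_PUBLIC_KEY* keys are public.
const PUBLIC_KEY_PREFIX = 'DOTENV_PUBLIC_KEY';
const ENCRYPTED_PREFIX = 'encrypted:';

// Minimal KEY=VALUE parser: skips blank lines and comments, accepts an
// optional "export " prefix, unwraps one pair of matching quotes, and drops
// a trailing "# comment" after the value.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return; // not an assignment
    const quoted = /^(["'`])(.*?)\1\s*(?:#.*)?$/.exec(m[2]);
    const value = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, '').trim();
    entries.push({ key: m[1], value, line: i + 1 });
  });
  return entries;
}

// Returns the entries that would be exposed if the file were committed as-is.
// Every non-empty, non-public value counts, because dotenvx encrypts all values.
function findPlaintext(text) {
  return parseEnv(text).filter(({ key, value }) =>
    !key.startsWith(PUBLIC_KEY_PREFIX) &&
    value !== '' &&
    !value.startsWith(ENCRYPTED_PREFIX));
}

// Constructed sample: two encrypted values plus one key added afterwards
// without re-running `dotenvx encrypt`.
const SAMPLE = [
  '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
  'DOTENV_PUBLIC_KEY="034af..."',
  'DATABASE_URL="encrypted:BEn3..."',
  'STRIPE_SECRET_KEY="encrypted:BKq7..."',
  'export SENDGRID_API_KEY=SG.constructed-example-value  # added by hand',
  'LOG_LEVEL=',
].join('\n');

// Report key and line only; the value itself is never printed.
for (const { key, line } of findPlaintext(SAMPLE)) {
  console.log(`line ${line}: ${key} is not encrypted`);
}
```

In a pre-commit hook or CI job, read the staged .env content into `findPlaintext` and exit non-zero when the result is non-empty.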


Keyway -- GitHub-Native Secrets Management

Keyway takes a different approach: secrets never touch your filesystem. They're stored remotely and injected into your process at runtime.

# Install
brew install keywaysh/tap/keyway

# Initialize (authenticates via GitHub)
keyway init

# Import existing .env
keyway push

# Run with secrets injected into memory
keyway run -- npm run dev

The key idea is zero-disk secrets. There's no .env file to read — not encrypted, not plaintext. Secrets exist only in your running process's memory.

# Verify: no .env on disk
ls .env*
# No such file or directory

# But your app has secrets
keyway run -- node -e "console.log(process.env.DATABASE_URL ? 'Available' : 'Missing')"
# Available

Team onboarding is instant — if a developer has GitHub access to the repo, they get the secrets:

git clone your-repo && npm install
keyway login   # GitHub OAuth
keyway run -- npm run dev
# Done. No "ask Sarah for the .env".

Pros: Zero-disk approach keeps secrets away from AI tools. GitHub-native auth (no new accounts). Simple CLI. Syncs to Vercel, Netlify, Railway.

Cons: Requires network access. External service dependency. Smaller feature set than enterprise platforms.

Learn more about the security architecture.


Doppler -- Enterprise Secrets Platform

Doppler is a full-featured secrets management platform built for teams and enterprises:

# Install
brew install dopplerhq/cli/doppler

# Setup
doppler setup

# Run with secrets
doppler run -- npm run dev

Pros: SSO/SAML, audit logs, secret rotation, RBAC, integrations with everything. Mature product with enterprise support.

Cons: More setup and configuration than simpler tools. Free tier limited to 5 users, then $8/user/month. Can feel heavyweight for small projects.

See Keyway vs Doppler for a detailed comparison.


Infisical -- Open-Source Secrets Management

Infisical is an open-source secrets manager you can self-host:

# Install
brew install infisical/get-cli/infisical

# Login and init
infisical login
infisical init

# Run with secrets
infisical run -- npm run dev

Pros: Open-source. Self-hostable (important for air-gapped or regulated environments). Feature-rich: secret rotation, dynamic secrets, PKI. Active community.

Cons: Self-hosting adds operational burden. Cloud pricing starts at $18/user/month. More complex setup than lightweight alternatives.


Comparison Table

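| Feature | dotenv | Node.js --env-file | dotenvx | Keyway | Doppler | Infisical |
|---|---|---|---|---|---|---|
| Secrets on disk | Plaintext | Plaintext | Encrypted | Never | Never | Never |
| AI-tool safe | No | No | Partial | Yes | Yes | Yes |
| Team sharing | Manual | Manual | Via git | GitHub auth | Dashboard | Dashboard |
| Audit trail | No | No | Git history | Yes | Yes | Yes |
| Self-hosted | N/A | N/A | Yes (git) | No | No | Yes |
| Language support | Node.js | Node.js | Any | Any | Any | Any |
| Setup time | 1 min | 0 min | 5 min | 3 min | 10 min | 15 min |
| Pricing | Free | Free | Free | Free (public repos) | Free 5 users | Free 5 users |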

When .env Files Are Still Fine

Let's be honest. Not every project needs a secrets manager. Plain .env files are perfectly fine when:

  • Solo hobby projects where you're the only developer and the "secrets" are test API keys
  • Prototyping and hackathons where speed matters more than security posture
  • No sensitive data — if your .env only contains PORT=3000 and LOG_LEVEL=debug, there's nothing to protect
  • Tutorials and learning where adding a secrets manager is unnecessary complexity
  • Air-gapped environments with no network access (consider dotenvx here)

The moment you have real API keys, database credentials, or payment provider secrets — and especially when you're working with AI coding tools — it's time to upgrade.


How to Choose

"I just want to drop the dotenv dependency" -- Use Node.js --env-file. Zero effort.

"I want encrypted files in git, no external service" -- Use dotenvx. Git-native, no accounts needed.

"I want secrets off disk, simple setup" -- Use Keyway. GitHub auth, zero-disk secrets, works in minutes.

"I need enterprise features: SSO, RBAC, rotation" -- Use Doppler or Infisical. They're built for this.

"I must self-host everything" -- Use Infisical (full platform) or dotenvx (files in git).

The common thread: whatever you pick, stop sharing .env files over Slack.

