New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: ignore all .env
files for create-next-app
by default
#61920
Conversation
Stats from current PRDefault Build (Increase detected
|
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
buildDuration | 15s | 15.1s | |
buildDurationCached | 8.3s | 7.1s | N/A |
nodeModulesSize | 199 MB | 199 MB | ✓ |
nextStartRea..uration (ms) | 412ms | 412ms | ✓ |
Client Bundles (main, webpack)
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
2453-HASH.js gzip | 31.5 kB | 31.5 kB | N/A |
3304.HASH.js gzip | 169 B | 169 B | ✓ |
3f784ff6-HASH.js gzip | 53.7 kB | 53.7 kB | N/A |
8299-HASH.js gzip | 5.1 kB | 5.1 kB | N/A |
framework-HASH.js gzip | 45.2 kB | 45.2 kB | ✓ |
main-app-HASH.js gzip | 228 B | 228 B | ✓ |
main-HASH.js gzip | 29.6 kB | 29.7 kB | N/A |
webpack-HASH.js gzip | 1.64 kB | 1.65 kB | N/A |
Overall change | 45.6 kB | 45.6 kB | ✓ |
Legacy Client Bundles (polyfills)
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
Overall change | 31 kB | 31 kB | ✓ |
Client Pages
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
_app-HASH.js gzip | 193 B | 194 B | N/A |
_error-HASH.js gzip | 193 B | 191 B | N/A |
amp-HASH.js gzip | 511 B | 511 B | ✓ |
css-HASH.js gzip | 342 B | 343 B | N/A |
dynamic-HASH.js gzip | 2.51 kB | 2.51 kB | N/A |
edge-ssr-HASH.js gzip | 265 B | 265 B | ✓ |
head-HASH.js gzip | 365 B | 364 B | N/A |
hooks-HASH.js gzip | 389 B | 391 B | N/A |
image-HASH.js gzip | 4.28 kB | 4.28 kB | N/A |
index-HASH.js gzip | 269 B | 268 B | N/A |
link-HASH.js gzip | 2.68 kB | 2.69 kB | N/A |
routerDirect..HASH.js gzip | 328 B | 326 B | N/A |
script-HASH.js gzip | 395 B | 397 B | N/A |
withRouter-HASH.js gzip | 323 B | 323 B | ✓ |
1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
Overall change | 1.21 kB | 1.21 kB | ✓ |
Client Build Manifests
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
_buildManifest.js gzip | 483 B | 485 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
index.html gzip | 528 B | 529 B | N/A |
link.html gzip | 540 B | 542 B | N/A |
withRouter.html gzip | 523 B | 524 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Edge SSR bundle Size
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
edge-ssr.js gzip | 94.5 kB | 94.5 kB | N/A |
page.js gzip | 3.05 kB | 3.04 kB | N/A |
Overall change | 0 B | 0 B | ✓ |
Middleware size
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
middleware-b..fest.js gzip | 624 B | 626 B | N/A |
middleware-r..fest.js gzip | 155 B | 156 B | N/A |
middleware.js gzip | 25.6 kB | 25.6 kB | N/A |
edge-runtime..pack.js gzip | 839 B | 839 B | ✓ |
Overall change | 839 B | 839 B | ✓ |
Next Runtimes
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
app-page-exp...dev.js gzip | 171 kB | 171 kB | ✓ |
app-page-exp..prod.js gzip | 97.6 kB | 97.6 kB | ✓ |
app-page-tur..prod.js gzip | 99.4 kB | 99.4 kB | ✓ |
app-page-tur..prod.js gzip | 93.6 kB | 93.6 kB | ✓ |
app-page.run...dev.js gzip | 145 kB | 145 kB | ✓ |
app-page.run..prod.js gzip | 92.1 kB | 92.1 kB | ✓ |
app-route-ex...dev.js gzip | 21.5 kB | 21.5 kB | ✓ |
app-route-ex..prod.js gzip | 15.1 kB | 15.1 kB | ✓ |
app-route-tu..prod.js gzip | 15.1 kB | 15.1 kB | ✓ |
app-route-tu..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
app-route.ru...dev.js gzip | 21.2 kB | 21.2 kB | ✓ |
app-route.ru..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
pages-api-tu..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-api.ru...dev.js gzip | 9.82 kB | 9.82 kB | ✓ |
pages-api.ru..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-turbo...prod.js gzip | 21.4 kB | 21.4 kB | ✓ |
pages.runtim...dev.js gzip | 22.1 kB | 22.1 kB | ✓ |
pages.runtim..prod.js gzip | 21.4 kB | 21.4 kB | ✓ |
server.runti..prod.js gzip | 51.6 kB | 51.6 kB | ✓ |
Overall change | 946 kB | 946 kB | ✓ |
build cache Overall increase ⚠️
vercel/next.js canary | vercel/next.js env-ignore | Change | |
---|---|---|---|
0.pack gzip | 1.6 MB | 1.59 MB | N/A |
index.pack gzip | 106 kB | 107 kB | |
Overall change | 106 kB | 107 kB |
Diff details
Diff for middleware.js
Diff too large to display
Diff for image-HASH.js
@@ -1,7 +1,7 @@
(self["webpackChunk_N_E"] = self["webpackChunk_N_E"] || []).push([
[8358],
{
- /***/ 1552: /***/ (
+ /***/ 4070: /***/ (
__unused_webpack_module,
__unused_webpack_exports,
__webpack_require__
@@ -9,7 +9,7 @@
(window.__NEXT_P = window.__NEXT_P || []).push([
"/image",
function () {
- return __webpack_require__(5237);
+ return __webpack_require__(396);
},
]);
if (false) {
@@ -18,7 +18,7 @@
/***/
},
- /***/ 2016: /***/ (module, exports, __webpack_require__) => {
+ /***/ 8490: /***/ (module, exports, __webpack_require__) => {
"use strict";
/* __next_internal_client_entry_do_not_use__ cjs */
Object.defineProperty(exports, "__esModule", {
@@ -40,15 +40,15 @@
__webpack_require__(422)
);
const _head = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6074)
+ __webpack_require__(2457)
);
- const _getimgprops = __webpack_require__(9571);
- const _imageconfig = __webpack_require__(6567);
- const _imageconfigcontextsharedruntime = __webpack_require__(419);
- const _warnonce = __webpack_require__(4486);
- const _routercontextsharedruntime = __webpack_require__(162);
+ const _getimgprops = __webpack_require__(7932);
+ const _imageconfig = __webpack_require__(5706);
+ const _imageconfigcontextsharedruntime = __webpack_require__(9483);
+ const _warnonce = __webpack_require__(9035);
+ const _routercontextsharedruntime = __webpack_require__(4829);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6996)
+ __webpack_require__(7240)
);
// This is replaced by webpack define plugin
const configEnv = {
@@ -379,7 +379,7 @@
/***/
},
- /***/ 9571: /***/ (
+ /***/ 7932: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -395,9 +395,9 @@
return getImgProps;
},
});
- const _warnonce = __webpack_require__(4486);
- const _imageblursvg = __webpack_require__(133);
- const _imageconfig = __webpack_require__(6567);
+ const _warnonce = __webpack_require__(9035);
+ const _imageblursvg = __webpack_require__(2642);
+ const _imageconfig = __webpack_require__(5706);
const VALID_LOADING_VALUES =
/* unused pure expression or super */ null && [
"lazy",
@@ -772,7 +772,7 @@
/***/
},
- /***/ 133: /***/ (__unused_webpack_module, exports) => {
+ /***/ 2642: /***/ (__unused_webpack_module, exports) => {
"use strict";
/**
* A shared function, used on both client and server, to generate a SVG blur placeholder.
@@ -827,7 +827,7 @@
/***/
},
- /***/ 4085: /***/ (
+ /***/ 503: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -854,10 +854,10 @@
},
});
const _interop_require_default = __webpack_require__(2430);
- const _getimgprops = __webpack_require__(9571);
- const _imagecomponent = __webpack_require__(2016);
+ const _getimgprops = __webpack_require__(7932);
+ const _imagecomponent = __webpack_require__(8490);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(6996)
+ __webpack_require__(7240)
);
function getImageProps(imgProps) {
const { props } = (0, _getimgprops.getImgProps)(imgProps, {
@@ -889,7 +889,7 @@
/***/
},
- /***/ 6996: /***/ (__unused_webpack_module, exports) => {
+ /***/ 7240: /***/ (__unused_webpack_module, exports) => {
"use strict";
Object.defineProperty(exports, "__esModule", {
@@ -924,7 +924,7 @@
/***/
},
- /***/ 5237: /***/ (
+ /***/ 396: /***/ (
__unused_webpack_module,
__webpack_exports__,
__webpack_require__
@@ -941,8 +941,8 @@
// EXTERNAL MODULE: ./node_modules/.pnpm/react@18.2.0/node_modules/react/jsx-runtime.js
var jsx_runtime = __webpack_require__(1527);
- // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+main-repo+packages+next+next-packed.tgz_react-dom@18.2.0_react@18.2.0/node_modules/next/image.js
- var next_image = __webpack_require__(1577);
+ // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+diff-repo+packages+next+next-packed.tgz_react-dom@18.2.0_react@18.2.0/node_modules/next/image.js
+ var next_image = __webpack_require__(73);
var image_default = /*#__PURE__*/ __webpack_require__.n(next_image); // CONCATENATED MODULE: ./pages/nextjs.png
/* harmony default export */ const nextjs = {
src: "/_next/static/media/nextjs.cae0b805.png",
@@ -972,12 +972,8 @@
/***/
},
- /***/ 1577: /***/ (
- module,
- __unused_webpack_exports,
- __webpack_require__
- ) => {
- module.exports = __webpack_require__(4085);
+ /***/ 73: /***/ (module, __unused_webpack_exports, __webpack_require__) => {
+ module.exports = __webpack_require__(503);
/***/
},
@@ -987,7 +983,7 @@
/******/ var __webpack_exec__ = (moduleId) =>
__webpack_require__((__webpack_require__.s = moduleId));
/******/ __webpack_require__.O(0, [2888, 9774, 179], () =>
- __webpack_exec__(1552)
+ __webpack_exec__(4070)
);
/******/ var __webpack_exports__ = __webpack_require__.O();
/******/ _N_E = __webpack_exports__;
Diff for 2453-HASH.js
Diff too large to display
Diff for main-HASH.js
Diff too large to display
Tests Passed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
`.env.local` always overrides the defaults set. | ||
|
||
> **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. **`.env*.local` should be added to `.gitignore`**, as those files are intended to be ignored. `.env.local` is where secrets can be stored. | ||
> **Good to know**: `.env`, `.env.development`, and `.env.production` files should be included in your repository as they define defaults. All `.env` files are excluded in `.gitignore` by default, allowing you to opt-into committing these values to your repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we not mention .env
here? Aren't we trying to say that .env
is the new recommendation for secrets and such?
All
.env
files are excluded in.gitignore
by default, allowing you to opt-into committing these values to your repository.
This is only true if you are using the version of create-next-app
from the version up when this PR gets merged/released. If you are on a version below (maybe CNA was cached globally by your package manager), this might be confusing as your .env will be committed by default still.
Let's land this in the next major release of Next.js. See #61920 (comment) |
…#61920) We've seen too many instances of folks accidentally committing their `.env` files that I feel it's time to make this change. Up until now, Next.js has recommended that you use `.env.local` when working locally to store your environment variables. Some developers do intentionally want to commit their `.env` file without secret values to source control. However, the ecosystem is fragmented on `.local` support. There are tools which require secrets values that do _not_ support `.local` and require using `.env`. This means that it's possible to dump your secret values into a `.env` file and commit to source control, thinking that the defaults would have you covered. This change updates the defaults for `create-next-app` to ignore all `.env` files by default. If you want to commit then, you opt-in by modifying your `.gitignore`, versus the opposite. Related: https://x.com/complexlity/status/1755890800527892716 --------- Co-authored-by: Sam Ko <sam@vercel.com>
We've seen too many instances of folks accidentally committing their
.env
files that I feel it's time to make this change.Up until now, Next.js has recommended that you use
.env.local
when working locally to store your environment variables. Some developers do intentionally want to commit their.env
file without secret values to source control. However, the ecosystem is fragmented on.local
support.There are tools which require secrets values that do not support
.local
and require using.env
. This means that it's possible to dump your secret values into a.env
file and commit to source control, thinking that the defaults would have you covered.This change updates the defaults for
create-next-app
to ignore all.env
files by default. If you want to commit then, you opt-in by modifying your.gitignore
, versus the opposite.Related: https://x.com/complexlity/status/1755890800527892716