Skip to content

sveltekit_warnings.md

Latest commit

 

History

History
138 lines (91 loc) · 3.1 KB

sveltekit_warnings.md

File metadata and controls

138 lines (91 loc) · 3.1 KB

SvelteKit warnings

dotenv-diff includes SvelteKit-specific rules for invalid or unsafe environment variable usage.

This page documents the exact warning behavior currently implemented.

1 import.meta.env must use VITE_ prefix

import.meta.env.PUBLIC_URL

Warning:

Variables accessed through import.meta.env must start with "VITE_"

Correct usage:

import.meta.env.VITE_PUBLIC_URL

2 process.env should only be used in server files

// Warning in client file
const apiUrl = process.env.API_URL;

// No warning in server file
export async function load() {
  const secret = process.env.DATABASE_PASSWORD;
}

Warning:

process.env should only be used in server files

Note: process.env is allowed in configuration files like svelte.config.js or svelte.config.ts, as these are Node.js files that run during build time.

3 $env/dynamic/private cannot be used in client-side code

<script lang="ts">
  import { env } from '$env/dynamic/private';
  console.log(env.SECRET_KEY);
</script>

Warning:

$env/dynamic/private cannot be used in client-side code

4 $env/dynamic/private variables must not start with PUBLIC_

import { env } from '$env/dynamic/private';
console.log(env.PUBLIC_API_URL);

Warning:

$env/dynamic/private variables must not start with "PUBLIC_"

5 $env/dynamic/public variables must start with PUBLIC_

import { env } from '$env/dynamic/public';
console.log(env.API_URL);

Warning:

$env/dynamic/public variables must start with "PUBLIC_"

6 $env/static/private variables must not start with PUBLIC_

import { PUBLIC_KEY } from '$env/static/private';

Warning:

$env/static/private variables must not start with "PUBLIC_"

7 $env/static/private cannot be used in client-side code

<script lang="ts">
  import { SECRET_KEY } from '$env/static/private';
</script>

Warning:

$env/static/private variables cannot be used in client-side code

8 $env/static/public variables must start with PUBLIC_

import { API_URL } from '$env/static/public';

Warning:

$env/static/public variables must start with "PUBLIC_"

9 Sensitive-looking PUBLIC_ / VITE_ names trigger exposure warnings

If a client-exposed name contains SECRET, PRIVATE, or PASSWORD, a warning is produced.

<script lang="ts">
  import { env } from '$env/dynamic/public';
  console.log(env.PUBLIC_SECRET_PASSWORD);
</script>

Warning:

Potential sensitive environment variable exposed to the browser

Summary of rules

  • import.meta.env → must use VITE_*
  • process.env → server files only
  • $env/dynamic/private → server-only, never PUBLIC_*
  • $env/dynamic/public → must use PUBLIC_*
  • $env/static/private → server-only, never PUBLIC_*
  • $env/static/public → must use PUBLIC_*
  • Sensitive client-exposed names (PUBLIC_*/VITE_*) → warning

Best practices

  • Use PUBLIC_* only for values intended for the browser
  • Use VITE_* only via import.meta.env
  • Keep private variables in server-only code
  • Never expose secrets via PUBLIC_* or VITE_*