fix: false warning + destructering env (#345)

Chrilleweb · web-flow · commit 495e282ff378 · 2026-03-27T16:17:17.000+01:00
diff --git a/.changeset/slimy-jokes-know.md b/.changeset/slimy-jokes-know.md
@@ -0,0 +1,5 @@
+---
+'dotenv-diff': patch
+---
+
+fixed false warning in sveltekit config files
diff --git a/.changeset/smart-planes-wash.md b/.changeset/smart-planes-wash.md
@@ -0,0 +1,5 @@
+---
+'dotenv-diff': patch
+---
+
+sveltekit object destructering from env
diff --git a/docs/capabilities.md b/docs/capabilities.md
@@ -25,6 +25,8 @@ import.meta.env['MY_KEY']
 import { env } from '$env/dynamic/private';
 import { env } from '$env/dynamic/public';
 env.MY_KEY
+const { MY_KEY } = env
+const { MY_KEY: alias, OTHER_KEY = "fallback" } = env
 
 // SvelteKit – static (named imports)
 import { MY_KEY } from '$env/static/private';
diff --git a/docs/frameworks/sveltekit_warnings.md b/docs/frameworks/sveltekit_warnings.md
@@ -23,13 +23,21 @@ import.meta.env.VITE_PUBLIC_URL
 ## 2 `process.env` should only be used in server files
 
 ```ts
-process.env.VITE_SECRET
+// Warning in client file
+const apiUrl = process.env.API_URL;
+
+// No warning in server file
+export async function load() {
+  const secret = process.env.DATABASE_PASSWORD;
+}
 ```
 
 Warning:
 
 `process.env should only be used in server files`
 
+**Note:** `process.env` is allowed in configuration files like `svelte.config.js` or `svelte.config.ts`, as these are Node.js files that run during build time.
+
 ## 3 `$env/dynamic/private` cannot be used in client-side code
 
 ```svelte
diff --git a/packages/cli/src/core/frameworks/sveltekitRules.ts b/packages/cli/src/core/frameworks/sveltekitRules.ts
@@ -18,6 +18,9 @@ export function applySvelteKitRules(
     return;
   }
 
+  // Config files are allowed to use process.env
+  const isConfigFile = /svelte\.config\.(ts|js)$/.test(normalizedFile);
+
   const isServerFile =
     // SvelteKit route server files
     normalizedFile.includes('/+server.') ||
@@ -50,7 +53,7 @@ export function applySvelteKitRules(
 
   // process.env
   if (u.pattern === 'process.env') {
-    if (!isServerFile) {
+    if (!isServerFile && !isConfigFile) {
       warnings.push({
         variable: u.variable,
         reason: 'process.env should only be used in server files',
diff --git a/packages/cli/src/core/scan/patterns.ts b/packages/cli/src/core/scan/patterns.ts
@@ -94,6 +94,30 @@ export const ENV_PATTERNS: Pattern[] = [
     regex: /(?<![.\w])env\.([A-Z_][A-Z0-9_]*)/g,
   },
 
+  // SvelteKit object destructuring from env
+  // const { VAR1, VAR2 } = env; (destructured from $env/dynamic/* or $env/static/*)
+  {
+    name: 'sveltekit' as const,
+    regex: /\{([^}]*)\}\s*=\s*env\b/g,
+    processor: (match) => {
+      const content = match[1];
+      if (!content) return [];
+
+      return content
+        .split(',')
+        .map((part) => part.trim())
+        .filter(Boolean)
+        .map((part) => {
+          // Handle aliases: VAR: alias
+          // Handle defaults: VAR = "value"
+          // We want the left-most identifier
+          const [key] = part.split(/[:=]/);
+          return key ? key.trim() : '';
+        })
+        .filter((key) => /^[A-Z_][A-Z0-9_]*$/.test(key));
+    },
+  },
+
   // named import from dynamic is invalid in SvelteKit
   // import { env } from '$env/dynamic/private';
   {
diff --git a/packages/cli/test/unit/core/frameworks/sveltekitRules.test.ts b/packages/cli/test/unit/core/frameworks/sveltekitRules.test.ts
@@ -66,6 +66,16 @@ describe('applySvelteKitRules', () => {
     expect(warnings).toHaveLength(0);
   });
 
+  it('allows process.env in svelte.config.js', () => {
+    applySvelteKitRules({ ...baseUsage, file: 'svelte.config.js' }, warnings);
+    expect(warnings).toHaveLength(0);
+  });
+
+  it('allows process.env in svelte.config.ts', () => {
+    applySvelteKitRules({ ...baseUsage, file: 'svelte.config.ts' }, warnings);
+    expect(warnings).toHaveLength(0);
+  });
+
   // dynamic private
   it('warns dynamic/private in svelte file', () => {
     applySvelteKitRules(
diff --git a/packages/cli/test/unit/core/scan/patterns.test.ts b/packages/cli/test/unit/core/scan/patterns.test.ts
@@ -180,4 +180,81 @@ describe('scanFile - Pattern Detection', () => {
       });
     });
   });
+
+  describe('SvelteKit env Object Access', () => {
+    it('detects env.VARIABLE_NAME access', () => {
+      const code = 'const token = env.KEYCLOAK_SECRET;';
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(1);
+      expect(result[0]).toMatchObject({
+        variable: 'KEYCLOAK_SECRET',
+        pattern: 'sveltekit',
+      });
+    });
+
+    it('detects destructuring from env: const { VAR1, VAR2 } = env', () => {
+      const code = 'const { KEYCLOAK_URL, KEYCLOAK_REALM } = env;';
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(2);
+      const variables = result.map((u) => u.variable).sort();
+      expect(variables).toEqual(['KEYCLOAK_REALM', 'KEYCLOAK_URL']);
+    });
+
+    it('detects destructuring with aliasing: const { VAR: alias } = env', () => {
+      const code = 'const { KEYCLOAK_URL: url } = env;';
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(1);
+      expect(result[0]).toMatchObject({
+        variable: 'KEYCLOAK_URL',
+        pattern: 'sveltekit',
+      });
+    });
+
+    it('detects destructuring with default values: const { VAR = "default" } = env', () => {
+      const code = 'const { KEYCLOAK_URL = "http://localhost:8080" } = env;';
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(1);
+      expect(result[0]).toMatchObject({
+        variable: 'KEYCLOAK_URL',
+        pattern: 'sveltekit',
+      });
+    });
+
+    it('detects multiple mixed destructuring from env', () => {
+      const code =
+        'const { KEYCLOAK_URL, KEYCLOAK_REALM: realm, CLIENT_SECRET = "default" } = env;';
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(3);
+      const variables = result.map((u) => u.variable).sort();
+      expect(variables).toEqual([
+        'CLIENT_SECRET',
+        'KEYCLOAK_REALM',
+        'KEYCLOAK_URL',
+      ]);
+    });
+
+    it('detects multiline destructuring from env', () => {
+      const code = `
+        const { 
+          KEYCLOAK_URL,
+          KEYCLOAK_REALM,
+          CLIENT_ID
+        } = env;
+      `;
+      const result = scanFile('test.ts', code, baseOpts);
+
+      expect(result).toHaveLength(3);
+      const variables = result.map((u) => u.variable).sort();
+      expect(variables).toEqual([
+        'CLIENT_ID',
+        'KEYCLOAK_REALM',
+        'KEYCLOAK_URL',
+      ]);
+    });
+  });
 });

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'dotenv-diff': patch
 +---
++
 +fixed false warning in sveltekit config files