Skip to content

Commit 7bae585

Browse files
authored
chore: first class support for nuxt (#454)
1 parent 353cacf commit 7bae585

22 files changed

Lines changed: 533 additions & 16 deletions

.changeset/ripe-ducks-flash.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
'dotenv-diff': minor
3+
---
4+
5+
added first class support for nuxt

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
Scan your codebase to detect every environment variable reference. It helps you catch missing, unused, duplicated, and misused variables early, before they cause runtime errors.
44

5-
First-class support for SvelteKit and Next.js. Also works well in modern JavaScript/TypeScript projects and frameworks like Node.js, Nuxt, and Vue — or any other setup where you want reliable .env file comparison.
5+
First-class support for SvelteKit, Next.js, and Nuxt. Also works well in modern JavaScript/TypeScript projects and frameworks like Node.js and Vue — or any other setup where you want reliable .env file comparison.
66

77
[![Coverage Status](https://codecov.io/gh/Chrilleweb/dotenv-diff/branch/main/graph/badge.svg)](https://codecov.io/gh/Chrilleweb/dotenv-diff)
88
[![npm version](https://img.shields.io/npm/v/dotenv-diff.svg)](https://www.npmjs.com/package/dotenv-diff)
@@ -52,7 +52,7 @@ Easily integrate dotenv-diff into your Git hooks or CI/CD pipelines to enforce e
5252

5353
## Framework-Specific Warnings
5454

55-
In SvelteKit and Next.js projects, dotenv-diff detects framework-specific
55+
In SvelteKit, Next.js, and Nuxt projects, dotenv-diff detects framework-specific
5656
environment variable misuses.
5757

5858
Example warning:

docs/frameworks/index.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ This section explains which framework-specific environment variable are currentl
88

99
- [SvelteKit warnings](./sveltekit_warnings.md)
1010
- [Next.js warnings](./nextjs_warnings.md)
11+
- [Nuxt warnings](./nuxt_warnings.md)
1112

1213
---
1314

@@ -19,6 +20,7 @@ E.g.
1920

2021
- If `@sveltejs/kit` is present, SvelteKit rules are enabled.
2122
- If `next` is present, Next.js rules are enabled.
22-
- If neither is detected, framework-specific warnings are skipped.
23+
- If `nuxt` is present, Nuxt rules are enabled.
24+
- If none is detected, framework-specific warnings are skipped.
2325

2426
---

docs/frameworks/nuxt_warnings.md

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
# Nuxt warnings
2+
3+
`dotenv-diff` includes Nuxt-specific rules to catch unsafe or unreliable environment variable usage.
4+
5+
This page reflects the currently implemented rule behavior and targets Nuxt 3.
6+
7+
## Background
8+
9+
Nuxt exposes runtime configuration through `runtimeConfig` (private, server-only) and `runtimeConfig.public` (exposed to the client), accessed via `useRuntimeConfig()`.
10+
11+
In production, `.env` files are **not** read at runtime, and `process.env` is **not** populated in the browser. Environment variables only override runtime config when prefixed with `NUXT_` (private) or `NUXT_PUBLIC_` (public).
12+
13+
## 1 `process.env` in client/universal code
14+
15+
`process.env` is unreliable outside server code: it is not available in the browser, and `.env` files are not read at runtime in production.
16+
17+
```vue
18+
<script setup lang="ts">
19+
const key = process.env.API_SECRET; // ⚠️
20+
</script>
21+
```
22+
23+
Warning:
24+
25+
`process.env is not available in the browser; use useRuntimeConfig() instead`
26+
27+
## 2 Sensitive-looking `NUXT_PUBLIC_` names trigger exposure warnings
28+
29+
If a `NUXT_PUBLIC_` variable contains `SECRET`, `PRIVATE`, or `PASSWORD`, a warning is produced — these values are exposed to the browser.
30+
31+
```ts
32+
process.env.NUXT_PUBLIC_API_SECRET;
33+
```
34+
35+
Warning:
36+
37+
`Potential sensitive environment variable exposed to the browser`
38+
39+
## What is allowed
40+
41+
`process.env` is allowed in server-only contexts without framework warnings:
42+
43+
- The Nitro `server/` directory (`server/api`, `server/routes`, `server/middleware`, etc.)
44+
- `.server.` suffixed files (for example `plugins/auth.server.ts`)
45+
- `nuxt.config.{ts,js,mjs,cjs}` (where env vars feed `runtimeConfig`)
46+
47+
## Summary of rules
48+
49+
- `process.env` in client/universal code → use `useRuntimeConfig()`
50+
- Sensitive names in `NUXT_PUBLIC_*` → warning
51+
52+
## Best practices
53+
54+
- Use `runtimeConfig` / `useRuntimeConfig()` instead of reading `process.env` directly in app code
55+
- Only put browser-safe values under `runtimeConfig.public` / `NUXT_PUBLIC_*`
56+
- Keep secrets in server-only code paths (`server/`, `.server.` files)

docs/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,7 @@ If you choose not to create a file, `dotenv-diff` will still scan your codebase
5353
| [Framework Warnings (Index)](./frameworks/index.md) | Framework detection and links to supported framework rules |
5454
| [SvelteKit warnings](./frameworks/sveltekit_warnings.md) | SvelteKit-specific env validation rules |
5555
| [Next.js warnings](./frameworks/nextjs_warnings.md) | Next.js-specific env validation rules |
56+
| [Nuxt warnings](./frameworks/nuxt_warnings.md) | Nuxt-specific env validation rules |
5657

5758
---
5859

packages/cli/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
Scan your codebase to detect every environment variable reference. It helps you catch missing, unused, duplicated, and misused variables early, before they cause runtime errors.
44

5-
First-class support for SvelteKit and Next.js. Also works well in modern JavaScript/TypeScript projects and frameworks like Node.js, Nuxt, and Vue — or any other setup where you want reliable .env file comparison.
5+
First-class support for SvelteKit, Next.js, and Nuxt. Also works well in modern JavaScript/TypeScript projects and frameworks like Node.js and Vue — or any other setup where you want reliable .env file comparison.
66

77
[![Coverage Status](https://codecov.io/gh/Chrilleweb/dotenv-diff/branch/main/graph/badge.svg)](https://codecov.io/gh/Chrilleweb/dotenv-diff)
88
[![npm version](https://img.shields.io/npm/v/dotenv-diff.svg)](https://www.npmjs.com/package/dotenv-diff)
@@ -52,7 +52,7 @@ Easily integrate dotenv-diff into your Git hooks or CI/CD pipelines to enforce e
5252

5353
## Framework-Specific Warnings
5454

55-
In SvelteKit and Next.js projects, dotenv-diff detects framework-specific
55+
In SvelteKit, Next.js, and Nuxt projects, dotenv-diff detects framework-specific
5656
environment variable misuses.
5757

5858
Example warning:

packages/cli/src/config/types.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ import { type SecretFinding } from '../core/security/secretDetectors.js';
44
/**
55
* Supported frameworks
66
*/
7-
export type SupportedFramework = 'sveltekit' | 'nextjs';
7+
export type SupportedFramework = 'sveltekit' | 'nextjs' | 'nuxt';
88

99
/**
1010
* Result of framework detection (may be unsupported)

packages/cli/src/core/frameworks/frameworkDetector.ts

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,14 @@ export function detectFramework(cwd: string): FrameworkDetection {
4848
};
4949
}
5050

51+
// Check for Nuxt
52+
if (deps['nuxt']) {
53+
return {
54+
framework: 'nuxt',
55+
version: deps['nuxt'],
56+
};
57+
}
58+
5159
return { framework: 'unknown' };
5260
} catch {
5361
return { framework: 'unknown' };

packages/cli/src/core/frameworks/frameworkValidator.ts

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
11
import type { EnvUsage, FrameworkWarning } from '../../config/types.js';
22
import { detectFramework } from './frameworkDetector.js';
3-
import { applySvelteKitRules, applyNextJsRules } from './index.js';
3+
import {
4+
applySvelteKitRules,
5+
applyNextJsRules,
6+
applyNuxtRules,
7+
} from './index.js';
48

59
/**
610
* Validates environment variable usages against framework-specific rules
@@ -20,6 +24,7 @@ export function frameworkValidator(
2024
for (const u of usages) {
2125
if (framework === 'sveltekit') applySvelteKitRules(u, warnings);
2226
if (framework === 'nextjs') applyNextJsRules(u, warnings, fileContentMap);
27+
if (framework === 'nuxt') applyNuxtRules(u, warnings);
2328
}
2429

2530
return warnings;
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
11
export { applySvelteKitRules } from './sveltekitRules.js';
22
export { applyNextJsRules } from './nextJsRules.js';
3+
export { applyNuxtRules } from './nuxtRules.js';

0 commit comments

Comments
 (0)