dotenv-expand

Extends dotenv with variable expansion support. Allows .env files to reference other variables: DATABASE_URL=postgres://${DB_USER}:${DB_PASS}@${DB_HOST}/${DB_NAME}. Works as a post-processor on top of dotenv's parsed output. Enables DRY configuration files where base variables are reused in composite values.

Evaluated Mar 06, 2026 (0d ago) v10.x / 11.x
Homepage ↗ Repo ↗ Developer Tools dotenv environment-variables variable-expansion configuration node
⚙ Agent Friendliness
65
/ 100
Can an agent use this?
🔒 Security
89
/ 100
Is it safe for agents?
⚡ Reliability
86
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
82
Error Messages
72
Auth Simplicity
100
Rate Limits
100

🔒 Security

TLS Enforcement
100
Auth Strength
88
Scope Granularity
88
Dep. Hygiene
92
Secret Handling
78

BSD 2-Clause licensed. .env files with secrets should be in .gitignore. Variable expansion may expose secret values in composed variables — log with care.

⚡ Reliability

Uptime/SLA
95
Version Stability
88
Breaking Changes
82
Error Recovery
80
AF Security Reliability

Best When

You use dotenv and want to compose environment variable values from other variables to reduce duplication in .env files.

Avoid When

You don't need variable composition — plain dotenv is simpler. For production secrets, use dedicated secrets management.

Use Cases

  • Compose environment variable values from base variables in agent .env files (connection strings, URLs)
  • Reduce duplication in agent configuration files by referencing shared variables in composite values
  • Support multiple environments where DATABASE_URL is built from shared host/user/password variables
  • Enable hierarchical configuration where base URL components are combined into full API endpoint URLs
  • Build deployment configurations where agent API URLs reference base DOMAIN and API_VERSION variables

Not For

  • Production secrets management — .env files with dotenv-expand still need to be secured; use Vault or cloud secrets for production
  • Complex templating — use mustache or handlebars for rich variable templates; dotenv-expand only handles ${VAR} substitution
  • Non-Node.js environments — dotenv-expand is Node.js only

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

Local library — no authentication required. BSD 2-Clause licensed.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

BSD 2-Clause licensed. Zero cost.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • Must call after dotenv.config(): const dotenv = require('dotenv'); const expand = require('dotenv-expand'); expand.expand(dotenv.config())
  • Circular references silently produce empty values — ${A}=${B} and ${B}=${A} will expand to empty strings without error
  • Undefined variable references expand to empty string — ${UNDEFINED_VAR} becomes '' without warning; validate required variables after expansion
  • Existing environment variables take precedence over .env file by default — dotenv-expand respects the override:false default of dotenv
  • v10+ changed API: dotenv.config() output passed to expand.expand() — check version if using older documentation
  • Windows PATH separator awareness: variable values with file paths containing backslashes may need manual handling

Alternatives

dotenv-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for dotenv-expand.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5215
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered