Integrated ESLint rule for safe Environment Variable usage

[jasongerbes]

Describe the feature you'd like to request

Add a lint rule to ensure safe usage of process.env, as per Next's requirements.

Valid:

• process.env.PUBLISHABLE_KEY
• process.env['PUBLISHABLE_KEY']

Invalid:

• const { PUBLISHABLE_KEY } = process.env
• process.env[varName]

From the Next.js docs:

Note: In order to keep server-only secrets safe, environment variables are evaluated at build time, so only environment variables actually used will be included. This means that process.env is not a standard JavaScript object, so you’re not able to use object destructuring. Environment variables must be referenced as e.g. process.env.PUBLISHABLE_KEY, not const { PUBLISHABLE_KEY } = process.env.

And:

Note that dynamic lookups will not be inlined, such as:

// This will NOT be inlined, because it uses a variable
const varName = 'NEXT_PUBLIC_ANALYTICS_ID'
setupAnalyticsService(process.env[varName])

// This will NOT be inlined, because it uses a variable
const env = process.env
setupAnalyticsService(env.NEXT_PUBLIC_ANALYTICS_ID)

Describe the solution you'd like

A new custom Next ESLint rule to @next/eslint-plugin-next that ensures safe usage of environment variables.

{
  "extends": "next",
  "rules": {
    "@next/next/no-unsafe-process-env": "error"
  }
}

Describe alternatives you've considered

There don't appear to be any existing lint rules that prevent destructuring assignment and dynamic property access of process.env.

I've created a local custom lint rule that works with the valid/invalid scenarios above. Happy to create a PR to add this to @next/eslint-plugin-next if you think this may be useful.

[bjornsnoen]

@jasongerbes could you share the local custom lint rule you created, if you still have it?

[GiovanniColonni]

Hi, since im also interested to this feature, here is the rule:

module.exports = {
    meta: {
        type: 'problem',
        docs: {
            description: 'disallow use of process.env',
            category: 'Best Practices',
            recommended: true
        },
        messages: {
            noProcessEnv: "Using 'process.env' is not allowed. Use a safe alternative like getenv."
        },
        schema: [] 
    },
    create: function (context) {
        return {
            MemberExpression(node) {
                if (
                    node.object.name === 'process' &&
                    node.property.name === 'env'
                ) {
                    context.report({
                        node,
                        messageId: 'noProcessEnv'
                    });
                }
            }
        };
    }
};