Developer Productivity
The End of .env Files: Modern Secrets Management for Frontend Teams
A .env file is a plaintext secret taped to your filesystem. After years of supply-chain attacks targeting leaked env files, the industry is finally adopting real secrets management.

A .env file is a plaintext file containing secrets on your filesystem. No encryption, no audit trail, no rotation policy. Leaked .env files account for a measurable share of cloud credential breaches.
Modern secrets management tools Doppler, Infisical, 1Password CLI share a common pattern: secrets live in a central vault injected at runtime. Set dev to doppler run -- next dev. No .env file on disk.
Infisical provides a TypeScript SDK for self-hosted teams. The SDK approach generates typed autocomplete for every secret key.
The DX is better than .env: the first command after cloning is doppler setup, which authenticates and pulls correct variables automatically. No README section explaining which .env.example variables are required.
In CI, doppler run -- build with DOPPLER_TOKEN handles environment scoping automatically. No manual variable mapping.
Migration: 1) Audit current secrets 2) Choose a vault 3) Replace dev script 4) Remove .env files 5) Rotate every old secret 6) Document the one-line setup.
Plaintext secrets on a filesystem were always a bad idea. The tools have caught up to where the secure option is also the simpler one.