Summary
The .gitignore only excludes .env*.local files. Standard .env, .env.development, .env.production, and .env.staging files would NOT be ignored if created. If a contributor accidentally commits an env file containing secrets (API keys, tokens), those secrets become permanently visible in git history.
Current .gitignore (relevant section)
# local env files
.env*.local
Suggested fix
Replace that block with:
# local env files
.env
.env*.local
.env.development
.env.production
.env.staging
.env.test
Or more concisely, add .env before the existing pattern so it catches all env file variants:
# local env files
.env
.env*.local
Impact
Low likelihood but high impact if triggered. An easy hardening step for any open-source project with external contributors.
Summary
The
.gitignoreonly excludes.env*.localfiles. Standard.env,.env.development,.env.production, and.env.stagingfiles would NOT be ignored if created. If a contributor accidentally commits an env file containing secrets (API keys, tokens), those secrets become permanently visible in git history.Current
.gitignore(relevant section)Suggested fix
Replace that block with:
Or more concisely, add
.envbefore the existing pattern so it catches all env file variants:Impact
Low likelihood but high impact if triggered. An easy hardening step for any open-source project with external contributors.