Skip to content

Chore: add .env to gitignore to prevent accidental secret leaks #268

Description

@spaciousejar

Summary

The .gitignore only excludes .env*.local files. Standard .env, .env.development, .env.production, and .env.staging files would NOT be ignored if created. If a contributor accidentally commits an env file containing secrets (API keys, tokens), those secrets become permanently visible in git history.

Current .gitignore (relevant section)

# local env files
.env*.local

Suggested fix

Replace that block with:

# local env files
.env
.env*.local
.env.development
.env.production
.env.staging
.env.test

Or more concisely, add .env before the existing pattern so it catches all env file variants:

# local env files
.env
.env*.local

Impact

Low likelihood but high impact if triggered. An easy hardening step for any open-source project with external contributors.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workinggood first issueGood for newcomers

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions