Pull Request
Merged
381

Replace dotenv with native Node.js API

NodeSecure/cli

Replaced the dotenv package with Node.js 20+ native process.loadEnvFile() API

The Problem

The NodeSecure CLI, a security analysis tool for Node.js projects, relied on the dotenv package to load environment variables from .env files. While dotenv is a widely-used package, Node.js 20.6.0 introduced a native API for this exact purpose: process.loadEnvFile().

Using an external dependency for functionality that’s now built into Node.js has several drawbacks:

  • Increased dependency footprint - Every additional dependency is a potential security surface and maintenance burden
  • Unnecessary complexity - For a security-focused tool like NodeSecure, minimizing external dependencies aligns with the project’s philosophy
  • Native alternatives exist - Node.js now provides first-class support for .env file loading

This issue was labeled as a “good first issue” by the maintainer @fraxken, making it an ideal opportunity to contribute to the project.

The Solution

I replaced the dotenv dependency with Node.js’s native process.loadEnvFile() API. The key challenge was maintaining the same behavior as the original implementation, specifically the “quiet” mode that silently ignores missing .env files.

The original code used:

dotenv.config({ quiet: true });

This was replaced with:

try {
  process.loadEnvFile();
} catch {
  // Silently ignore missing .env files
}

The try/catch block ensures that if a .env file doesn’t exist, the application continues without error - matching the original quiet: true behavior.
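An added example, not code from the PR or from NodeSecure/cli: a bare catch like the one above also swallows failures other than a missing file, so this variant stays quiet only on ENOENT and rethrows everything else. The names loadEnvQuietly, loader and fakeLoader are hypothetical, and the fake loaders are constructed stand-ins for process.loadEnvFile() so the behaviour can be shown without touching the file system.

```javascript
// Added example, not code from NodeSecure/cli. loadEnvQuietly and its
// `loader` parameter are hypothetical names introduced for illustration.

// Load a .env file, staying quiet only when the file does not exist.
// Any other failure (unreadable file, path is a directory, ...) is rethrown
// so a misconfigured environment is not mistaken for "no .env present".
function loadEnvQuietly(file = ".env", loader = (f) => process.loadEnvFile(f)) {
  try {
    loader(file);
    return { loaded: true, skipped: null };
  } catch (error) {
    if (error && error.code === "ENOENT") {
      return { loaded: false, skipped: "ENOENT" };
    }
    throw error;
  }
}

// Constructed stand-in for process.loadEnvFile(): succeeds when code is
// null, otherwise throws an error carrying that system error code.
function fakeLoader(code) {
  return (file) => {
    if (code === null) return;
    const error = new Error(`${code}: cannot load '${file}'`);
    error.code = code;
    throw error;
  };
}

// Run the helper against each constructed outcome and record what happened.
function demo() {
  const outcomes = {};
  for (const code of [null, "ENOENT", "EACCES", "EISDIR"]) {
    try {
      const result = loadEnvQuietly(".env", fakeLoader(code));
      outcomes[String(code)] = result.loaded ? "loaded" : `skipped (${result.skipped})`;
    } catch (error) {
      outcomes[String(code)] = `rethrown (${error.code})`;
    }
  }
  return outcomes;
}

console.log(demo());
```
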

Additionally, I removed the dotenv package from package.json, reducing the project’s dependency count.

Files Changed

| File | Change |
| --- | --- |
| bin/index.js | Replaced dotenv.config() with native process.loadEnvFile() |
| package.json | Removed dotenv dependency |
| test/commands/cache.test.js | Updated tests to reflect new implementation |
| test/commands/summary.test.js | Updated tests to reflect new implementation |
| test/commands/verify.test.js | Updated tests to reflect new implementation |

Timeline

| Date | Event |
| --- | --- |
| 2025-12-18 | Issue #636 opened by @fraxken |
| 2025-12-18 | Implemented solution and submitted PR #638 |
| 2025-12-19 | PR reviewed and merged by @fraxken |

Verification

All automated checks passed with strong results:

  • 100% test coverage on all modified and coverable lines
  • 8 automated checks completed (7 passed, 1 skipped)
  • Merged into master branch with commit f1669f2

This contribution demonstrates how Node.js’s evolving native capabilities can simplify codebases by replacing external dependencies with built-in alternatives.