DEV Community

Discussion on: How to dynamically change your React Environment variables without re-building

Stacey Wilson

What are the security implications when you set the dot env in an external script? Are we risking any exposure to outside actors?

lynn Author • Edited on

Good question! The biggest risk is that the current instructions provided do not lock it to any specific version. This means that if my npm account were compromised by a malicious attacker, they could add an additional line of code that sends all the data to a remote server. They could then publish a new version on npm, and everyone would execute the new malicious code instead.

To guard yourself against this, you can lock the version by installing and specifying it in your package.json. This will ensure that you will always run the same version of the script, where the source code can be verified at GitHub. This is good practice in general anyway, so I'll be editing the article to add instructions on how to do this.

On a side note, React webpages are typically public and client-side, which means that they are typically not able to guard secrets. In general, they should not have any sensitive information being passed to them at build time.
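The version-locking advice in the reply above is easy to get wrong, because the default `npm install` writes a caret range (`^1.0.0`) rather than an exact version, which still lets a newly published release be picked up. The following is an added example, not code from the thread or from the article's package: a small Node script that reads a `package.json` and reports every dependency whose spec is not pinned to one exact version. The package names in the embedded sample (`env-runtime-script`, `some-tool`, `local-thing`) are constructed placeholders, not real packages.

```javascript
// Added example: flag dependency specs in package.json that can resolve to
// more than one published version. Exact "x.y.z" specs (optionally with a
// prerelease/build suffix) are the only ones treated as pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns null when the spec is pinned, otherwise a short reason string.
function classifySpec(spec) {
  if (typeof spec !== 'string' || spec.trim() === '') return 'empty spec';
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return null;
  if (s === '*' || s === 'latest') return 'wildcard/dist-tag resolves to whatever is newest';
  if (/^[\^~]/.test(s)) return `range operator "${s[0]}" allows newer releases`;
  if (/^(>=?|<=?|=)/.test(s) || /\s-\s/.test(s) || /\|\|/.test(s) || /[xX*]/.test(s)) {
    return 'range allows more than one version';
  }
  if (/^(git\+|github:|https?:|file:|npm:)/.test(s) || /\//.test(s)) {
    return 'non-registry or aliased source; verify the commit or tarball it points at';
  }
  if (/^\d+(\.\d+)?$/.test(s)) return 'partial version behaves like a range';
  return 'unrecognised spec, review manually';
}

// Walks the dependency fields of a parsed package.json and collects findings.
function findUnpinnedDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Convenience wrapper for raw file contents (e.g. fs.readFileSync('package.json', 'utf8')).
function scanPackageJsonText(text) {
  return findUnpinnedDependencies(JSON.parse(text));
}

// Constructed sample package.json; package names other than react/lodash/eslint
// are hypothetical and exist only to exercise each branch above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-react-app',
  dependencies: {
    react: '18.2.0',                 // pinned: not reported
    'env-runtime-script': '^1.0.0',  // caret range: reported
    'some-tool': 'latest',           // dist-tag: reported
    lodash: '4.17.21',               // pinned: not reported
  },
  devDependencies: {
    eslint: '~8.0.0',                // tilde range: reported
    'local-thing': 'file:../local-thing', // non-registry source: reported
  },
});

// Prints a human-readable report for the sample when run directly with node.
function report(text) {
  const findings = scanPackageJsonText(text);
  for (const f of findings) {
    console.log(`${f.field}: ${f.name}@${f.spec} -> ${f.reason}`);
  }
  return findings.length;
}

report(SAMPLE_PACKAGE_JSON);
```

Pinning the spec in `package.json` is half of the fix; the other half is committing the lockfile and installing with `npm ci`, which refuses to proceed if `package.json` and `package-lock.json` disagree, so a CI build cannot silently pull a newer release than the one whose source you reviewed. `npm install --save-exact <name>` writes the exact spec in the first place.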