What ENV vars are exposed to the npm scripts?

[danielmahon]

Hello! I'm a tad confused on what/how the Heroku ENV vars are being exposed to the npm scripts. I think I understand about the prefixed REACT_APP_ compile vs runtime variables. But I can't seem to figure out how to expose variables like MY_AUTH_TOKEN to other npm scripts, not react-scripts. For example, I am running scripts after the build is complete, but I dont need or want ENV vars used for those scripts to be shared with create-react-app. Help?

[mars]

Hi @danielmahon 😄

By design, by default, Heroku does not expose any user-configured env vars to the build process. Buildpacks may selectively expose env vars to the build process.

For this buildpack, REACT_APP_, NODE_, & NPM_ prefixed env vars are exposed to the npm build script.

Commands set in package.json scripts.build property (by default simply react-scripts build) can read the values of those prefixed variables.

You can hijack the NODE_ or NPM_ prefix for your own variables. Avoid using the REACT_APP_ prefix for anything sensitive 🤐 like server-side auth tokens, because those variables will be visible when inspecting the app in a web browser.

[danielmahon]

@mars Awesome! Thank you. It all makes sense now... time to start hijacking.