@dotenvx/dotenvx 1.7.0 → 1.9.0

package/CHANGELOG.md

@@ -2,7 +2,40 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.7.0...main)
+## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.9.0...main)
+
+## 1.9.0
+
+### Added
+
+* add `--exclude-key` (`-ek`) option to `dotenvx encrypt` and `dotenvx decrypt` ([#344](https://github.com/dotenvx/dotenvx/pull/344))
+
+### Changed
+
+* preserve comments and spacing on first-time generation of .env.example file ([#346](https://github.com/dotenvx/dotenvx/pull/346))
+
+### Removed
+
+* removed `winston` - logger simplified to use `console.log` going forward ([#347](https://github.com/dotenvx/dotenvx/pull/347))
+
+## 1.8.0
+
+### Added
+
+* warn when decryption fails on `run` ([#339](https://github.com/dotenvx/dotenvx/pull/339))
+* decrypt expanded values as necessary ([#336](https://github.com/dotenvx/dotenvx/pull/336))
+
+### Changed
+
+* use `ansi` colors over `rgb` - for wider terminal coverage ([#340](https://github.com/dotenvx/dotenvx/pull/340))
+* replace `chalk` with `picocolors` and `color-name` - cutting down on 5 dependencies ([#335](https://github.com/dotenvx/dotenvx/pull/335))
+* replace `execa` with `tinyexec` - cutting down on 15 dependencies ([#328](https://github.com/dotenvx/dotenvx/pull/328))
+* optimize `Ls._filepaths` ([#317](https://github.com/dotenvx/dotenvx/pull/317/))
+
+### Removed
+
+* remove `picocolors` and `color-name` - cutting down on 2 dependencies ([#340](https://github.com/dotenvx/dotenvx/pull/340))
+* remove `ext hub` from extension list (you can still install it as an extension [here](https://github.com/dotenvx/dotenvx-ext-hub)) ([#337](https://github.com/dotenvx/dotenvx/pull/337))
 
 ## 1.7.0
 

package/README.md

@@ -27,31 +27,31 @@ console.log(`Hello ${process.env.HELLO}`)
 
 or install globally - *unlocks dotenv for any language, framework, or platform!*
 
-<details><summary>with brew 🍺</summary><br>
+<details><summary>with curl 🌐 </summary><br>
 
 ```sh
-brew install dotenvx/brew/dotenvx
+curl -sfS https://dotenvx.sh | sh
 dotenvx help
 ```
 
-[![brew installs](https://img.shields.io/github/downloads/dotenvx/dotenvx/total?label=brew%20installs)](https://github.com/dotenvx/homebrew-brew/blob/main/Formula/dotenvx.rb)
-<sup>*homebrew installs sourced from github releases - <a href="https://github.com/dotenvx/homebrew-brew/blob/main/Formula/dotenvx.rb">formula</a></sup>
+[![mac](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/darwin&label=mac)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
+[![linux](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/linux&label=linux)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
+[![windows](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/windows&label=windows)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
+<sup>*curl installs sourced from npm binary packages - <a href="https://www.npmjs.com/package/@dotenvx/dotenvx-linux-x86_64">example</a></sup>
 
 &nbsp;
 
 </details>
 
-<details><summary>with curl 🌐 </summary><br>
+<details><summary>with brew 🍺</summary><br>
 
 ```sh
-curl -sfS https://dotenvx.sh | sh
+brew install dotenvx/brew/dotenvx
 dotenvx help
 ```
 
-[![mac](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/darwin&label=mac)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
-[![linux](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/linux&label=linux)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
-[![windows](https://img.shields.io/endpoint?url=https://dotenvx.sh/stats/curl/windows&label=windows)](https://github.com/dotenvx/dotenvx.sh/blob/main/install.sh)
-<sup>*curl installs sourced from npm binary packages - <a href="https://www.npmjs.com/package/@dotenvx/dotenvx-linux-x86_64">example</a></sup>
+[![brew installs](https://img.shields.io/github/downloads/dotenvx/dotenvx/total?label=brew%20installs)](https://github.com/dotenvx/homebrew-brew/blob/main/Formula/dotenvx.rb)
+<sup>*homebrew installs sourced from github releases - <a href="https://github.com/dotenvx/homebrew-brew/blob/main/Formula/dotenvx.rb">formula</a></sup>
 
 &nbsp;
 
@@ -866,7 +866,7 @@ More examples
   </details>
 * <details><summary>`run --verbose`</summary><br>
 
-  Set log level to `verbose`. ([log levels](https://github.com/winstonjs/winston?tab=readme-ov-file#logging))
+  Set log level to `verbose`. ([log levels](https://docs.npmjs.com/cli/v8/using-npm/logging#setting-log-levels))
 
   ```sh
   $ echo "HELLO=production" > .env.production
@@ -882,7 +882,7 @@ More examples
   </details>
 * <details><summary>`run --debug`</summary><br>
 
-  Set log level to `debug`. ([log levels](https://github.com/winstonjs/winston?tab=readme-ov-file#logging))
+  Set log level to `debug`. ([log levels](https://docs.npmjs.com/cli/v8/using-npm/logging#setting-log-levels))
 
   ```sh
   $ echo "HELLO=production" > .env.production
@@ -904,7 +904,7 @@ More examples
   </details>
 * <details><summary>`run --quiet`</summary><br>
 
-  Use `--quiet` to suppress all output (except errors). ([log levels](https://github.com/winstonjs/winston?tab=readme-ov-file#logging))
+  Use `--quiet` to suppress all output (except errors). ([log levels](https://docs.npmjs.com/cli/v8/using-npm/logging#setting-log-levels))
 
   ```sh
   $ echo "HELLO=production" > .env.production
@@ -927,7 +927,7 @@ More examples
   Hello production
   ```
 
-  Available log levels are `error, warn, info, verbose, debug, silly` ([source](https://github.com/winstonjs/winston?tab=readme-ov-file#logging))
+  Available log levels are `error, warn, info, verbose, debug, silly` ([source](https://docs.npmjs.com/cli/v8/using-npm/logging#setting-log-levels))
 
   </details>
 * <details><summary>`run --convention=nextjs`</summary><br>

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.7.0",
+  "version": "1.9.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -36,18 +36,16 @@
   },
   "funding": "https://dotenvx.com",
   "dependencies": {
-    "chalk": "^4.1.2",
     "commander": "^11.1.0",
     "diff": "^5.2.0",
     "dotenv": "^16.4.5",
     "eciesjs": "^0.4.6",
-    "execa": "^5.1.1",
-    "fdir": "^6.1.1",
+    "fdir": "^6.2.0",
     "ignore": "^5.3.0",
     "object-treeify": "1.1.33",
-    "picomatch": "^3.0.1",
+    "picomatch": "^4.0.2",
+    "tinyexec": "^0.2.0",
     "which": "^4.0.0",
-    "winston": "^3.11.0",
     "xxhashjs": "^0.2.2"
   },
   "devDependencies": {

package/src/cli/actions/decrypt.js

@@ -13,7 +13,7 @@ function decrypt () {
   if (options.stdout) {
     const {
       processedEnvFiles
-    } = main.decrypt(options.envFile, options.key)
+    } = main.decrypt(options.envFile, options.key, options.excludeKey)
 
     for (const processedEnvFile of processedEnvFiles) {
       process.stdout.write(processedEnvFile.envSrc)
@@ -25,7 +25,7 @@ function decrypt () {
         processedEnvFiles,
         changedFilepaths,
         unchangedFilepaths
-      } = main.decrypt(options.envFile, options.key)
+      } = main.decrypt(options.envFile, options.key, options.excludeKey)
 
       for (const processedEnvFile of processedEnvFiles) {
         logger.verbose(`decrypting ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)

package/src/cli/actions/encrypt.js

@@ -15,7 +15,7 @@ function encrypt () {
   if (options.stdout) {
     const {
       processedEnvFiles
-    } = main.encrypt(options.envFile, options.key)
+    } = main.encrypt(options.envFile, options.key, options.excludeKey)
 
     for (const processedEnvFile of processedEnvFiles) {
       process.stdout.write(processedEnvFile.envSrc)
@@ -27,7 +27,7 @@ function encrypt () {
         processedEnvFiles,
         changedFilepaths,
         unchangedFilepaths
-      } = main.encrypt(options.envFile, options.key)
+      } = main.encrypt(options.envFile, options.key, options.excludeKey)
 
       for (const processedEnvFile of processedEnvFiles) {
         logger.verbose(`encrypting ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)

package/src/cli/actions/ext/genexample.js

@@ -20,9 +20,6 @@ function genexample (directory) {
 
     logger.verbose(`loading env from ${envFile}`)
 
-    // TODO: display pre-existing
-    // TODO: display added/appended/injected
-
     fs.writeFileSync(exampleFilepath, envExampleFile, ENCODING)
 
     if (addedKeys.length > 0) {

package/src/cli/actions/ext/vault/status.js

@@ -58,7 +58,7 @@ function status (directory) {
 
     if (untrackedFilenames.length > 0) {
       logger.warn(`untracked (${untrackedFilenames.join(', ')})`)
-      logger.help(`? track them with [dotenvx encrypt ${directory}]`)
+      logger.help(`? track them with [dotenvx ext vault encrypt ${directory}]`)
     }
   } catch (error) {
     logger.error(error.message)

package/src/cli/actions/run.js

@@ -60,6 +60,15 @@ async function run () {
           logger.warnv(processedEnv.error.message)
         }
       } else {
+        if (processedEnv.warnings) {
+          for (const warning of processedEnv.warnings) {
+            logger.warn(warning.message)
+            if (warning.help) {
+              logger.help(warning.help)
+            }
+          }
+        }
+
         // debug parsed
         const parsed = processedEnv.parsed
         logger.debug(parsed)

package/src/cli/commands/ext.js

@@ -9,8 +9,6 @@ ext
   .description('🔌 extensions')
   .allowUnknownOption()
 
-ext.addHelpText('after', '  hub                               🚫 DEPRECATED: to be replaced by [dotenvx pro]')
-
 ext
   .argument('[command]', 'dynamic ext command')
   .argument('[args...]', 'dynamic ext command arguments')

package/src/cli/dotenvx.js

@@ -100,6 +100,7 @@ program.command('encrypt')
   .description('convert .env file(s) to encrypted .env file(s)')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
+  .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
   .option('--stdout', 'send to stdout')
   .action(encryptAction)
 
@@ -109,6 +110,7 @@ program.command('decrypt')
   .description('convert encrypted .env file(s) to plain .env file(s)')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .option('-k, --key <keys...>', 'keys(s) to decrypt (default: all keys in file)')
+  .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from decryption (default: none)')
   .option('--stdout', 'send to stdout')
   .action(decryptAction)
 
@@ -132,40 +134,8 @@ program.command('help [command]')
 program.addCommand(require('./commands/ext'))
 
 //
-// DEPRECATED or MOVED
+// MOVED
 //
-const lsAction = require('./actions/ext/ls')
-program.command('ls')
-  .description('DEPRECATED: moved to [dotenvx ext ls]')
-  .argument('[directory]', 'directory to list .env files from', '.')
-  .option('-f, --env-file <filenames...>', 'path(s) to your env file(s)', '.env*')
-  .action(function (...args) {
-    logger.warn('DEPRECATION NOTICE: [ls] has moved to [dotenvx ext ls]')
-
-    lsAction.apply(this, args)
-  })
-
-const genexampleAction = require('./actions/ext/genexample')
-program.command('genexample')
-  .description('DEPRECATED: moved to [dotenvx ext genexample]')
-  .argument('[directory]', 'directory to generate from', '.')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', '.env')
-  .action(function (...args) {
-    logger.warn('DEPRECATION NOTICE: [genexample] has moved to [dotenvx ext genexample]')
-
-    genexampleAction.apply(this, args)
-  })
-
-const gitignoreAction = require('./actions/ext/gitignore')
-program.command('gitignore')
-  .description('DEPRECATED: moved to [dotenvx ext gitignore]')
-  .addHelpText('after', examples.gitignore)
-  .action(function (...args) {
-    logger.warn('DEPRECATION NOTICE: [gitignore] has moved to [dotenvx ext gitignore]')
-
-    gitignoreAction.apply(this, args)
-  })
-
 const prebuildAction = require('./actions/ext/prebuild')
 program.command('prebuild')
   .description('DEPRECATED: moved to [dotenvx ext prebuild]')
@@ -187,15 +157,6 @@ program.command('precommit')
     precommitAction.apply(this, args)
   })
 
-const scanAction = require('./actions/ext/scan')
-program.command('scan')
-  .description('DEPRECATED: moved to [dotenvx ext scan]')
-  .action(function (...args) {
-    logger.warn('DEPRECATION NOTICE: [scan] has moved to [dotenvx ext scan]')
-
-    scanAction.apply(this, args)
-  })
-
 // overide helpInformation to hide DEPRECATED commands
 program.helpInformation = function () {
   const originalHelp = Command.prototype.helpInformation.call(this)

package/src/lib/helpers/colorDepth.js

@@ -0,0 +1,4 @@
+const { WriteStream } = require('tty')
+const getColorDepth = () => WriteStream.prototype.getColorDepth()
+
+module.exports = { getColorDepth }

package/src/lib/helpers/decryptValue.js

@@ -10,6 +10,7 @@ function decryptValue (value, privateKey) {
   const privateKeys = privateKey.split(',')
 
   let decryptedValue
+  let decryptionError
   for (const key of privateKeys) {
     const secret = Buffer.from(key, 'hex')
     const encoded = value.substring(PREFIX.length)
@@ -17,15 +18,25 @@ function decryptValue (value, privateKey) {
 
     try {
       decryptedValue = decrypt(secret, ciphertext).toString()
+      decryptionError = null // reset to null error (scenario for multiple private keys)
       break
-    } catch (_error) {
-      // TODO: somehow surface these errors to the user's logs
+    } catch (e) {
+      if (e.message === 'Invalid private key') {
+        decryptionError = new Error('private key looks invalid')
+      } else if (e.message === 'Unsupported state or unable to authenticate data') {
+        decryptionError = new Error('private key looks wrong')
+      } else if (e.message === 'Point of length 65 was invalid. Expected 33 compressed bytes or 65 uncompressed bytes') {
+        decryptionError = new Error('encrypted data looks malformed')
+      } else {
+        decryptionError = new Error(`${e.message}`)
+      }
+
+      decryptionError.code = 'DECRYPTION_FAILED'
     }
   }
 
-  // return 'encrypted:string' value if undefined or null
-  if (decryptedValue === undefined || decryptedValue === null) {
-    return value
+  if (decryptionError) {
+    throw decryptionError
   }
 
   return decryptedValue

package/src/lib/helpers/dotenvExpand.js

@@ -42,30 +42,27 @@ function interpolate (value, lookups) {
 }
 
 function expand (options) {
-  let processEnv = process.env
-  if (options && options.processEnv != null) {
-    processEnv = options.processEnv
-  }
+  const processEnv = options.processEnv || {}
+  const parsed = options.parsed || {}
 
-  const combined = { ...processEnv, ...options.parsed }
-  const combinedReversed = { ...options.parsed, ...processEnv }
+  const combined = { ...processEnv, ...parsed }
+  const combinedReversed = { ...parsed, ...processEnv }
 
-  for (const key in options.parsed) {
-    const value = options.parsed[key]
+  for (const key in parsed) {
+    const value = parsed[key]
 
     // interpolate using both file and processEnv (file interpolation wins. used for --overload later)
     const fileValue = _resolveEscapeSequences(interpolate(value, combined))
-    options.parsed[key] = fileValue
+    parsed[key] = fileValue
 
     if (fileValue === _resolveEscapeSequences(value)) {
       continue // no change means no expansion, move on
     }
 
     if (processEnv[key]) {
-      continue // already has a value in process.env, move on
+      continue // already has a value in processEnv, move on
     }
 
-    // interpolate with processEnv only (used for default no overload)
     const processEnvValue = interpolate(value, combinedReversed) // could be empty string ''
     if (processEnvValue) {
       processEnv[key] = _resolveEscapeSequences(processEnvValue) // set it
@@ -73,7 +70,7 @@ function expand (options) {
   }
 
   return {
-    parsed: options.parsed,
+    parsed,
     processEnv
   }
 }

package/src/lib/helpers/execute.js

@@ -1,9 +1,3 @@
-const execa = require('execa')
+const { exec } = require('tinyexec')
 
-const execute = {
-  execa (command, args, options) {
-    return execa(command, args, options)
-  }
-}
-
-module.exports = execute
+module.exports = { exec }

package/src/lib/helpers/executeCommand.js

@@ -13,6 +13,8 @@ async function executeCommand (commandArgs, env) {
 
   // handler for SIGINT
   let commandProcess
+  // workaround until error.signal gets added https://github.com/tinylibs/tinyexec/issues/28
+  let signal
   const sigintHandler = () => {
     logger.debug('received SIGINT')
     logger.debug('checking command process')
@@ -20,6 +22,7 @@ async function executeCommand (commandArgs, env) {
 
     if (commandProcess) {
       logger.debug('sending SIGINT to command process')
+      signal = 'SIGINT'
       commandProcess.kill('SIGINT') // Send SIGINT to the command process
     /* c8 ignore start */
     } else {
@@ -37,6 +40,7 @@ async function executeCommand (commandArgs, env) {
 
     if (commandProcess) {
       logger.debug('sending SIGTERM to command process')
+      signal = 'SIGTERM'
       commandProcess.kill('SIGTERM') // Send SIGTEM to the command process
     } else {
       logger.debug('no command process to send SIGTERM to')
@@ -73,9 +77,11 @@ async function executeCommand (commandArgs, env) {
       }
     }
 
-    commandProcess = execute.execa(commandArgs[0], commandArgs.slice(1), {
-      stdio: 'inherit',
-      env: { ...process.env, ...env }
+    commandProcess = execute.exec(commandArgs[0], commandArgs.slice(1), {
+      nodeOptions: {
+        stdio: 'inherit',
+        env: { ...process.env, ...env }
+      }
     })
 
     process.on('SIGINT', sigintHandler)
@@ -86,7 +92,9 @@ async function executeCommand (commandArgs, env) {
     })
 
     // Wait for the command process to finish
-    const { exitCode } = await commandProcess
+    // exitCode is not in the awaited result, see https://github.com/tinylibs/tinyexec/issues/27
+    await commandProcess
+    const { exitCode } = commandProcess
 
     if (exitCode !== 0) {
       logger.debug(`received exitCode ${exitCode}`)
@@ -94,11 +102,11 @@ async function executeCommand (commandArgs, env) {
     }
   } catch (error) {
     // no color on these errors as they can be standard errors for things like jest exiting with exitCode 1 for a single failed test.
-    if (error.signal !== 'SIGINT' && error.signal !== 'SIGTERM') {
+    if (signal !== 'SIGINT' && signal !== 'SIGTERM') {
       if (error.code === 'ENOENT') {
-        logger.errornocolor(`Unknown command: ${error.command}`)
+        logger.errornocolor(`Unknown command: ${error.path}${error.spawnargs ? ' ' + error.spawnargs.join(' ') : ''}`)
       } else if (error.message.includes('Command failed with exit code 1')) {
-        logger.errornocolor(`Command exited with exit code 1: ${error.command}`)
+        logger.errornocolor(`Command exited with exit code 1: ${error.path}${error.spawnargs ? ' ' + error.spawnargs.join(' ') : ''}`)
       } else {
         logger.errornocolor(error.message)
       }

package/src/lib/helpers/executeExtension.js

@@ -22,9 +22,10 @@ function executeExtension (ext, command, rawArgs) {
 
   const result = childProcess.spawnSync(`dotenvx-ext-${command}`, forwardedArgs, { stdio: 'inherit', env })
   if (result.error) {
-    if (command === 'hub') {
-      logger.warn(`[INSTALLATION_NEEDED] install dotenvx-ext-${command} to use [dotenvx ext ${command}] commands`)
-      logger.help('? see installation instructions [https://github.com/dotenvx/dotenvx-ext-hub]')
+    if (command === 'vault') {
+      // when ready, uncomment to deprecate ext vault
+      // logger.warn(`[INSTALLATION_NEEDED] install dotenvx-ext-${command} to use [dotenvx ext ${command}] commands`)
+      // logger.help('? see installation instructions [https://github.com/dotenvx/dotenvx-ext-vault]')
     } else {
       logger.info(`error: unknown command '${command}'`)
     }

package/src/lib/helpers/inject.js

@@ -1,16 +1,16 @@
-function inject (processEnv = {}, parsed = {}, overload = false) {
+function inject (clonedProcessEnv = {}, parsed = {}, overload = false, processEnv = process.env) {
   const injected = {}
   const preExisted = {}
 
   // set processEnv
   for (const key of Object.keys(parsed)) {
-    if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+    if (Object.prototype.hasOwnProperty.call(clonedProcessEnv, key)) {
       if (overload === true) {
         processEnv[key] = parsed[key]
-
         injected[key] = parsed[key] // track injected key/value
       } else {
-        preExisted[key] = processEnv[key] // track preExisted key/value
+        processEnv[key] = clonedProcessEnv[key]
+        preExisted[key] = clonedProcessEnv[key] // track preExisted key/value
       }
     } else {
       processEnv[key] = parsed[key]

package/src/lib/helpers/packageJson.js

@@ -1,8 +1,3 @@
-const fs = require('fs')
-const path = require('path')
+const { name, version, description } = require('../../../package.json')
 
-const packageJsonPath = path.join(__dirname, '../../../package.json')
-
-const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))
-
-module.exports = packageJson
+module.exports = { name, version, description }

package/src/lib/helpers/parseDecryptEvalExpand.js

@@ -2,16 +2,29 @@ const dotenv = require('dotenv')
 const dotenvEval = require('./dotenvEval')
 const dotenvExpand = require('./dotenvExpand')
 const decryptValue = require('./decryptValue')
+const truncate = require('./truncate')
+
+function warning (e, key, privateKey) {
+  const warning = new Error(`[${e.code}] could not decrypt ${key} using private key ${truncate(privateKey)}`)
+  warning.code = e.code
+  warning.help = `[${e.code}] ? ${e.message}`
+
+  return warning
+}
 
 function parseDecryptEvalExpand (src, privateKey = null, processEnv = process.env) {
+  const warnings = []
+
   // parse
   const parsed = dotenv.parse(src)
-
-  // handle inline encrypted values
   if (privateKey && privateKey.length > 0) {
     for (const key in parsed) {
-      const value = parsed[key]
-      parsed[key] = decryptValue(value, privateKey)
+      try {
+        const decryptedValue = decryptValue(parsed[key], privateKey)
+        parsed[key] = decryptedValue
+      } catch (_e) {
+        // do nothing. warnings tracked further below.
+      }
     }
   }
 
@@ -28,6 +41,24 @@ function parseDecryptEvalExpand (src, privateKey = null, processEnv = process.en
     parsed: evaled
   }
   const expanded = dotenvExpand.expand(inputEvaled)
+  if (privateKey && privateKey.length > 0) {
+    for (const key in expanded.parsed) {
+      try {
+        const decryptedValue = decryptValue(expanded.parsed[key], privateKey)
+        expanded.parsed[key] = decryptedValue
+      } catch (e) {
+        warnings.push(warning(e, key, privateKey))
+      }
+    }
+    for (const key in processEnv) {
+      try {
+        const decryptedValue = decryptValue(processEnv[key], privateKey)
+        processEnv[key] = decryptedValue
+      } catch (e) {
+        warnings.push(warning(e, key, privateKey))
+      }
+    }
+  }
 
   // for logging only log the original keys existing in parsed. this feels unnecessarily complex - like dotenv-expand should support the ability to inject additional `process.env` or objects as it sees fit to the object it wants to expand
   const result = {}
@@ -35,7 +66,7 @@ function parseDecryptEvalExpand (src, privateKey = null, processEnv = process.en
     result[key] = expanded.parsed[key]
   }
 
-  return { parsed: result, processEnv }
+  return { parsed: result, processEnv, warnings }
 }
 
 module.exports = parseDecryptEvalExpand

package/src/lib/helpers/truncate.js

@@ -0,0 +1,6 @@
+function truncate (str, showChar = 7) {
+  const visiblePart = str.slice(0, showChar)
+  return visiblePart + '…'
+}
+
+module.exports = truncate

package/src/lib/main.js

@@ -189,13 +189,13 @@ const set = function (key, value, envFile, encrypt) {
 }
 
 /** @type {import('./main').encrypt} */
-const encrypt = function (envFile, key) {
-  return new Encrypt(envFile, key).run()
+const encrypt = function (envFile, key, excludeKey) {
+  return new Encrypt(envFile, key, excludeKey).run()
 }
 
 /** @type {import('./main').encrypt} */
-const decrypt = function (envFile, key) {
-  return new Decrypt(envFile, key).run()
+const decrypt = function (envFile, key, excludeKey) {
+  return new Decrypt(envFile, key, excludeKey).run()
 }
 
 /** @type {import('./main').status} */

package/src/lib/services/decrypt.js

@@ -14,10 +14,12 @@ class Decrypt {
   /**
    * @param {string|string[]} [envFile]
    * @param {string|string[]} [key]
+   * @param {string|string[]} [excludeKey]
    **/
-  constructor (envFile = '.env', key = []) {
+  constructor (envFile = '.env', key = [], excludeKey = []) {
     this.envFile = envFile
     this.key = key
+    this.excludeKey = excludeKey
     this.processedEnvFiles = []
     this.changedFilepaths = new Set()
     this.unchangedFilepaths = new Set()
@@ -26,6 +28,7 @@ class Decrypt {
   run () {
     const envFilepaths = this._envFilepaths()
     const keys = this._keys()
+    const excludeKeys = this._excludeKeys()
     for (const envFilepath of envFilepaths) {
       const filepath = path.resolve(envFilepath)
 
@@ -49,17 +52,25 @@ class Decrypt {
         // iterate over all non-encrypted values and encrypt them
         const parsed = dotenv.parse(src)
         for (const [key, value] of Object.entries(parsed)) {
-          if (keys.length < 1 || keys.includes(key)) { // optionally control which key to decrypt
-            const encrypted = isEncrypted(key, value)
-            if (encrypted) {
-              row.keys.push(key) // track key(s)
+          // key excluded - don't decrypt it
+          if (excludeKeys.includes(key)) {
+            continue
+          }
+
+          // key effectively excluded (by not being in the list of includes) - don't encrypt it
+          if (keys.length > 0 && !keys.includes(key)) {
+            continue
+          }
+
+          const encrypted = isEncrypted(key, value)
+          if (encrypted) {
+            row.keys.push(key) // track key(s)
 
-              const plainValue = decryptValue(value, privateKey)
-              // once newSrc is built write it out
-              src = replace(src, key, plainValue)
+            const decryptedValue = decryptValue(value, privateKey)
+            // once newSrc is built write it out
+            src = replace(src, key, decryptedValue)
 
-              row.changed = true // track change
-            }
+            row.changed = true // track change
           }
         }
 
@@ -106,6 +117,14 @@ class Decrypt {
 
     return this.key
   }
+
+  _excludeKeys () {
+    if (!Array.isArray(this.excludeKey)) {
+      return [this.excludeKey]
+    }
+
+    return this.excludeKey
+  }
 }
 
 module.exports = Decrypt

package/src/lib/services/encrypt.js

@@ -15,10 +15,12 @@ class Encrypt {
   /**
    * @param {string|string[]} [envFile]
    * @param {string|string[]} [key]
+   * @param {string|string[]} [excludeKey]
    **/
-  constructor (envFile = '.env', key = []) {
+  constructor (envFile = '.env', key = [], excludeKey = []) {
     this.envFile = envFile
     this.key = key
+    this.excludeKey = excludeKey
     this.processedEnvFiles = []
     this.changedFilepaths = new Set()
     this.unchangedFilepaths = new Set()
@@ -27,6 +29,7 @@ class Encrypt {
   run () {
     const envFilepaths = this._envFilepaths()
     const keys = this._keys()
+    const excludeKeys = this._excludeKeys()
     for (const envFilepath of envFilepaths) {
       const filepath = path.resolve(envFilepath)
 
@@ -63,19 +66,25 @@ class Encrypt {
         // iterate over all non-encrypted values and encrypt them
         const parsed = dotenv.parse(src)
         for (const [key, value] of Object.entries(parsed)) {
-          if (keys.length < 1 || keys.includes(key)) {
-            // optionally control which key to encrypt
-            const encrypted =
-              isEncrypted(key, value) || isPublicKey(key, value)
-            if (!encrypted) {
-              row.keys.push(key) // track key(s)
-
-              const encryptedValue = encryptValue(value, publicKey)
-              // once newSrc is built write it out
-              src = replace(src, key, encryptedValue)
-
-              row.changed = true // track change
-            }
+          // key excluded - don't encrypt it
+          if (excludeKeys.includes(key)) {
+            continue
+          }
+
+          // key effectively excluded (by not being in the list of includes) - don't encrypt it
+          if (keys.length > 0 && !keys.includes(key)) {
+            continue
+          }
+
+          const encrypted = isEncrypted(key, value) || isPublicKey(key, value)
+          if (!encrypted) {
+            row.keys.push(key) // track key(s)
+
+            const encryptedValue = encryptValue(value, publicKey)
+            // once newSrc is built write it out
+            src = replace(src, key, encryptedValue)
+
+            row.changed = true // track change
           }
         }
 
@@ -122,6 +131,14 @@ class Encrypt {
 
     return this.key
   }
+
+  _excludeKeys () {
+    if (!Array.isArray(this.excludeKey)) {
+      return [this.excludeKey]
+    }
+
+    return this.excludeKey
+  }
 }
 
 module.exports = Encrypt

package/src/lib/services/genexample.js

@@ -5,11 +5,15 @@ const dotenv = require('dotenv')
 const ENCODING = 'utf8'
 
 const findEnvFiles = require('../helpers/findEnvFiles')
+const replace = require('../helpers/replace')
 
 class Genexample {
   constructor (directory = '.', envFile) {
     this.directory = directory
     this.envFile = envFile || findEnvFiles(directory)
+
+    this.exampleFilename = '.env.example'
+    this.exampleFilepath = path.resolve(this.directory, this.exampleFilename)
   }
 
   run () {
@@ -27,6 +31,12 @@ class Genexample {
     const keys = new Set()
     const addedKeys = new Set()
     const envFilepaths = this._envFilepaths()
+    /** @type {Record<string, string>} */
+    const injected = {}
+    /** @type {Record<string, string>} */
+    const preExisted = {}
+
+    let exampleSrc = `# ${this.exampleFilename} - generated with dotenvx\n`
 
     for (const envFilepath of envFilepaths) {
       const filepath = path.resolve(this.directory, envFilepath)
@@ -41,43 +51,51 @@ class Genexample {
         throw error
       }
 
-      const parsed = dotenv.configDotenv({ path: filepath }).parsed
-      for (const key of Object.keys(parsed)) {
+      // get the original src
+      let src = fs.readFileSync(filepath, { encoding: ENCODING })
+      const parsed = dotenv.parse(src)
+      for (const key in parsed) {
+        // used later
         keys.add(key)
+
+        // once newSrc is built write it out
+        src = replace(src, key, '') // empty value
       }
-    }
 
-    let envExampleFile = ''
-    const exampleFilename = '.env.example'
-    const exampleFilepath = path.resolve(this.directory, exampleFilename)
-    if (!fs.existsSync(exampleFilepath)) {
-      envExampleFile += `# ${exampleFilename} - generated with dotenvx\n`
-    } else {
-      envExampleFile = fs.readFileSync(exampleFilepath, ENCODING)
+      exampleSrc += `\n${src}`
     }
 
-    const currentEnvExample = dotenv.configDotenv({ path: exampleFilepath }).parsed
-    /** @type {Record<string, string>} */
-    const injected = {}
-    /** @type {Record<string, string>} */
-    const preExisted = {}
-
-    for (const key of [...keys]) {
-      if (key in currentEnvExample) {
-        preExisted[key] = currentEnvExample[key]
-      } else {
-        envExampleFile += `${key}=""\n`
-
+    if (!fs.existsSync(this.exampleFilepath)) {
+      // it doesn't exist so just write this first generated one
+      // exampleSrc - already written to from the prior loop
+      for (const key of [...keys]) {
+        // every key is added since it's the first time generating .env.example
         addedKeys.add(key)
 
         injected[key] = ''
       }
+    } else {
+      // it already exists (which means the user might have it modified a way in which they prefer, so replace exampleSrc with their existing .env.example)
+      exampleSrc = fs.readFileSync(this.exampleFilepath, ENCODING)
+
+      const parsed = dotenv.parse(exampleSrc)
+      for (const key of [...keys]) {
+        if (key in parsed) {
+          preExisted[key] = parsed[key]
+        } else {
+          exampleSrc += `${key}=""\n`
+
+          addedKeys.add(key)
+
+          injected[key] = ''
+        }
+      }
     }
 
     return {
-      envExampleFile,
+      envExampleFile: exampleSrc,
       envFile: this.envFile,
-      exampleFilepath,
+      exampleFilepath: this.exampleFilepath,
       addedKeys: [...addedKeys],
       injected,
       preExisted

package/src/lib/services/ls.js

@@ -15,15 +15,17 @@ class Ls {
   }
 
   _filepaths () {
-    const ignoreMatchers = this.ignore.map(pattern => picomatch(pattern))
-    const pathMatchers = this._patterns().map(pattern => picomatch(pattern))
+    const exclude = picomatch(this.ignore)
+    const include = picomatch(this._patterns(), {
+      ignore: this.ignore
+    })
 
-    const api = new Fdir()
+    return new Fdir()
       .withRelativePaths()
-      .exclude((dir, path) => ignoreMatchers.some(matcher => matcher(path)))
-      .filter((path) => pathMatchers.some(matcher => matcher(path)))
-
-    return api.crawl(this.cwd).sync()
+      .exclude((dir, path) => exclude(path))
+      .filter((path) => include(path))
+      .crawl(this.cwd)
+      .sync()
   }
 
   _patterns () {

package/src/lib/services/run.js

@@ -63,12 +63,12 @@ class Run {
     row.string = env
 
     try {
-      const { parsed } = parseDecryptEvalExpand(env, null, this.processEnv)
-
+      const { parsed, processEnv, warnings } = parseDecryptEvalExpand(env, null, this.processEnv)
       row.parsed = parsed
+      row.warnings = warnings
       this.readableStrings.add(env)
 
-      const { injected, preExisted } = this._inject(this.processEnv, parsed, this.overload)
+      const { injected, preExisted } = this._inject(processEnv, parsed, this.overload, this.processEnv)
       row.injected = injected
       row.preExisted = preExisted
 
@@ -94,10 +94,11 @@ class Run {
 
       // if DOTENV_PRIVATE_KEY_* already set in process.env then use it
       const privateKey = smartDotenvPrivateKey(envFilepath)
-      const { parsed } = parseDecryptEvalExpand(src, privateKey, this.processEnv)
+      const { parsed, processEnv, warnings } = parseDecryptEvalExpand(src, privateKey, this.processEnv)
       row.parsed = parsed
+      row.warnings = warnings
 
-      const { injected, preExisted } = this._inject(this.processEnv, parsed, this.overload)
+      const { injected, preExisted } = this._inject(processEnv, parsed, this.overload, this.processEnv)
       row.injected = injected
       row.preExisted = preExisted
 
@@ -163,10 +164,11 @@ class Run {
 
     try {
       // parse this. it's the equivalent of the .env file
-      const { parsed } = parseDecryptEvalExpand(decrypted, null, this.processEnv)
+      const { parsed, processEnv, warnings } = parseDecryptEvalExpand(decrypted, null, this.processEnv)
       row.parsed = parsed
+      row.warnings = warnings
 
-      const { injected, preExisted } = this._inject(this.processEnv, parsed, this.overload)
+      const { injected, preExisted } = this._inject(processEnv, parsed, this.overload, this.processEnv)
       row.injected = injected
       row.preExisted = preExisted
 
@@ -180,8 +182,8 @@ class Run {
     this.processedEnvs.push(row)
   }
 
-  _inject (processEnv, parsed, overload) {
-    return inject(processEnv, parsed, overload)
+  _inject (clonedProcessEnv, parsed, overload, processEnv) {
+    return inject(clonedProcessEnv, parsed, overload, processEnv)
   }
 
   _determineEnvsFromDotenvPrivateKey () {

package/src/lib/services/status.js

@@ -1,13 +1,13 @@
 const fs = require('fs')
 const path = require('path')
 const diff = require('diff')
-const chalk = require('chalk')
 
 const Ls = require('./ls')
 const VaultDecrypt = require('./vaultDecrypt')
 
 const containsDirectory = require('./../helpers/containsDirectory')
 const guessEnvironment = require('./../helpers/guessEnvironment')
+const { getColor } = require('./../../shared/colors')
 
 const ENCODING = 'utf8'
 
@@ -94,12 +94,12 @@ class Status {
   _colorizeDiff (part) {
     // If the part was added, color it green
     if (part.added) {
-      return chalk.green(part.value)
+      return getColor('green')(part.value)
     }
 
     // If the part was removed, color it red
     if (part.removed) {
-      return chalk.red(part.value)
+      return getColor('red')(part.value)
     }
 
     // No color for unchanged parts

package/src/lib/services/vaultDecrypt.js

@@ -23,7 +23,7 @@ class VaultDecrypt {
     if (!fs.existsSync(this.envVaultFilepath)) {
       const code = 'MISSING_ENV_VAULT_FILE'
       const message = `missing .env.vault (${this.envVaultFilepath})`
-      const help = `? generate one with [dotenvx encrypt ${this.directory}]`
+      const help = `? generate one with [dotenvx ext vault encrypt ${this.directory}]`
 
       const error = new Error(message)
       error.code = code

package/src/shared/colors.js

@@ -0,0 +1,50 @@
+const depth = require('../lib/helpers/colorDepth')
+
+const colors16 = new Map([
+  ['blue', 34],
+  ['gray', 37],
+  ['green', 32],
+  ['olive', 33],
+  ['orangered', 31], // mapped to red
+  ['plum', 35], // mapped to magenta
+  ['red', 31]
+])
+
+const colors256 = new Map([
+  ['blue', 21],
+  ['gray', 244],
+  ['green', 34],
+  ['olive', 142],
+  ['orangered', 202],
+  ['plum', 182],
+  ['red', 196]
+])
+
+function getColor (color) {
+  const colorDepth = depth.getColorDepth()
+  if (!colors256.has(color)) {
+    throw new Error(`Invalid color ${color}`)
+  }
+  if (colorDepth >= 8) {
+    const code = colors256.get(color)
+    return (message) => `\x1b[38;5;${code}m${message}\x1b[39m`
+  }
+  if (colorDepth >= 4) {
+    const code = colors16.get(color)
+    return (message) => `\x1b[${code}m${message}\x1b[39m`
+  }
+  return (message) => message
+}
+
+function bold (message) {
+  if (depth.getColorDepth() >= 4) {
+    return `\x1b[1m${message}\x1b[22m`
+  }
+
+  return message
+}
+
+module.exports = {
+  getColor,
+  bold
+}

package/src/shared/logger.js

@@ -1,12 +1,5 @@
-const winston = require('winston')
-const chalk = require('chalk')
-
-const printf = winston.format.printf
-const combine = winston.format.combine
-const createLogger = winston.createLogger
-const transports = winston.transports
-
-const packageJson = require('./../lib/helpers/packageJson')
+const packageJson = require('../lib/helpers/packageJson')
+const { getColor, bold } = require('./colors')
 
 const levels = {
   error: 0,
@@ -26,26 +19,38 @@ const levels = {
   help: 2,
   help2: 2,
   blank: 2,
-  http: 3,
   verbose: 4,
   debug: 5,
   silly: 6
 }
 
-const error = chalk.bold.red
-const warn = chalk.keyword('orangered')
-const success = chalk.keyword('green')
-const successv = chalk.keyword('olive') // yellow-ish tint that 'looks' like dotenv
-const help = chalk.keyword('blue')
-const help2 = chalk.keyword('gray')
-const http = chalk.keyword('green')
-const verbose = chalk.keyword('plum')
-const debug = chalk.keyword('plum')
+const error = (m) => bold(getColor('red')(m))
+const warn = getColor('orangered')
+const success = getColor('green')
+const successv = getColor('olive') // yellow-ish tint that 'looks' like dotenv
+const help = getColor('blue')
+const help2 = getColor('gray')
+const verbose = getColor('plum')
+const debug = getColor('plum')
+
+let currentLevel = levels.info // default log level
+
+function log (level, message) {
+  if (levels[level] === undefined) {
+    throw new Error(`MISSING_LOG_LEVEL: '${level}'. implement in logger.`)
+  }
+
+  if (levels[level] <= currentLevel) {
+    const formattedMessage = formatMessage(level, message)
+    console.log(formattedMessage)
+  }
+}
 
-const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
+function formatMessage (level, message) {
   const formattedMessage = typeof message === 'object' ? JSON.stringify(message) : message
 
   switch (level.toLowerCase()) {
+    // errors
     case 'error':
       return error(formattedMessage)
     case 'errorv':
@@ -56,6 +61,7 @@ const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
       return error(`[dotenvx@${packageJson.version}][prebuild] ${formattedMessage}`)
     case 'errornocolor':
       return formattedMessage
+    // warns
     case 'warn':
       return warn(formattedMessage)
     case 'warnv':
@@ -64,6 +70,7 @@ const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
       return warn(`[dotenvx@${packageJson.version}][precommit] ${formattedMessage}`)
     case 'warnvpb':
       return warn(`[dotenvx@${packageJson.version}][prebuild] ${formattedMessage}`)
+    // successes
     case 'success':
       return success(formattedMessage)
     case 'successv': // success with 'version'
@@ -72,35 +79,66 @@ const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
       return success(`[dotenvx@${packageJson.version}][precommit] ${formattedMessage}`)
     case 'successvpb': // success with 'version' and precommit
       return success(`[dotenvx@${packageJson.version}][prebuild] ${formattedMessage}`)
+    // info
     case 'info':
       return formattedMessage
+    // help
     case 'help':
       return help(formattedMessage)
     case 'help2':
       return help2(formattedMessage)
-    case 'http':
-      return http(formattedMessage)
+    // verbose
     case 'verbose':
       return verbose(formattedMessage)
+    // debug
     case 'debug':
       return debug(formattedMessage)
+    // blank
     case 'blank': // custom
       return formattedMessage
   }
-})
+}
 
-const logger = createLogger({
+const logger = {
+  // track level
   level: 'info',
-  levels,
-  format: combine(
-    dotenvxFormat
-  ),
-  transports: [
-    new transports.Console()
-  ]
-})
 
-const setLogLevel = options => {
+  // errors
+  error: (msg) => log('error', msg),
+  errorv: (msg) => log('errorv', msg),
+  errorvp: (msg) => log('errorvp', msg),
+  errorvpb: (msg) => log('errorvpb', msg),
+  errornocolor: (msg) => log('errornocolor', msg),
+  // warns
+  warn: (msg) => log('warn', msg),
+  warnv: (msg) => log('warnv', msg),
+  warnvp: (msg) => log('warnvp', msg),
+  warnvpb: (msg) => log('warnvpb', msg),
+  // success
+  success: (msg) => log('success', msg),
+  successv: (msg) => log('successv', msg),
+  successvp: (msg) => log('successvp', msg),
+  successvpb: (msg) => log('successvpb', msg),
+  // info
+  info: (msg) => log('info', msg),
+  // help
+  help: (msg) => log('help', msg),
+  help2: (msg) => log('help2', msg),
+  // verbose
+  verbose: (msg) => log('verbose', msg),
+  // debug
+  debug: (msg) => log('debug', msg),
+  // blank
+  blank: (msg) => log('blank', msg),
+  setLevel: (level) => {
+    if (levels[level] !== undefined) {
+      currentLevel = levels[level]
+      logger.level = level
+    }
+  }
+}
+
+function setLogLevel (options) {
   const logLevel = options.debug
     ? 'debug'
     : options.verbose
@@ -110,7 +148,7 @@ const setLogLevel = options => {
         : options.logLevel
 
   if (!logLevel) return
-  logger.level = logLevel
+  logger.setLevel(logLevel)
   // Only log which level it's setting if it's not set to quiet mode
   if (!options.quiet || (options.quiet && logLevel !== 'error')) {
     logger.debug(`Setting log level to ${logLevel}`)
@@ -119,5 +157,7 @@ const setLogLevel = options => {
 
 module.exports = {
   logger,
-  setLogLevel
+  getColor,
+  setLogLevel,
+  levels
 }