A year ago I'd have told you a .env file was fine. Then we patched a CVSS 10.0 RCE in Next.js (CVE-2025-66478) and spent the next two days rotating every secret we owned, because we couldn't prove which ones an attacker could have read. They were all sitting in process.env. One env dump away from gone. That incident is why I built @faizahmed/secret-keystore.

The actual problem isn't committing .env

Everyone knows not to commit secrets. The part that hurts you is what happens the moment your