Some links
- https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
- https://movingfast.io/articles/environment-variables-considered-harmful/
- HN: first comment offers a rebuttal, but the first child comment of that explains what's wrong with that rebuttal: https://news.ycombinator.com/item?id=8826024
- Example where the leak wasn't a security issue in the specific case, but could very easily have been (leaked encryption key): https://exceptionshub.com/php-laravel-environment-variables-leaking-between-applications-when-they-call-each-other-through-guzzlehttp.html
A simple alternative is to put your sensitive (or all) config in a .json file that is gitignored. This also has the advantage of being easily generated using tools which can retrieve the sensitive data from a secure store (e.g., via ssh using user ssh key). With Node.js, .json files can be directly require()d, which is an additional convenience.