SvelteKit warnings

dotenv-diff includes a set of SvelteKit-specific rules designed to detect invalid or unsafe environment variable usage. SvelteKit has strict conventions around which variables are public, which are private, and how they must be accessed. This page explains all warnings that dotenv-diff can produce when scanning your codebase.

1. import.meta.env must use VITE_ prefix

SvelteKit only exposes variables prefixed with VITE_ to the client through import.meta.env. Using any other prefix will produce a warning.

+page.ts
import.meta.env.PUBLIC_URL

This triggers:
Variables accessed through import.meta.env must start with "VITE_"

Correct usage:

+page.ts
import.meta.env.VITE_PUBLIC_URL

2. process.env must only be used in server files

process.env is server-only in SvelteKit. Using it in client files will trigger a warning, regardless of variable prefix.

index.ts
process.env.VITE_SECRET

dotenv-diff warns:
process.env should only be used in server files

3. $env/dynamic/private cannot be used in client-side code

SvelteKit provides access to private environment variables through $env/dynamic/private. These variables must not be used in client-side code.

+page.svelte
import { env } from '$env/dynamic/private';

dotenv-diff warns:
$env/dynamic/private cannot be used in client-side code

4. $env/dynamic/public variables must start with "PUBLIC_"

Environment variables intended for the client must be accessed through $env/dynamic/public and must start with PUBLIC_.

+page.svelte
import { env } from '$env/dynamic/public';

dotenv-diff warns:
$env/dynamic/public variables must start with "PUBLIC_"

5. Private variables cannot start with PUBLIC_

When importing private variables using $env/static/private, the variable must not be client-exposed. dotenv-diff warns if a variable begins with PUBLIC_.

app.ts
import { PUBLIC_KEY } from '$env/static/private';

Warning:
$env/static/private variables must not start with "PUBLIC_"

6. Private variables cannot be used inside client files

Client files run in the browser, so $env/static/private imports are not allowed in them.

App.svelte
import { SECRET_KEY } from '$env/static/private';

Warning:
$env/static/private variables cannot be used in client-side code

7. PUBLIC_ variables cannot be accessed through private imports

Environment variables intended for the client start with PUBLIC_. These cannot be accessed through $env/dynamic/private or $env/static/private.

hooks.server.ts
import { env } from '$env/dynamic/private';

dotenv-diff warns:
Private environment variables must not start with "PUBLIC_"

8. Sensitive data must not be marked as PUBLIC_ or VITE_

dotenv-diff warns if a PUBLIC_ or VITE_ variable appears to contain sensitive data based on common keywords such as SECRET, PRIVATE or PASSWORD. Keyword matching is a heuristic and can produce false positives, so review these warnings carefully.

+page.svelte
import { env } from '$env/dynamic/public';
console.log(env.PUBLIC_SECRET_PASSWORD);

Warning:
Potential sensitive environment variable exposed to the browser

Summary of All Rules

  • import.meta.env → must use VITE_*
  • process.env → allowed only in server files
  • $env/dynamic/private → server-only, never PUBLIC_*
  • $env/dynamic/public → must use PUBLIC_*
  • $env/static/private → server-only, never PUBLIC_*
  • $env/static/public → must use PUBLIC_*
  • Private env vars → not allowed in client-side code
  • Sensitive data → never use PUBLIC_* or VITE_*
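
The checks summarized above can be approximated with a few regular expressions. The following is an added example, not dotenv-diff's own code: the function names, the server-file heuristic and the exemption for Vite's built-in import.meta.env keys are assumptions, and it covers rules 1, 2, 3, 5, 6 and 8 only.

```javascript
// Added illustration; not dotenv-diff's source. Warning strings are quoted from this page.
const SENSITIVE = /SECRET|PRIVATE|PASSWORD/; // keywords named in rule 8
const VITE_BUILTINS = new Set(['MODE', 'BASE_URL', 'PROD', 'DEV', 'SSR']);

// Assumption: server files are *.server.*, +server.* endpoints, or anything under a server/ directory.
function isServerFile(path) {
  return /\.server\.|(^|\/)\+server\.|(^|\/)server\//.test(path);
}

function checkEnvUsage(path, source) {
  const warnings = new Set();
  const client = !isServerFile(path);

  // Rule 1: import.meta.env.X must be VITE_X (Vite's own keys are exempted here)
  for (const [, name] of source.matchAll(/import\.meta\.env\.([A-Z_][A-Z0-9_]*)/g)) {
    if (!VITE_BUILTINS.has(name) && !name.startsWith('VITE_')) {
      warnings.add('Variables accessed through import.meta.env must start with "VITE_"');
    }
  }
  // Rule 2: process.env only in server files, whatever the prefix
  if (client && /\bprocess\.env\b/.test(source)) {
    warnings.add('process.env should only be used in server files');
  }
  // Rules 3, 5 and 6: imports from the private modules
  for (const [, names, kind] of source.matchAll(
    /import\s*\{([^}]*)\}\s*from\s*['"]\$env\/(dynamic|static)\/private['"]/g)) {
    if (client) {
      warnings.add(kind === 'dynamic'
        ? '$env/dynamic/private cannot be used in client-side code'
        : '$env/static/private variables cannot be used in client-side code');
    }
    if (kind === 'static' && names.split(',').some((n) => n.trim().startsWith('PUBLIC_'))) {
      warnings.add('$env/static/private variables must not start with "PUBLIC_"');
    }
  }
  // Rule 8: browser-exposed names that contain a sensitive keyword
  for (const [name] of source.matchAll(/\b(?:PUBLIC|VITE)_[A-Z0-9_]+/g)) {
    if (SENSITIVE.test(name)) {
      warnings.add('Potential sensitive environment variable exposed to the browser');
    }
  }
  return [...warnings];
}
```

Because this matches text rather than parsing the source, references inside comments or string literals are reported as well.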

Best Practices

  • Use PUBLIC_* only for values intended for the browser.
  • Use VITE_* only when accessed via import.meta.env.
  • Use private variables only in server-side code.
  • Never expose sensitive data through PUBLIC_ or VITE_.