SvelteKit warnings

dotenv-diff includes a set of SvelteKit-specific rules designed to detect invalid or unsafe environment variable usage. SvelteKit has strict conventions around which variables are public, which are private, and how they must be accessed. This page explains all warnings that dotenv-diff can produce when scanning your codebase.

1. import.meta.env must use VITE_ prefix

SvelteKit only exposes variables prefixed with VITE_ to the client through import.meta.env. Accessing a variable with any other prefix through import.meta.env produces a warning.

+page.ts
import.meta.env.PUBLIC_URL

This triggers:
Variables accessed through import.meta.env must start with "VITE_"

Correct usage:

+page.ts
import.meta.env.VITE_PUBLIC_URL

2. VITE_ variables may not be accessed via process.env

process.env is server-only. Since VITE_ variables are intended for the client, reading one through process.env mixes the two systems, which SvelteKit does not allow.

index.ts
process.env.VITE_SECRET

dotenv-diff warns:
Variables accessed through process.env cannot start with "VITE_"

3. Private variables cannot start with VITE_

Variables imported from $env/static/private must not be client-exposed. dotenv-diff warns if an imported variable begins with VITE_.

app.ts
import { VITE_KEY } from '$env/static/private/VITE_KEY';

Warning:
$env/static/private variables must not start with "VITE_"

4. PUBLIC_ variables may never be used in private imports

All variables prefixed with PUBLIC_ are safe for the browser. They must therefore not be imported from $env/static/private, because a PUBLIC_ name there implies that private content is being exposed.

test.ts
import { PUBLIC_TOKEN } from '$env/static/private/PUBLIC_TOKEN';

Warning:
Variables starting with PUBLIC_ may never be used in private env imports

5. Private variables cannot be used inside .svelte files

Svelte components run partly in the browser. Even if the script is module-scoped, $env/static/private imports are not allowed.

App.svelte
import { SECRET_KEY } from '$env/static/private/SECRET_KEY';

Warning:
Private environment variables cannot be used in Svelte components

6. Private variables must only be used in server files

Pages that run on the client (+page.ts) cannot import server-only variables.

+page.ts
import { SECRET_KEY } from '$env/static/private/SECRET_KEY';

Warning:
Private env vars should only be used in server files

Summary of All Rules

  • import.meta.env → must use VITE_*
  • process.env → cannot use VITE_*
  • $env/static/private → cannot import VITE_*
  • $env/static/private → cannot import PUBLIC_*
  • $env/static/private → allowed only in server files
  • Private env vars → not allowed inside .svelte files
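
The six rules above as a small scanner, added here as an illustration; it is not dotenv-diff's own code. The function name, the regexes and the rule for what counts as a client-running file are assumptions, and the import regex accepts both '$env/static/private' and the longer path form used in the snippets on this page.

```javascript
// Added illustration, not dotenv-diff's code: names, regexes and the file heuristic are assumptions.
const MSG = {
  metaPrefix: 'Variables accessed through import.meta.env must start with "VITE_"',
  processVite: 'Variables accessed through process.env cannot start with "VITE_"',
  privateVite: '$env/static/private variables must not start with "VITE_"',
  privatePublic: 'Variables starting with PUBLIC_ may never be used in private env imports',
  privateSvelte: 'Private environment variables cannot be used in Svelte components',
  privateClient: 'Private env vars should only be used in server files',
};
// Assumption: +page.* / +layout.* without ".server" are treated as client-running files.
const isClientRoute = (file) => /(^|\/)\+(page|layout)\.(ts|js)$/.test(file);

function checkSvelteKitEnv(file, source) {
  const warnings = [];
  const warn = (variable, message) => warnings.push({ file, variable, message });

  for (const [, name] of source.matchAll(/import\.meta\.env\.([A-Za-z_]\w*)/g)) {
    if (!name.startsWith('VITE_')) warn(name, MSG.metaPrefix);
  }
  for (const [, name] of source.matchAll(/process\.env\.([A-Za-z_]\w*)/g)) {
    if (name.startsWith('VITE_')) warn(name, MSG.processVite);
  }
  // Named imports from the private module; one warning per imported name.
  const privateImport = /import\s*\{([^}]*)\}\s*from\s*['"]\$env\/static\/private[^'"]*['"]/g;
  for (const [, list] of source.matchAll(privateImport)) {
    for (const raw of list.split(',')) {
      const name = raw.trim().split(/\s+as\s+/)[0];
      if (!name) continue;
      if (name.startsWith('VITE_')) warn(name, MSG.privateVite);
      else if (name.startsWith('PUBLIC_')) warn(name, MSG.privatePublic);
      else if (file.endsWith('.svelte')) warn(name, MSG.privateSvelte);
      else if (isClientRoute(file)) warn(name, MSG.privateClient);
    }
  }
  return warnings;
}

// Constructed sample input, mirroring the snippets on this page.
const samples = {
  'src/routes/+page.ts': "const u = import.meta.env.PUBLIC_URL;\nimport { SECRET_KEY } from '$env/static/private';",
  'src/index.ts': 'const s = process.env.VITE_SECRET;',
  'src/App.svelte': "<script>import { SECRET_KEY } from '$env/static/private/SECRET_KEY';</script>",
  'src/routes/+page.server.ts': "import { SECRET_KEY } from '$env/static/private';",
};
for (const [file, src] of Object.entries(samples)) {
  for (const w of checkSvelteKitEnv(file, src)) console.log(`${w.file}: ${w.variable}: ${w.message}`);
}
```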

Best Practices

  • Use PUBLIC_* only for values intended for the browser.
  • Use VITE_* only when accessed via import.meta.env.
  • Restrict sensitive variables to server files.
  • Avoid mixing access methods across systems.