Keep secrets and settings out of your code. Read configuration from process.env and load it from a .env file with dotenv.
Why: environment variables are settings passed in from outside your code — perfect for secrets (API keys, passwords) that should NOT be hardcoded. process.env holds them. The dotenv package loads them from a local .env file during development.
$ pnpm add dotenv

// .env (keep this file out of version control)
API_KEY=secret123
PORT=3000

// app.js
import 'dotenv/config' // loads .env into process.env
console.log(process.env.API_KEY) // secret123
console.log(process.env.PORT) // 3000 (env values are always strings)
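
Building on the snippet above, here is an added example (not part of the original page) that validates the configuration once at startup, so a missing secret fails fast and never reaches a log line. The names loadConfig and forLogging and the default port of 3000 are assumptions for illustration; in a real app you would pass process.env after `import 'dotenv/config'`.

```javascript
// Added example: validate settings once at startup instead of reading
// process.env ad hoc. loadConfig and forLogging are hypothetical helpers.

function loadConfig(env) {
  const errors = [];

  // Secrets: required, with no fallback. A default API key would hide a
  // missing .env entry until the first failed request.
  const apiKey = (env.API_KEY ?? '').trim();
  if (apiKey === '') errors.push('API_KEY is required');

  // Every process.env value is a string, so PORT must be parsed and checked.
  const rawPort = env.PORT ?? '3000'; // non-secret setting: a default is fine
  const port = Number(rawPort);
  if (!/^\d+$/.test(rawPort) || port < 1 || port > 65535) {
    errors.push('PORT must be an integer between 1 and 65535');
  }

  // Report variable names only, never their values, so the error is safe to log.
  if (errors.length > 0) {
    throw new Error('Invalid configuration: ' + errors.join('; '));
  }
  return Object.freeze({ apiKey, port });
}

// Return a copy that can be printed or sent to a log sink without the secret.
function forLogging(config) {
  return { ...config, apiKey: '[redacted]' };
}

// Constructed sample input mirroring the .env file above.
const sampleEnv = { API_KEY: 'secret123', PORT: '3000' };
const config = loadConfig(sampleEnv);
console.log(forLogging(config)); // { apiKey: '[redacted]', port: 3000 }
```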