> Is this... normal? I don't understand why they might want to serialize/access all of my env vars. Does anyone have a suggestion for that behaviour?

All processes get a copy of all environment variables [edit for clarity: all environment variables, from the global environment].

Unless one goes out of one's way to prevent this from happening.

> the process args included "JSON.stringify(process.env)" part

And this app chooses to receive the env vars in a JSON format. NBD really, in light of the above points.

Environment variables are not secret at all. Quite the opposite: because all processes get a copy of them. They're just variables that are associated with / stored in the environment, instead of e.g. in code itself. They absolutely should not be considered to be secure in any way.

Managing secrets is always tricky. Even a naive attempt at trying to avoid using env vars generally leaks stuff in some way - shell command history will record secrets passed in at launch time, plus any running process (with sufficient permissions) can get a list of running processes, and can see the command line used to invoke a process.

And once one gets past the naive solutions, it usually adds some friction somewhere along the line. There's no easy, transparent way to do things, as far as I am aware. They all have some cost.

There are quite a few articles on the web about this topic as a whole. I don't think anything particularly new will come from HN users here, it'll mostly be repeating the same already known/discussed stuff. As I myself am doing here, really.

You might find it helpful to consider something like HashiCorp's Vault, or similar, for proper management of secrets.
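
Added example, not part of the comment above and not code from the application discussed in the thread: a Node.js demonstration that a child process receives the parent's whole environment by default, and that passing an explicit allowlisted `env` is what "going out of one's way" looks like. `DEMO_API_TOKEN`, the allowlist contents and the helper names are assumptions made for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Constructed sample secret, placed in this process's environment for the demo.
const SECRET_NAME = 'DEMO_API_TOKEN';
process.env[SECRET_NAME] = 'constructed-sample-value';

// Names a child is allowed to see (assumed allowlist; adjust per application).
const ALLOWED = ['PATH', 'HOME', 'LANG', 'TZ'];

// Build a minimal environment containing only allowlisted names.
function allowlistedEnv(source, allowed) {
  const env = {};
  for (const name of allowed) {
    if (source[name] !== undefined) env[name] = source[name];
  }
  return env;
}

// Names present in `source` that an allowlisted child would NOT receive.
function withheldNames(source, allowed) {
  return Object.keys(source).filter((name) => !allowed.includes(name));
}

// Spawn a child Node process and return the names of the variables it received.
// When `env` is omitted, spawnSync hands the child a copy of process.env.
function childEnvNames(env) {
  const opts = { encoding: 'utf8' };
  if (env !== undefined) opts.env = env;
  const script = 'process.stdout.write(JSON.stringify(Object.keys(process.env)))';
  const res = spawnSync(process.execPath, ['-e', script], opts);
  if (res.status !== 0) throw new Error(`child failed: ${res.stderr}`);
  return JSON.parse(res.stdout);
}

const inheritedNames = childEnvNames();
const scrubbedNames = childEnvNames(allowlistedEnv(process.env, ALLOWED));
console.log('default spawn sees secret:    ', inheritedNames.includes(SECRET_NAME));
console.log('allowlisted spawn sees secret:', scrubbedNames.includes(SECRET_NAME));
console.log('variables withheld from child:', withheldNames(process.env, ALLOWED).length);
```

The secret's value is never placed on the child's command line, since, as the comment notes, arguments are visible to other processes that can list running processes.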