Next.js stability
no-leaked-env-on-client
Flag non-public `process.env.X` reads from `"use client"` or `*.client.{ts,tsx}` files.
Next.js inlines `process.env.X` into the client bundle only when `X` matches a public prefix (`NEXT_PUBLIC_*`, etc.). Referencing a server-only env var from a client component either leaks the secret or silently resolves to `undefined` at runtime.
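The check described above can be approximated with a small scanner. This is an added example, not the deslint plugin's own code: it uses regular expressions rather than an AST, assumes `NEXT_PUBLIC_` is the only public prefix, and its function names and sample files are hypothetical.

```javascript
// Added example: a simplified, regex-based approximation of the check this rule
// describes. It is not the deslint implementation, which is not shown on the page.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_']; // assumption: only this prefix is public

// A file is client-side if named *.client.ts / *.client.tsx or if its first
// statement is the "use client" directive (leading comments are skipped).
function isClientFile(filename, source) {
  if (/\.client\.tsx?$/.test(filename)) return true;
  const body = source.replace(/^(\s|\/\/[^\n]*\n|\/\*[\s\S]*?\*\/)*/, '');
  return /^(['"])use client\1/.test(body);
}

// Return { name, line } for each non-public process.env read in a client file.
function findLeakedEnvReads(filename, source) {
  if (!isClientFile(filename, source)) return [];
  const findings = [];
  // Matches process.env.NAME and process.env['NAME'] / process.env["NAME"].
  const re = /process\.env(?:\.([A-Za-z_$][\w$]*)|\[\s*(['"])([^'"]+)\2\s*\])/g;
  for (const m of source.matchAll(re)) {
    const name = m[1] || m[3];
    if (PUBLIC_PREFIXES.some((p) => name.startsWith(p))) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ name, line });
  }
  return findings;
}

// Constructed sample inputs.
const samples = {
  'app/chat.tsx': "'use client';\nconst k = process.env.OPENAI_API_KEY;\n",
  'app/base.tsx': "'use client';\nconst k = process.env.NEXT_PUBLIC_API_BASE;\n",
  'lib/db.client.ts': "const url = process.env['DATABASE_URL'];\n",
  'app/api/route.ts': "const k = process.env.OPENAI_API_KEY;\n",
};

for (const [file, src] of Object.entries(samples)) {
  for (const f of findLeakedEnvReads(file, src)) {
    console.log(`${file}:${f.line} non-public env read: ${f.name}`);
  }
}
```

Server-side files such as `app/api/route.ts` produce no findings, because reading a secret there does not place it in the client bundle.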
Behavior
- Fixable: No.
- Suggestions: No.
Examples
Bad:
```js
'use client';
const k = process.env.OPENAI_API_KEY;
```
Good:
```js
'use client';
const k = process.env.NEXT_PUBLIC_API_BASE;
```
Related rules
- no-server-only-in-client: Forbid Node-core / DB-driver imports from `"use client"` and `*.client.{ts,tsx}` files.
- no-hardcoded-secrets: Flag hardcoded API keys, tokens, and private keys (AWS, GitHub, Stripe, Google, Slack, OpenAI, Anthropic, JWT, PEM).
- no-hydration-mismatch: Flag non-deterministic values (`Math.random`, `Date.now`, `new Date()`) inline in JSX.
Use it
Enable no-leaked-env-on-client in your eslint.config.js:
```js
import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-leaked-env-on-client': 'error',
    },
  },
];
```
Found a false positive? Report it on GitHub.