{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreib24qlzihpvaxg3p5yzjykfvq3gwbbsjj4zifz7dzzvjgyvkfk6ze",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mow2twvvcld2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreig75mujnfaos5yignziystosp3alvkpcpn5jv5db5igwk2mau4g2m"
},
"mimeType": "image/webp",
"size": 165224
},
"path": "/ctrotech/ctroenv-vs-zod-envalid-t3-env-which-env-validator-should-you-use-4aln",
"publishedAt": "2026-06-22T23:25:31.000Z",
"site": "https://dev.to",
"tags": [
"typescript",
"node",
"javascript",
"webdev",
"CtroEnv on GitHub",
"CtroEnv on npm",
"Documentation",
"@t3-oss",
"@ctroenv"
],
"textContent": "I've built enough projects to know that environment variable validation isn't glamorous — until your app silently uses `undefined` as a database URL. There are a bunch of tools for this now, and picking the wrong one means either fighting your tool or fighting your own config. Here's how they stack up.\n\n## The candidates\n\nTool | Size | Dependencies | CLI | Framework support\n---|---|---|---|---\n**CtroEnv** | under 5 KB gzip | 0 | Yes | Node, Vite, Next.js\n**Zod + manual** | 50 KB+ | 0 (Zod itself is ~13 KB gzip, plus your glue) | No | You build it\n**envalid** | 8 KB gzip | 6 (legacy deps) | No | Node only\n**t3-env** | ~15 KB | Depends on Zod | No | Next.js only\n\nLet's look at each one.\n\n## Zod + manual parsing\n\nZod is great for runtime validation in general, and lots of people use it for env vars because they already have it in their project.\n\n\n\n import { z } from \"zod\";\n\n const schema = z.object({\n DATABASE_URL: z.string().url(),\n PORT: z.coerce.number().int().min(0).max(65535).default(\"3000\"),\n NODE_ENV: z.enum([\"dev\", \"prod\"]),\n });\n\n const parsed = schema.safeParse(process.env);\n if (!parsed.success) {\n console.error(parsed.error.format());\n process.exit(1);\n }\n\n const env = parsed.data;\n\n\n**What it does well:** If you're already using Zod, this is zero extra dependencies. Zod's type inference is excellent. The error formatting is detailed.\n\n**What it doesn't do:** No CLI, no `.env.example` generation, no secret masking, no framework adapters. You write your own `process.exit(1)` boilerplate every time. Coercion for numbers/booleans is manual — `z.coerce.number()` doesn't reject non-numeric strings gracefully. No way to generate docs from your schema.\n\n**When to pick it:** You already have Zod in your project, you only have 3-4 env vars, and you don't mind writing the glue code. For anything bigger, the boilerplate gets annoying fast.\n\n## envalid\n\nenvalid was the early leader here. It's been around since the days of `dotenv` and has a simple API.\n\n\n\n import { cleanEnv, str, port, num, makeValidator } from \"envalid\";\n\n const env = cleanEnv(process.env, {\n DATABASE_URL: str(),\n PORT: port({ default: 3000 }),\n NODE_ENV: str({ choices: [\"dev\", \"prod\"] }),\n });\n\n\n**What it does well:** Dead simple. The `makeValidator` API for custom types is straightforward. Reports all errors at once instead of failing on the first one.\n\n**What it doesn't do:** It's Node-only, so no Vite or Next.js integrations. The error messages are pretty basic — you get a string like `\"DATABASE_URL\" is missing`, but no grouped or colored output. The `choices` option is oddly attached to `str()` rather than being a proper `pick` type. It has 6 legacy dependencies (some unmaintained). No CLI, no env file generation, no ENVIRONMENT.md generation. Secret masking isn't built in.\n\n**When to pick it:** You need something simple for a Node backend and don't want to learn a new API. It works, but you'll outgrow it quickly if your project grows.\n\n## t3-env\n\nCreated by the t3-stack team, this one wraps Zod with nice DX and is tightly coupled to Next.js.\n\n\n\n import { createEnv } from \"@t3-oss/env-nextjs\";\n import { z } from \"zod\";\n\n export const env = createEnv({\n server: {\n DATABASE_URL: z.string().url(),\n },\n client: {\n NEXT_PUBLIC_API_URL: z.string().url(),\n },\n runtimeEnv: process.env,\n });\n\n\n**What it does well:** The server/client split is genius for Next.js. It prevents accidentally leaking server-only vars to the client bundle. Great integration with Next.js build process.\n\n**What it doesn't do:** It's Next-only. If you extract it for other frameworks, you're fighting it. It depends on Zod (15 KB+ added). No CLI, no `.env.example` generation, no docs generation. The `runtimeEnv` option is annoying — you have to manually pass `process.env` in development and inline values in production. Secret masking isn't built in.\n\n**When to pick it:** You're all-in on the Next.js / t3-stack ecosystem. If you ever leave Next, you'll need to replace it.\n\n## CtroEnv\n\nFull disclosure: I built this one. I wanted something that worked everywhere without dragging in a schema library I didn't need.\n\n\n\n import { defineEnv, string, number, pick } from \"@ctroenv/core\";\n\n const env = defineEnv({\n DATABASE_URL: string().url(),\n PORT: number().port().default(3000),\n NODE_ENV: pick([\"dev\", \"prod\"] as const),\n });\n\n env.DATABASE_URL; // typed as string\n\n\nZero dependencies. under 5 KB gzipped. Validators are chainable and self-contained — no Zod dependency.\n\n\n\n // Secret masking is built in\n const env = defineEnv({\n JWT_SECRET: string().min(32).secret(),\n });\n\n console.log(env.JWT_SECRET); // \"********\"\n env.meta.get(\"JWT_SECRET\"); // actual value\n\n\n\n # CLI is included\n npx @ctroenv/cli validate # validate current env\n npx @ctroenv/cli generate # create .env.example from schema\n npx @ctroenv/cli docs # generate ENVIRONMENT.md\n npx @ctroenv/cli check # CI-friendly diff\n\n\n\n // Framework adapters\n // @ctroenv/node — reads process.env + .env files\n // @ctroenv/vite — reads import.meta.env, build plugin\n // @ctroenv/nextjs — server/client split like t3-env\n\n\n**What it does well:** Framework-agnostic core, but has adapters when you need them. CLI for everyday tasks. Generates `.env.example` and docs from schema so they can't drift. Secret masking is built into the runtime, not bolted on. Error grouping and colored output for CI.\n\n**What it doesn't do:** It's newer, so smaller ecosystem. No Zod compatibility layer (and that's by design — the APIs are different). The custom validator API uses a different pattern than Zod's.\n\n**When to pick it:** You want zero-dependency validation that works across frameworks. You hate maintaining `.env.example` by hand. You want one tool for dev, CI, and docs.\n\n## Which one should you use?\n\nIf you're on Next.js and already have Zod, t3-env is fine. If you just need 3 vars validated, envalid works. If you love Zod and want to own your parsing pipeline, go for it.\n\nIf you want something that handles the whole lifecycle — validation, docs generation, CI checks, secret masking — CtroEnv does that without pulling in a 50 KB schema library. But it's also the newest option, so weigh that.\n\nPick based on your project, not hype. Each of these tools solves the same problem differently, and none of them are wrong.\n\n * CtroEnv on GitHub\n * CtroEnv on npm\n * Documentation\n\n",
"title": "CtroEnv vs Zod, envalid, t3-env, Which Env Validator Should You Use?"
}