Hi Hitt, sorry for the late reply. I have personally never used the "env-cmd" library in any of my projects yet. But I did a quick search on npm and realise it is a very popular .env file package manager.
Using "env-cmd" alone cannot guarantee that your environment variables will be safe (hidden) when you push to a version control system like GitHub. You will have to personally cross-check your .gitignore file to confirm that your environment variable file has been added to the files that are not supposed to be committed when you make a push to GitHub or any version control management system.
I hope this answers your question.
To the second problem on making API calls to third-party endpoints: your go-to solution will be Firebase Cloud Functions.
You can create cloud functions that make HTTPS calls to third-party endpoints inside of a Node/Express.js server. You can find more information about that in the official Firebase documentation.
Thank you.
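
One way to run the .gitignore cross-check described in the reply above, as an added example that is not part of the original reply. The function name `check_env_file` and its return codes are assumptions made for this example; the `git` subcommands are standard.

```shell
#!/bin/sh
# Added example: confirm an env file is kept out of a Git repository.
# Run from inside the repository. Return codes (chosen for this example):
#   0 = ignored and untracked, 1 = not ignored, 2 = tracked, 3 = in history
check_env_file() {
    file="${1:-.env}"

    # A file that is already tracked stays tracked even when a .gitignore
    # rule matches it, so check the index before the ignore rules.
    if git ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
        echo "FAIL: $file is tracked; untrack it with: git rm --cached $file" >&2
        return 2
    fi

    # check-ignore exits 0 only when some ignore rule matches the path
    # (.gitignore, .git/info/exclude or the user's global excludes file).
    if ! git check-ignore -q -- "$file"; then
        echo "FAIL: $file is not matched by any ignore rule" >&2
        return 1
    fi

    # Untracking a file does not remove it from earlier commits, which are
    # pushed along with everything else.
    if git rev-parse -q --verify HEAD >/dev/null 2>&1 &&
       [ -n "$(git log --all --oneline -- "$file" 2>/dev/null | head -n 1)" ]; then
        echo "WARN: $file appears in commit history; rotate the secrets it held" >&2
        return 3
    fi

    echo "OK: $file is ignored and untracked"
    return 0
}
```

A result of 3 means the values were already committed at some point, so the keys in that file should be replaced and not only hidden.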