Keeping your secret keys secret is important. It may not be relevant for every type of app, but often you'll have database connection credentials or other private data required by your backend services that you really don't want exposed in your checked-in source code.
Environment variables are a good solution: they are only exposed within the environment they're set in (e.g. your server/VM instance), and they don't sit explicitly in your code. You're then free to refer to your environment variables in your code, to be read at runtime. In Node this is simply done via process.env.VAR_NAME.
This also makes it easy to have different credentials for different environments, such as your local development server, a staging/testing environment and your production environment.
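One way to put this into practice, as an added example that is not code from the original post: a small config loader that reads credentials from the environment, fails at startup if any are missing, and masks the secret before anything is logged. The variable names (DB_HOST, DB_USER, DB_PASSWORD) and the sample values are assumptions constructed for illustration.

```javascript
// Variable names are assumptions for this example, not a fixed convention.
const REQUIRED = ['DB_HOST', 'DB_USER', 'DB_PASSWORD'];

// Build the config from an environment object (process.env by default).
// Failing here, at startup, beats failing at the first database call.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    // Report only the names of the missing variables, never any values.
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }
  return Object.freeze({
    nodeEnv: env.NODE_ENV || 'development',
    db: Object.freeze({
      host: env.DB_HOST,
      user: env.DB_USER,
      password: env.DB_PASSWORD,
    }),
  });
}

// Copy of the config that is safe to log: the secret field is masked.
function redact(config) {
  return { ...config, db: { ...config.db, password: '[REDACTED]' } };
}

// Constructed sample environments standing in for what each host would set.
const stagingEnv = {
  NODE_ENV: 'staging',
  DB_HOST: 'db.staging.example',
  DB_USER: 'app',
  DB_PASSWORD: 'constructed-staging-pw',
};
const productionEnv = {
  NODE_ENV: 'production',
  DB_HOST: 'db.prod.example',
  DB_USER: 'app',
  DB_PASSWORD: 'constructed-prod-pw',
};

// Same code, different credentials per environment; only redacted output is printed.
for (const env of [stagingEnv, productionEnv]) {
  console.log(JSON.stringify(redact(loadConfig(env))));
}
```

In a real service you would call loadConfig() with no argument once at startup so it reads process.env, and pass the returned object to the code that needs it.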