You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)
Changed
Tighten up logs: ◇ injecting env (14) from .env (#1003)
Add a new README section on dotenv’s approach to the agentic future.
Changed
Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.
🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Greptile Summary
This PR bumps dotenv from 16.5.0 to 17.4.0 (a major-version increment), updating package.json, package-lock.json, and pnpm-lock.yaml accordingly.
Key observations:
The changelog for v16.5.0 → v17.4.0 shows only documentation rewrites, README updates, a TypeScript type fix (DotenvPopulateInput accepting NodeJS.ProcessEnv), and cosmetic log-message tightening — no breaking API changes were identified.
After the bump, typeorm resolves its own copy of dotenv@16.6.1 as a nested dependency (visible in package-lock.json), leaving two versions in the tree. This is normal npm/pnpm deduplication behavior and does not affect the application.
The pnpm-lock.yaml surfaces a pre-existing deprecation warning on glob@10.4.5, which is unrelated to this PR and was already present in the dependency tree.
Confidence Score: 4/5
Safe to merge — a major-version bump with no breaking API changes and standard lock file updates.
This is a routine automated dependency bump. The v16 → v17 major version increment sounds alarming, but the full changelog between 16.5.0 and 17.4.0 contains only documentation rewrites, a minor TypeScript type improvement, and cosmetic log changes — no breaking changes to the public API. The application's usage pattern of dotenv (calling config() at startup) is unaffected. One point deducted because major bumps carry inherent unknown risk and there are no explicit regression tests for env loading in this PR.
No files require special attention; all changes are auto-generated lock file and manifest updates.
Important Files Changed
Filename
Overview
package.json
Bumps dotenv from 16.5.0 to 17.4.0 (major version bump); changelog shows mostly documentation/README changes and minor TypeScript type fixes with no breaking API changes.
package-lock.json
Lock file updated to dotenv@17.4.0; typeorm now resolves its own dotenv peer to 16.6.1, resulting in two dotenv versions in the tree — expected npm deduplication behavior.
pnpm-lock.yaml
pnpm lockfile updated to dotenv@17.4.0; also exposes a deprecation notice on glob@10.4.5 that was already present in the tree (unrelated to this bump).
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Application] -->|requires| B[dotenv v17.4.0]
C[typeorm] -->|nested peer| D[dotenv v16.6.1]
B --> E[Parse .env and inject into process.env]
D --> E
AI Reviewer: run a review on demand. To trigger the first review automatically, go to your organization or repository integration settings. AI can make mistakes. Always validate suggestions.
TIP This summary will be updated as you push new changes. Give us feedback
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update Javascript code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
Bumps dotenv from 16.5.0 to 17.4.0.
Changelog
Sourced from dotenv's changelog.
... (truncated)
Commits
a2e31d617.4.04f041eechangelog 🪵bab8b98README516d47eupdatece9b98fadjust quickstartd3a9065update links9a3f955add bannerd35b6a9clean upa115e3aremove version185e641hide as2 for now - very early betaDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Greptile Summary
This PR bumps
dotenvfrom16.5.0to17.4.0(a major-version increment), updatingpackage.json,package-lock.json, andpnpm-lock.yamlaccordingly.Key observations:
DotenvPopulateInputacceptingNodeJS.ProcessEnv), and cosmetic log-message tightening — no breaking API changes were identified.typeormresolves its own copy ofdotenv@16.6.1as a nested dependency (visible inpackage-lock.json), leaving two versions in the tree. This is normal npm/pnpm deduplication behavior and does not affect the application.pnpm-lock.yamlsurfaces a pre-existing deprecation warning onglob@10.4.5, which is unrelated to this PR and was already present in the dependency tree.Confidence Score: 4/5
Safe to merge — a major-version bump with no breaking API changes and standard lock file updates.
This is a routine automated dependency bump. The v16 → v17 major version increment sounds alarming, but the full changelog between 16.5.0 and 17.4.0 contains only documentation rewrites, a minor TypeScript type improvement, and cosmetic log changes — no breaking changes to the public API. The application's usage pattern of dotenv (calling config() at startup) is unaffected. One point deducted because major bumps carry inherent unknown risk and there are no explicit regression tests for env loading in this PR.
No files require special attention; all changes are auto-generated lock file and manifest updates.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[Application] -->|requires| B[dotenv v17.4.0] C[typeorm] -->|nested peer| D[dotenv v16.6.1] B --> E[Parse .env and inject into process.env] D --> EReviews (1): Last reviewed commit: "Bump dotenv from 16.5.0 to 17.4.0" | Re-trigger Greptile