Update dependency dotenv to v16.4.5 #64

Open
wants to merge 1 commit into
base: master

renovate[bot]
Contributor

@renovate renovate bot commented Mar 20, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| dotenv | 16.3.1 -> 16.4.5 | age | adoption | passing | confidence |

Release Notes

motdotla/dotenv (dotenv)

v16.4.5

Changed
  • 🐞 fix recent regression when using path option. return to historical behavior: do not attempt to auto find .env if path set. (regression was introduced in 16.4.3) #​814

v16.4.4

Changed
  • 🐞 Replaced chaining operator ?. with old school && (fixing node 12 failures) #​812

v16.4.3

Changed
  • Fixed processing of multiple files in options.path #​805

v16.4.2

Changed

v16.4.1

  • Patch support for array as path option #​797

v16.4.0

  • Add error.code to error messages around .env.vault decryption handling #​795
  • Add ability to find .env.vault file when filename(s) passed as an array #​784

v16.3.2

Added
  • Add debug message when no encoding set #​735
Changed

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

[puLL-Merge] - motdotla/dotenv@v16.3.1..v16.4.5

Description

This PR introduces several updates to the dotenv library. It includes changes to funding URLs, incorporation of code coverage reporting using Codecov, additions and updates to .gitignore and .npmignore files, extensive updates to the README and documentation files, introduction of handling multiple .env files, and various minor code improvements and bug fixes.

Changes

Funding and Documentation URLs

  • .github/FUNDING.yml: URL modified to point to https://www.dotenvx.com.
  • README.md, README-es.md, and other documentation files: Various changes including the announcement of dotenvx, updates to sponsor links, and changes to documented URLs to use https and point to updated resources.

CI and Code Coverage

  • .github/workflows/ci.yml: Added steps for generating test coverage reports and uploading them to Codecov.

Git and NPM Ignore Files

  • .gitignore: Added coverage/ and .idea/ directories.
  • .npmignore: Added coverage/ to the ignore list.

Changelog

  • CHANGELOG.md: Extensive update listing new versions and changes, including bug fixes, new features, and improvements.

Library and TypeScript Definitions

  • lib/main.d.ts: Adjustments for TypeScript definitions including corrections and updates to comments.
  • lib/main.js: Various improvements and bug fixes, including error handling and support for handling multiple .env files.

Package Metadata

  • package.json: Updated package version to 16.4.5, modified funding URL, and added a test:coverage script.

Tests

  • Adjustments to test files to align with the changes and new features introduced in the library.

Security Hotspots

  1. Use of Secrets in CI Workflow (.github/workflows/ci.yml): The change introduces a CODECOV_TOKEN secret for uploading coverage data to Codecov. Ensure that the secret is securely managed and has limited permissions.

  2. Loading of Environment Variables from Multiple Sources (lib/main.js): With the added capability to load .env files from multiple paths, care should be taken to ensure that sensitive information is not unintentionally exposed or overwritten.

  3. Error Handling and Messaging (lib/main.js): The modifications include throwing and logging errors for various cases (e.g., missing DOTENV_KEY, decryption failures). It's important to verify that these error messages do not inadvertently disclose sensitive information about the application's configuration or environment.

  4. HTTPS URLs in Documentation: Ensure that all external links are valid, point to trusted sources, and use HTTPS to prevent MITM attacks.

These hotspots should be reviewed carefully to avoid introducing vulnerabilities or exposing sensitive information.
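
An added example for hotspot 2 above, not part of this PR or of dotenv's own code: a pre-merge audit that lists keys defined with different values in more than one .env file before those files are passed together as `options.path`. The helper names `parseEnv` and `auditEnvFiles` are hypothetical, the sample files are constructed, and the precedence rule (first definition wins unless `override` is set) is an assumption to confirm against the README of the installed dotenv version.

```javascript
// Minimal KEY=VALUE parser written for this example. It is a simplification,
// not dotenv's parser: no multiline values, inline comments or `export`.
function parseEnv(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([\w.-]+)\s*=\s*(.*?)\s*$/);
    if (!m) continue; // blank lines and # comments do not match
    out[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2'); // strip matching quotes
  }
  return out;
}

// files: [{ name, text }] in the order they would appear in options.path.
// Assumption: the first definition of a key wins, the last one if override.
function auditEnvFiles(files, { override = false } = {}) {
  const seen = new Map(); // key -> [{ file, value }]
  for (const { name, text } of files) {
    for (const [key, value] of Object.entries(parseEnv(text))) {
      if (!seen.has(key)) seen.set(key, []);
      seen.get(key).push({ file: name, value });
    }
  }
  const conflicts = [];
  for (const [key, defs] of seen) {
    // Only keys defined more than once with differing values are a concern.
    if (new Set(defs.map((d) => d.value)).size < 2) continue;
    const winner = override ? defs[defs.length - 1] : defs[0];
    conflicts.push({
      key,
      effectiveFile: winner.file,
      shadowedFiles: defs.filter((d) => d !== winner).map((d) => d.file),
    });
  }
  return conflicts;
}

// Constructed sample input: file names and values are illustrative only.
const sampleFiles = [
  { name: '.env.local', text: 'DB_URL=postgres://localhost/dev\nDEBUG=true\n' },
  { name: '.env', text: '# defaults\nDB_URL="postgres://db.internal/prod"\nDEBUG=true\n' },
];

// Report key and file names only, never values, so the audit leaks nothing.
for (const c of auditEnvFiles(sampleFiles)) {
  console.log(`${c.key}: ${c.effectiveFile} shadows ${c.shadowedFiles.join(', ')}`);
}
```

Running the audit with `{ override: true }` shows which file would take effect if the loader were switched to last-wins behaviour.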
