
v2: secure-by-default loader + discoverability, quality & project-health overhaul#3

Merged. jaavier merged 3 commits into main from claude/alo-zWSmg on May 29, 2026.

Conversation

@jaavier (Owner) commented May 29, 2026

Summary

Makes dotenv lighter, safer, and far more discoverable, released as a v2 module (github.com/jaavier/dotenv/v2).

This PR has three parts:

1. Secure-by-default loader (code)

  • Breaking: Load no longer overrides variables already present in the process environment (12-factor). Use the new Overload / Options.Override to opt in.
  • Atomic apply: each file is fully parsed before any variable is set — a malformed file never leaves a half-applied environment.
  • Correct POSIX-ish quoting: double quotes expand escapes (\n \r \t \\ \"), single quotes are literal, unquoted values support inline # comments, optional leading export, UTF-8 BOM and CRLF.
  • Multi-line quoted values (e.g. PEM keys); removed the bufio.Scanner 64 KB line cap.
  • Hardening: size limit enforced on bytes actually read; configurable Options.MaxFileSize + ErrFileTooLarge.
  • New API (additive, zero deps): Parse(io.Reader) / ParseBytes([]byte) (pure, no global side effects), Overload(...), DefaultMaxFileSize.

2. Discoverability (pkg.go.dev / Go Report Card / search)

  • Keyword-optimized package synopsis (the sentence pkg.go.dev indexes).
  • Testable Example functions (rendered on pkg.go.dev) and benchmarks (~4.6 µs/parse).
  • README: 8 badges, a "Why dotenv? (vs godotenv)" comparison table, performance numbers, and an FAQ targeting common queries.

3. Quality & project health

  • GitHub Actions CI: build/vet/test matrix across Go 1.17–1.23 on Linux/macOS/Windows, race + coverage (Codecov), and gofmt + golangci-lint.
  • CodeQL security scanning, golangci-lint v2 config (repo is lint-clean), Dependabot.
  • CHANGELOG, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT, issue forms, PR template, Makefile.

Verification

  • go build, go vet, golangci-lint run — all clean (0 issues)
  • go test -race passes; coverage 90%
  • gofmt -l . empty; all CI YAML validated

Breaking changes

  • Import path is now github.com/jaavier/dotenv/v2.
  • Load no longer overrides pre-existing environment variables (use Overload).

Follow-up (manual, no API available)

After merge, to complete discoverability:

  1. Tag and publish v2.0.0 from main (triggers Go proxy re-indexing).
  2. Set repo topics + description + website (values in the PR discussion / chat).
  3. Submit the entry to awesome-go (Configuration section).

https://claude.ai/code/session_01P1nZkYKTFp9CRKDUEysphw


Generated by Claude Code
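The parsing and loading rules listed in the description above, as an added example written for this page. It is not the jaavier/dotenv/v2 code and only mirrors the behaviour the PR text claims: double-quote escapes, literal single quotes, inline `#` comments, optional leading `export`, UTF-8 BOM and CRLF, multi-line quoted values, rejection of trailing garbage after a closing quote, a byte-count size cap, and a loader that parses the whole file before touching the process environment and does not override existing variables unless asked. `ErrInvalidFormat`, `ErrFileTooLarge` and the map-returning parse function are names from the page; the fixed `MaxFileSize` constant (standing in for `Options.MaxFileSize`), `keyChars`, `escapes`, `skipSpace` and the `Load(data, override)` signature are assumptions made here, and the sample input in `main` is constructed.

```go
// Added example, not the jaavier/dotenv/v2 source: a minimal parser that follows
// the rules described in the PR text, plus an atomic, no-override loader.
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

var ErrInvalidFormat, ErrFileTooLarge = errors.New("dotenv: invalid format"), errors.New("dotenv: file too large")

const MaxFileSize = 1 << 20 // hypothetical fixed cap standing in for Options.MaxFileSize
const keyChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

var escapes = map[byte]byte{'n': '\n', 'r': '\r', 't': '\t', '\\': '\\', '"': '"'} // double quotes only

// skipSpace returns the index of the first byte at or after i that is not a space or tab.
func skipSpace(s string, i int) int { return len(s) - len(strings.TrimLeft(s[i:], " \t")) }

// ParseBytes parses a whole buffer into a map with no global side effects.
func ParseBytes(data []byte) (map[string]string, error) {
	if len(data) > MaxFileSize {
		return nil, ErrFileTooLarge
	}
	s := strings.ReplaceAll(strings.TrimPrefix(string(data), "\uFEFF"), "\r\n", "\n") // BOM, CRLF
	env, n := map[string]string{}, len(s)
	for i := skipSpace(s, 0); i < n; i = skipSpace(s, i) {
		if s[i] == '\n' || s[i] == '#' { // blank line or whole-line comment
			_, rest, _ := strings.Cut(s[i:], "\n")
			i = n - len(rest)
			continue
		}
		if strings.HasPrefix(s[i:], "export ") { // optional leading export
			i = skipSpace(s, i+len("export "))
		}
		keyLen := len(s[i:]) - len(strings.TrimLeft(s[i:], keyChars))
		key := s[i : i+keyLen]
		if i = skipSpace(s, i+keyLen); key == "" || i >= n || s[i] != '=' {
			return nil, ErrInvalidFormat
		}
		i = skipSpace(s, i+1)
		var val string
		if i < n && (s[i] == '"' || s[i] == '\'') { // quoted value, may span lines
			q := s[i]
			var b strings.Builder
			for i++; i < n && s[i] != q; i++ {
				if q == '"' && s[i] == '\\' && i+1 < n { // escapes only in double quotes
					i++
					if r, ok := escapes[s[i]]; ok {
						b.WriteByte(r)
						continue
					}
					b.WriteByte('\\') // unknown escape is kept verbatim
				}
				b.WriteByte(s[i])
			}
			if i >= n {
				return nil, ErrInvalidFormat // unterminated quote
			}
			i, val = i+1, b.String()
		} else { // unquoted: runs to end of line, '#' starts an inline comment
			line, _, _ := strings.Cut(s[i:], "\n")
			i += len(line)
			line, _, _ = strings.Cut(line, "#")
			val = strings.TrimRight(line, " \t")
		}
		if i = skipSpace(s, i); i < n && s[i] != '\n' && s[i] != '#' {
			return nil, ErrInvalidFormat // trailing garbage after a closing quote
		}
		env[key] = val
	}
	return env, nil
}

// Load parses the whole buffer before touching the environment (atomic) and,
// unless override is set, leaves variables already present alone (12-factor).
func Load(data []byte, override bool) (applied int, err error) {
	env, err := ParseBytes(data)
	if err != nil {
		return 0, err
	}
	for k, v := range env {
		if _, exists := os.LookupEnv(k); exists && !override {
			continue // the process environment is authoritative
		}
		if err := os.Setenv(k, v); err != nil {
			return applied, err
		}
		applied++
	}
	return applied, nil
}

func main() {
	// Constructed sample: BOM, CRLF, export, comments and every quoting style.
	fmt.Println(ParseBytes([]byte("\uFEFFexport APP=demo # c\r\nRAW='a\\n'\r\nMSG=\"x\\ty\"\n")))
}
```

Two design points worth noting. Atomicity falls out of the split between `ParseBytes` and `Load`: because the first `os.Setenv` happens only after the whole buffer has parsed, a malformed line late in the file leaves the environment exactly as it was. The no-override check uses `os.LookupEnv`, so a variable that is present but empty still wins over the file, which is the 12-factor reading the PR adopts. This example uses `strings.Cut`, which needs Go 1.18 or later, so it targets a newer floor than the Go 1.17 entry in the project's CI matrix.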

claude added 3 commits May 29, 2026 01:59
Redesign the loader to be lighter and security-first while keeping the
public API backward compatible (existing tests still pass).

Security & correctness:
- Default no longer overrides existing env vars (12-factor): the process
  environment is authoritative. Add Overload / Options.Override for opt-in.
- Files are applied atomically: parse fully before setting any variable,
  so a malformed file never leaves a half-applied environment.
- POSIX-ish quoting fixed: double quotes expand escapes (\n \r \t \\ \"),
  single quotes are literal, unquoted values support inline "# comments".
- Reject trailing garbage after a closing quote (ErrInvalidFormat).
- Support optional leading "export " token and UTF-8 BOM.
- Multi-line quoted values (e.g. PEM keys) are supported.
- Replace bufio.Scanner (64KB line cap) with byte-based parsing.
- Enforce size limit on bytes actually read (safe for pipes/special files);
  add configurable Options.MaxFileSize and ErrFileTooLarge sentinel.

New API (additive, zero dependencies, single file):
- Parse(io.Reader) / ParseBytes([]byte): pure parsing into a map with no
  global side effects.
- Overload(...): explicit override loader.
- DefaultMaxFileSize constant.

Docs & tests:
- Rewrite README (EN/ES) for the new behavior; drop the misleading
  "path sanitization prevents directory traversal" claim.
- Update example to showcase Parse and Overload.
- Add parse_test.go covering quoting, comments, export, BOM/CRLF,
  multi-line, override semantics, atomicity, size limits, and no-side-effect
  parsing.

https://claude.ai/code/session_01P1nZkYKTFp9CRKDUEysphw

Add the infrastructure and documentation that drive a Go package's
discoverability on pkg.go.dev, Go Report Card and search engines.

Discoverability & docs:
- README: pkg.go.dev / Go Report Card / CI / codecov / license / version /
  zero-deps badges, keyword-rich tagline, a "Why dotenv? (vs godotenv)"
  comparison table, performance numbers, and an FAQ targeting common queries.
- Keyword-optimized package synopsis (the first sentence pkg.go.dev indexes).
- Testable Example functions (rendered on pkg.go.dev) and benchmarks.

Quality & trust signals:
- GitHub Actions CI: build/vet/test matrix across Go 1.17–1.23 on
  Linux/macOS/Windows, a race+coverage job (Codecov), and a gofmt+golangci-lint
  job.
- CodeQL security scanning workflow.
- golangci-lint v2 config; repo is lint-clean and gofmt-clean (incl. existing
  test file).
- Dependabot for modules and GitHub Actions.

Project health:
- CHANGELOG, CONTRIBUTING, SECURITY (private advisory reporting + design
  notes), CODE_OF_CONDUCT, issue forms, PR template, and a Makefile.

Coverage is 90%; all examples and benchmarks pass.

https://claude.ai/code/session_01P1nZkYKTFp9CRKDUEysphw

The secure-by-default behavior change (Load no longer overrides existing
environment variables) is a breaking change, so the module is promoted to
major version 2 per semantic import versioning.

- go.mod module path -> github.com/jaavier/dotenv/v2
- Update all imports (examples, tests) and doc comment
- README: install/import snippets and pkg.go.dev / Go Report Card badges -> /v2,
  add a "How do I upgrade from v1?" FAQ entry
- CHANGELOG: frame as 2.0.0 with BREAKING notes (module path + security default)
- SECURITY: mark 2.x as supported

BREAKING CHANGE: import path is now github.com/jaavier/dotenv/v2 and Load no
longer overrides pre-existing environment variables (use Overload to opt in).

https://claude.ai/code/session_01P1nZkYKTFp9CRKDUEysphw

@github-advanced-security (bot) commented:
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@jaavier jaavier merged commit 381b83e into main May 29, 2026
15 of 16 checks passed