Skip to content

chore(deps): Bump dotenv from 16.6.1 to 17.2.3 #247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mchestr merged 1 commit into from
Dec 30, 2025
Merged

chore(deps): Bump dotenv from 16.6.1 to 17.2.3 #247

mchestr merged 1 commit into from
Dec 30, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 29, 2025
edited
Loading

Bumps dotenv from 16.6.1 to 17.2.3.

Changelog

Sourced from dotenv's changelog.

17.2.3 (2025-09-29)

Changed

  • Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

  • 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

  • Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

  • Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
  • Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})
# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"
// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)
$ node index.js
Hello World
or
$ DOTENV_CONFIG_QUIET=true node index.js

17.1.0 (2025-07-07)

Added

  • Add additional security and configuration tips to the runtime log (#884)
  • Dim the tips text from the main injection information text

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@mchestr
Copy link
Owner

mchestr commented Dec 30, 2025

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/dotenv-17.2.3 branch from 10709dc to 41e786c Compare December 30, 2025 04:20
@dependabot @mchestr
chore(deps): Bump dotenv from 16.6.1 to 17.2.3
80d5e06 
Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.6.1 to 17.2.3.
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.6.1...v17.2.3)

---
updated-dependencies:
- dependency-name: dotenv
  dependency-version: 17.2.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@mchestr mchestr force-pushed the dependabot/npm_and_yarn/dotenv-17.2.3 branch from 41e786c to 80d5e06 Compare December 30, 2025 04:24
@claude
Copy link

claude bot commented Dec 30, 2025
edited
Loading

Claude finished @dependabot[bot]'s task in 1m 43s —— View job

Reviewing dotenv upgrade PR

Tasks

  • Read changed files
  • Search for dotenv usage in codebase
  • Review changelog for breaking changes
  • Check TypeScript compatibility
  • Provide review feedback

✅ Review Complete

I've analyzed the dotenv upgrade from v16.6.1 to v17.2.3. The upgrade is safe to merge with no breaking changes or code modifications required.

Key Findings:

  • ✅ No breaking changes - v17.x is fully backward compatible
  • ✅ TypeScript improvements included (error definition fixes)
  • ✅ All existing usage patterns remain supported
  • ✅ Dual version with c12 dependency is expected and safe

What Changed:

  • TypeScript error definition fixes (v17.2.3)
  • New optional quiet mode feature (v17.2.0)
  • Enhanced runtime tips for security/config (v17.1.0+)

Full review details posted in the comments above.

@claude
Copy link

claude bot commented Dec 30, 2025

Code Review: dotenv v16.6.1 → v17.2.3 Upgrade

✅ Summary

This dependency upgrade is safe to merge. The update from dotenv 16.6.1 to 17.2.3 includes helpful improvements with no breaking changes affecting this codebase.

📋 Analysis

Usage Patterns in Codebase:

  • import 'dotenv/config' in playwright.config.ts:1 and prisma.config.ts:1
  • import dotenv from 'dotenv' + dotenv.config() in scripts/register-discord-metadata.ts:17-19

Changes in v17.x:

  1. TypeScript Error Definition Fix (v17.2.3) - Improves type safety
  2. Quiet Mode (v17.2.0) - New DOTENV_CONFIG_QUIET=true option to suppress runtime logs
  3. Enhanced Runtime Tips (v17.1.0+) - Better security/configuration guidance in console output

Compatibility:

  • ✅ No breaking changes - v17.x is backward compatible with v16.x
  • ✅ All existing usage patterns (dotenv/config and dotenv.config()) remain supported
  • ✅ TypeScript improvements enhance type safety without requiring code changes

Dual Version Note:
The package-lock shows two dotenv versions:

  • node_modules/dotenv: v17.2.3 (main dependency - this PR)
  • node_modules/c12/node_modules/dotenv: v16.6.1 (nested dependency via @prisma/config)

This is expected and safe. The c12 package (used by Prisma v7) has its own dotenv v16.x dependency isolated in its own node_modules subdirectory, so there's no conflict.

🔍 Code Quality

  • No code changes required - upgrade is drop-in compatible
  • Type safety improved - v17.2.3 fixes TypeScript error definitions
  • No security concerns - this is a standard Dependabot upgrade
  • Test coverage - existing tests remain valid

💡 Recommendations

  1. Merge as-is - no additional changes needed
  2. Optional enhancement - Consider using the new quiet mode in production by setting DOTENV_CONFIG_QUIET=true in .env if runtime logs become noisy (not required for this PR)
  3. CI will validate - existing tests should pass without modification

📚 References

  • dotenv changelog
  • Files reviewed: package.json:36, playwright.config.ts:1, prisma.config.ts:1, scripts/register-discord-metadata.ts:17-19

@mchestr mchestr merged commit f3b2213 into main Dec 30, 2025
6 checks passed
@mchestr mchestr deleted the dependabot/npm_and_yarn/dotenv-17.2.3 branch December 30, 2025 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies npm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mchestr