@dotenvx/dotenvx 1.22.2 → 1.23.0

package/CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.22.2...main)
+## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.23.0...main)
+
+## 1.23.0
+
+### Added
+
+* deeper variable expansion support and protection against self-referencing variables 🛡️ ([#439](https://github.com/dotenvx/dotenvx/pull/439))
 
 ## 1.22.2
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.22.2",
+  "version": "1.23.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/lib/helpers/dotenvExpand.js

@@ -1,44 +1,39 @@
-// * /
-// *   (\\)?            # is it escaped with a backslash?
-// *   (\$)             # literal $
-// *   (?!\()           # shouldnt be followed by parenthesis
-// *   (\{?)            # first brace wrap opening
-// *   ([\w.]+)         # key
-// *   (?::-((?:\$\{(?:\$\{(?:\$\{[^}]*\}|[^}])*}|[^}])*}|[^}])+))? # optional default nested 3 times
-// *   (\}?)            # last brace warp closing
-// * /xi
-
-const DOTENV_SUBSTITUTION_REGEX = /(\\)?(\$)(?!\()(\{?)([\w.]+)(?::?-((?:\$\{(?:\$\{(?:\$\{[^}]*\}|[^}])*}|[^}])*}|[^}])+))?(\}?)/gi
-
 function _resolveEscapeSequences (value) {
   return value.replace(/\\\$/g, '$')
 }
 
-function interpolate (value, lookups) {
-  return value.replace(DOTENV_SUBSTITUTION_REGEX, (match, escaped, dollarSign, openBrace, key, defaultValue, closeBrace) => {
-    if (escaped === '\\') {
-      return match.slice(1)
-    } else {
-      if (lookups[key]) {
-        // avoid recursion from EXPAND_SELF=$EXPAND_SELF
-        if (lookups[key] === value) {
-          return lookups[key]
-        } else {
-          return interpolate(lookups[key], lookups)
-        }
-      }
+function interpolate (value, env) {
+  const regex = /(?<!\\)\${([^{}]+)}|(?<!\\)\$([A-Za-z_][A-Za-z0-9_]*)/g
 
-      if (defaultValue) {
-        if (defaultValue.startsWith('$')) {
-          return interpolate(defaultValue, lookups)
-        } else {
-          return defaultValue
-        }
-      }
+  let result = value
+  let match
+  const seen = new Set() // self-referential checker
+
+  while ((match = regex.exec(result)) !== null) {
+    seen.add(result)
+
+    const [template, bracedExpression, unbracedExpression] = match
+    const expression = bracedExpression || unbracedExpression
+    const r = expression.split(/:-|-/)
+    const key = r.shift()
+    const defaultValue = r.join('-')
+    const value = env[key]
 
-      return ''
+    if (value) {
+      // self-referential check
+      if (seen.has(value)) {
+        result = result.replace(template, defaultValue)
+      } else {
+        result = result.replace(template, value)
+      }
+    } else {
+      result = result.replace(template, defaultValue)
     }
-  })
+
+    regex.lastIndex = 0 // reset regex search position to re-evaluate after each replacement
+  }
+
+  return result
 }
 
 function expand (options) {