@dotenvx/dotenvx 1.24.0 → 1.24.1

package/CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.24.0...main)
+## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.24.1...main)
+
+## 1.24.1
+
+### Changed
+
+* bump `cross-spawn` to prevent potential ReDoS [CVE-2024-21538](https://github.com/advisories/ghsa-3xgq-45jj-v275) ([#449](https://github.com/dotenvx/dotenvx/pull/449))
 
 ## 1.24.0
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.24.0",
+  "version": "1.24.1",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/lib/helpers/parse.js

@@ -157,16 +157,21 @@ class Parse {
 
       const r = expression.split(splitter)
 
-      let key
       let defaultValue
       let value
 
+      const key = r.shift()
+
+      // short-circuit if exact value already in process.env already
+      // const inProcessEnv = Object.prototype.hasOwnProperty.call(this.processEnv, key)
+      // if (!this.overload && !!this.processEnv[key] && (env[key] === this.processEnv[key])) {
+      //   return this.processEnv[key]
+      // }
+
       if ([':+', '+'].includes(splitter)) {
-        key = r.shift()
         defaultValue = env[key] ? r.join(splitter) : ''
         value = null
       } else {
-        key = r.shift()
         defaultValue = r.join(splitter)
         value = env[key]
       }