npm - @dotenvx/dotenvx - Versions diffs - 1.24.3 → 1.24.5 - Mend

@dotenvx/dotenvx 1.24.3 → 1.24.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,27 +2,39 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.24.3...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.24.5...main)
-## [1.24.3](https://github.com/dotenvx/dotenvx/compare/v1.24.2...1.24.3)
+## [1.24.5](https://github.com/dotenvx/dotenvx/compare/v1.24.4...v1.24.5)
+### Changed
+* 🐞 do not expand prior literal values ([#458](https://github.com/dotenvx/dotenvx/pull/458))
+## [1.24.4](https://github.com/dotenvx/dotenvx/compare/v1.24.3...v1.24.4)
+### Changed
+* do not expand command substitution ([#456](https://github.com/dotenvx/dotenvx/pull/456))
+## [1.24.3](https://github.com/dotenvx/dotenvx/compare/v1.24.2...v1.24.3)
 ### Changed
 * 🐞 fix command substitution for more complex commands ([#455](https://github.com/dotenvx/dotenvx/pull/455))
-## [1.24.2](https://github.com/dotenvx/dotenvx/compare/v1.24.1...1.24.2)
+## [1.24.2](https://github.com/dotenvx/dotenvx/compare/v1.24.1...v1.24.2)
 ### Changed
 * treat pre-existing expandable values as literal in `process.env` ([#450](https://github.com/dotenvx/dotenvx/pull/450))
-## [1.24.1](https://github.com/dotenvx/dotenvx/compare/v1.24.0...1.24.1)
+## [1.24.1](https://github.com/dotenvx/dotenvx/compare/v1.24.0...v1.24.1)
 ### Changed
 * bump `cross-spawn` to prevent potential ReDoS [CVE-2024-21538](https://github.com/advisories/ghsa-3xgq-45jj-v275) ([#449](https://github.com/dotenvx/dotenvx/pull/449))
-## 1.24.0
+## [1.24.0](https://github.com/dotenvx/dotenvx/compare/v1.23.0...v1.24.0)
 ### Added

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "1.24.3",
+  "version": "1.24.5",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/lib/helpers/parse.js CHANGED Viewed

@@ -20,6 +20,8 @@ class Parse {
     // for use with progressive expansion
     this.runningParsed = {}
+    // for use with stopping expansion for literals
+    this.literals = {}
   }
   run () {
@@ -44,15 +46,24 @@ class Parse {
       }
       // eval empty, double, or backticks
+      let evaled = false
       if (quote !== "'" && (!this.inProcessEnv(key) || this.processEnv[key] === this.parsed[key])) {
-        this.parsed[key] = this.eval(this.parsed[key])
+        const priorEvaled = this.parsed[key]
+        this.parsed[key] = this.eval(priorEvaled)
+        if (priorEvaled !== this.parsed[key]) {
+          evaled = true
+        }
       }
       // expand empty, double, or backticks
-      if (quote !== "'" && !this.processEnv[key]) {
+      if (!evaled && quote !== "'" && !this.processEnv[key]) {
         this.parsed[key] = resolveEscapeSequences(this.expand(this.parsed[key]))
       }
+      if (quote === "'") {
+        this.literals[key] = this.parsed[key]
+      }
       // for use with progressive expansion
       this.runningParsed[key] = this.parsed[key]
@@ -157,7 +168,6 @@ class Parse {
       let defaultValue
       let value
       const key = r.shift()
       if ([':+', '+'].includes(splitter)) {
@@ -179,6 +189,11 @@ class Parse {
         break
       }
+      // if the result came from what was a literal value then stop expanding
+      if (this.literals[key]) {
+        break
+      }
       regex.lastIndex = 0 // reset regex search position to re-evaluate after each replacement
     }