@dotenvx/dotenvx 1.39.1 → 1.40.1

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.39.1...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.40.1...main)
+
+## [1.40.1](https://github.com/dotenvx/dotenvx/compare/v1.40.0...v1.40.1)
+
+### Changed
+
+* Patch `ext scan` command ([#570](https://github.com/dotenvx/dotenvx/pull/570))
+
+## [1.40.0](https://github.com/dotenvx/dotenvx/compare/v1.39.1...v1.40.0)
+
+### Added
+
+* Smarter `ext precommit` and `ext prebuild` – catch duplicate KEYs in the same .env file where one is mistakenly left unencrypted ([#567](https://github.com/dotenvx/dotenvx/pull/567))
 
 ## [1.39.1](https://github.com/dotenvx/dotenvx/compare/v1.39.0...v1.39.1)
 

package/LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2024, Scott Motte
+Copyright (c) 2024, Dotenvx LLC
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
@@ -26,3 +26,11 @@ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+---
+
+Dotenvx is an Open Source project licensed under the BSD 3-Clause above.
+
+Dotenvx Pro is source-available with a commercial-friendly license. You can find 
+the full commercial license in `COMMERCIAL-LICENSE.txt`. See https://dotenvx.com 
+for features and purchasing options.

package/README.md

@@ -796,6 +796,59 @@ Advanced CLI commands.
   Hello World
   ```
 
+  </details>
+* <details><summary>`run` - Multiline</summary><br>
+
+  Dotenvx supports multiline values. This is particularly useful in conjunction with Docker - which [does not support multiline values](https://stackoverflow.com/questions/50299617/set-multiline-environment-variable-with-dockerfile/79578348#79578348).
+
+  ```ini
+  # .env
+  MULTILINE_PEM="-----BEGIN PUBLIC KEY-----
+  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNl1tL3QjKp3DZWM0T3u
+  LgGJQwu9WqyzHKZ6WIA5T+7zPjO1L8l3S8k8YzBrfH4mqWOD1GBI8Yjq2L1ac3Y/
+  bTdfHN8CmQr2iDJC0C6zY8YV93oZB3x0zC/LPbRYpF8f6OqX1lZj5vo2zJZy4fI/
+  kKcI5jHYc8VJq+KCuRZrvn+3V+KuL9tF9v8ZgjF2PZbU+LsCy5Yqg1M8f5Jp5f6V
+  u4QuUoobAgMBAAE=
+  -----END PUBLIC KEY-----"
+  ```
+
+  ```js
+  // index.js
+  console.log('MULTILINE_PEM', process.env.MULTILINE_PEM)
+  ```
+
+  ```sh
+  $ dotenvx run -- node index.js
+  MULTILINE_PEM -----BEGIN PUBLIC KEY-----
+  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNl1tL3QjKp3DZWM0T3u
+  LgGJQwu9WqyzHKZ6WIA5T+7zPjO1L8l3S8k8YzBrfH4mqWOD1GBI8Yjq2L1ac3Y/
+  bTdfHN8CmQr2iDJC0C6zY8YV93oZB3x0zC/LPbRYpF8f6OqX1lZj5vo2zJZy4fI/
+  kKcI5jHYc8VJq+KCuRZrvn+3V+KuL9tF9v8ZgjF2PZbU+LsCy5Yqg1M8f5Jp5f6V
+  u4QuUoobAgMBAAE=
+  -----END PUBLIC KEY-----
+  ```
+
+  </details>
+* <details><summary>`run` - Contextual Help</summary><br>
+
+  Unlike other dotenv libraries, dotenvx attempts to unblock you with contextual help.
+
+  For example, when missing a custom .env file:
+
+  ```sh
+  $ dotenvx run -f .env.missing -- echo $HELLO
+  [MISSING_ENV_FILE] missing .env.missing file (/Users/scottmotte/Code/dotenvx/playground/apr-16/.env.missing)
+  [MISSING_ENV_FILE] https://github.com/dotenvx/dotenvx/issues/484 and re-run [dotenvx run -- echo]
+  ```
+
+  or when missing a KEY:
+
+  ```sh
+  $ echo "HELLO=World" > .env
+  $ dotenvx get GOODBYE
+  [MISSING_KEY] missing GOODBYE key
+  ```
+
   </details>
 * <details><summary>`run` - multiple `-f` flags</summary><br>
 
@@ -2289,7 +2342,7 @@ Use dotenvx directly in code.
 
 ### Pro 🏆
 
-*Secrets Management – Done Right. Cloak your private keys and treat secrets like code.*
+*Secrets Management – Done Right. Encrypted, Cloaked, Secrets as Code.*
 
 * <details><summary>`pro keypair`</summary><br>
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.39.1",
+  "version": "1.40.1",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/actions/ext/scan.js

@@ -1,6 +1,7 @@
 const childProcess = require('child_process')
 
 const { logger } = require('./../../../shared/logger')
+const chomp = require('./../../../lib/helpers/chomp')
 
 function scan () {
   const options = this.opts()
@@ -17,11 +18,14 @@ function scan () {
     return
   }
 
+  let output = ''
   try {
-    const output = childProcess.execSync('gitleaks detect -v 2>&1', { stdio: 'pipe' }).toString() // gitleaks sends output as stderr for strange reason
-    logger.blank(output)
+    output = childProcess.execSync('gitleaks detect --no-banner --verbose 2>&1').toString() // gitleaks sends exit code 1 but puts data on stdout for failures, so we catch later and resurface the stdout
+    logger.blank(chomp(output))
   } catch (error) {
-    console.error(error.message)
+    if (error.stdout) {
+      console.error(chomp(error.stdout.toString()))
+    }
 
     process.exit(1)
   }

package/src/lib/helpers/dotenvParse.js

@@ -1,7 +1,7 @@
 // historical dotenv.parse - https://github.com/motdotla/dotenv)
 const LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg
 
-function dotenvParse (src, skipExpandForDoubleQuotes = false, skipConvertingWindowsNewlines = false) {
+function dotenvParse (src, skipExpandForDoubleQuotes = false, skipConvertingWindowsNewlines = false, collectAllValues = false) {
   const obj = {}
 
   // Convert buffer to string
@@ -35,8 +35,18 @@ function dotenvParse (src, skipExpandForDoubleQuotes = false, skipConvertingWind
       value = value.replace(/\\t/g, '\t') // tabs
     }
 
-    // Add to object
-    obj[key] = value
+    if (collectAllValues) {
+      // handle scenario where user mistakenly includes plaintext duplicate in .env:
+      //
+      // # .env
+      // HELLO="World"
+      // HELLO="enrypted:1234"
+      obj[key] = obj[key] || []
+      obj[key].push(value)
+    } else {
+      // Add to object
+      obj[key] = value
+    }
   }
 
   return obj

package/src/lib/helpers/isFullyEncrypted.js

@@ -3,12 +3,21 @@ const isEncrypted = require('./isEncrypted')
 const isPublicKey = require('./isPublicKey')
 
 function isFullyEncrypted (src) {
-  const parsed = dotenvParse(src)
+  const parsed = dotenvParse(src, false, false, true) // collect all values
 
-  for (const [key, value] of Object.entries(parsed)) {
-    const result = isEncrypted(value) || isPublicKey(key, value)
-    if (!result) {
-      return false
+  for (const [key, values] of Object.entries(parsed)) {
+    // handle scenario where user mistakenly includes plaintext duplicate in .env:
+    //
+    // # .env
+    // HELLO="World"
+    // HELLO="enrypted:1234"
+    //
+    // key => [value1, ...]
+    for (const value of values) {
+      const result = isEncrypted(value) || isPublicKey(key, value)
+      if (!result) {
+        return false
+      }
     }
   }
 

package/src/lib/services/precommit.js

@@ -93,11 +93,24 @@ class Precommit {
     }
   }
 
+  _isInGitRepo () {
+    try {
+      childProcess.execSync('git rev-parse --is-inside-work-tree', { stdio: 'ignore' })
+      return true
+    } catch {
+      return false
+    }
+  }
+
   _isFileToBeCommitted (filePath) {
     try {
+      if (!this._isInGitRepo()) {
+        // consider file to be committed if there is an error (not a git repo)
+        return true
+      }
+
       const output = childProcess.execSync('git diff HEAD --name-only').toString()
       const files = output.split('\n')
-
       return files.includes(filePath)
     } catch (error) {
       // consider file to be committed if there is an error (not using git)