chore(deps-dev): bump dotenv from 17.2.0 to 17.4.0 #779

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/dotenv-17.4.0

dependabot Bot commented on behalf of github Apr 10, 2026

Bumps dotenv from 17.2.0 to 17.4.0.

Changelog

Sourced from dotenv's changelog.

17.4.0 (2026-04-01)

Added

  • Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

  • Tighten up logs: ◇ injecting env (14) from .env (#1003)

17.3.1 (2026-02-12)

Changed

  • Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

  • Add a new README section on dotenv’s approach to the agentic future.

Changed

  • Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

  • Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)
  • Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

17.2.3 (2025-09-29)

Changed

  • Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

  • 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

  • Fix clickable tip links by removing parentheses (#897)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Disclaimer: Experimental PR review

Greptile Summary

This PR bumps the dev dependency dotenv from 17.2.0 to 17.4.0, updating both package.json and the pnpm-lock.yaml lockfile. The intermediate versions (17.2.1–17.3.1) contain only documentation, log formatting, and README changes; 17.4.0 adds AI agent skill files and tightens log output. No runtime behavior changes affect the project.

Confidence Score: 5/5

Safe to merge — purely a dev dependency bump with no runtime or API changes.

dotenv is a devDependency used only for loading env vars in tests/local development. The 17.2.0→17.4.0 changelog contains only docs updates, a TypeScript type fix, log formatting tweaks, and addition of agent skill files. No breaking changes, no security advisories, and Dependabot reports full compatibility.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Dev dependency specifier for dotenv bumped from ^17.2.0 to ^17.4.0; no other changes. |
| pnpm-lock.yaml | Lockfile updated to reflect dotenv 17.4.0 with new integrity hash; snapshot entry updated accordingly. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[dependabot detects dotenv 17.4.0] --> B[Update package.json specifier\n^17.2.0 → ^17.4.0]
    B --> C[Regenerate pnpm-lock.yaml\nNew integrity hash for 17.4.0]
    C --> D{Changes in 17.2.0 → 17.4.0}
    D --> E[17.2.1–17.2.4: README & TypeScript fixes]
    D --> F[17.3.0–17.3.1: README rewrite & docs]
    D --> G[17.4.0: skills/ folder added\nLog output tightened]
    E --> H[devDependency only — no prod impact]
    F --> H
    G --> H
```

Reviews (1): Last reviewed commit: "chore(deps-dev): bump dotenv from 17.2.0..."

dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 10, 2026

vercel Bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| langfuse-js | Ready | Preview | Apr 15, 2026 8:24am |

claude Bot left a comment

LGTM — routine Dependabot dev-dependency bump with no functional changes.

Extended reasoning...

Overview

This PR bumps dotenv from 17.2.0 to 17.4.0 in package.json and pnpm-lock.yaml. The dependency is listed under devDependencies, meaning it is only used during development/testing and is not shipped in the published SDK.

Security risks

No security risks. This is a minor version bump of a dev-only dependency. The changelog shows only additive changes (skills folder, log formatting, README updates, TypeScript type fix). No breaking changes, no security fixes, no production code paths affected.

Level of scrutiny

Minimal scrutiny warranted. This is a purely mechanical Dependabot update touching only the version specifier and lockfile hash. The dotenv package is used solely for loading environment variables in tests/integration scripts, not in any production code path.

Other factors

No bugs were found by the automated bug hunting system. No prior reviews exist on this PR. The diff is exactly 4 lines changed across two files (version string and integrity hash), following the standard Dependabot pattern seen in recent sibling PRs (e.g., #778).

Bumps [dotenv](https://github.com/motdotla/dotenv) from 17.2.0 to 17.4.0.
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.2.0...v17.4.0)

---
updated-dependencies:
- dependency-name: dotenv
  dependency-version: 17.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Apr 15, 2026

Superseded by #785.

dependabot Bot closed this Apr 15, 2026
dependabot Bot deleted the dependabot/npm_and_yarn/dotenv-17.4.0 branch April 15, 2026 08:31