chore(deps-dev): bump @dotenvx/dotenvx from 0.37.1 to 0.39.0 #417

Closed

dependabot bot commented on behalf of github May 14, 2024

Bumps @dotenvx/dotenvx from 0.37.1 to 0.39.0.

Release notes

Sourced from @dotenvx/dotenvx's releases.

v0.39.0

see CHANGELOG

v0.38.0

see CHANGELOG

Changelog

Sourced from @dotenvx/dotenvx's changelog.

0.39.0

Added

  • Add --convention flag to get

Removed

  • Removed help messages like 'in production' and 'in ci'. Too specific and could lead to confusion.

0.38.0

Changed

  • ⚠️ DEPRECATION NOTICE: the following commands are being moved. Please, update any code and muscle memory you have related to these:
    • dotenvx encrypt => dotenvx vault encrypt
    • dotenvx decrypt => dotenvx vault decrypt
    • dotenvx status => dotenvx vault status
  • ⚠️ DEPRECATION NOTICE: the beta hub commands are being completely deprecated (they will be fully removed in upcoming 1.0.0 release). We will provide .env.keys tooling at a later time (replacing hub) but in the context of the new --encrypt flag functionality below

Added

  • Add encryption to your .env files with a single command. Pass the --encrypt flag. 🎉
    $ dotenvx set HELLO World --encrypt
    set HELLO with encryption (.env)

A DOTENV_PUBLIC_KEY (encryption key) and a DOTENV_PRIVATE_KEY (decryption key) are generated using the same public-key cryptography as Bitcoin.

Further notes:

  • DOTENV_PUBLIC_KEY lives in the .env file. You can safely share this with whomever you wish.
  • DOTENV_PRIVATE_KEY lives in your .env.keys file. Share this only with those you trust to decrypt your secrets.
  • If using encrypted .env files like this it is safe to commit them to source code. This makes reviewing PRs that contain secrets much easier.
  • Tell your contributors to contribute a secret using the command dotenvx set HELLO world --encrypt.
  • Set your DOTENV_PRIVATE_KEY on your server to decrypt these values using dotenvx run -- yourcommand
  • You can repeat all this per environment by modifying your set command to dotenvx set HELLO production -f .env.production --encrypt (for example)
  • In time we will add better tooling for sharing the private keys living in .env.keys, but until then safely share with team members you trust.
  • This mechanism should be particularly useful for open source projects that want to permit secrets contributions without handing out the decryption keys. Now anyone can contribute a secret and only you can decrypt it to see what was changed.
  • This solution is brand new, but I intend it to be the future for .env files. It has many benefits over .env.vault files. We will be sunsetting the .env.vault mechanism but its tooling will stay around in dotenvx for at least 1 year to come - under dotenvx vault parent command.
  • Be patient as we update our documentation to prioritize this improved encryption format for .env files.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@dotenvx/dotenvx](https://github.com/dotenvx/dotenvx) from 0.37.1 to 0.39.0.
- [Release notes](https://github.com/dotenvx/dotenvx/releases)
- [Changelog](https://github.com/dotenvx/dotenvx/blob/main/CHANGELOG.md)
- [Commits](dotenvx/dotenvx@v0.37.1...v0.39.0)

---
updated-dependencies:
- dependency-name: "@dotenvx/dotenvx"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
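
The changelog above places DOTENV_PUBLIC_KEY in the committed .env file and DOTENV_PRIVATE_KEY in .env.keys, so a reviewer adopting the `--encrypt` workflow will want a check that the private key never reaches the repository. The following is an added example, not code from dotenvx or from this repository; the per-environment suffix form (`DOTENV_PRIVATE_KEY_PRODUCTION`), the function name and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: flag dotenvx private-key material in files about to be committed.
// All sample contents are constructed; key values are placeholders, not real keys.

// Assumption: per-environment keys carry a suffix, e.g. DOTENV_PRIVATE_KEY_PRODUCTION.
const PRIVATE_KEY_LINE =
  /^\s*(?:export\s+)?(DOTENV_PRIVATE_KEY(?:_[A-Z0-9_]+)?)\s*=\s*(.*)$/;

// files: { [relativePath]: fileContents }. Returns an array of findings.
function findPrivateKeyLeaks(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const base = file.split(/[\\/]/).pop();
    if (base === '.env.keys') {
      // The keys file itself holds the decryption key and should stay untracked.
      findings.push({ file, line: 0, reason: '.env.keys must not be committed' });
      continue;
    }
    text.split(/\r?\n/).forEach((raw, i) => {
      const m = PRIVATE_KEY_LINE.exec(raw);
      if (!m) return;
      // Drop a trailing comment and surrounding quotes; an empty placeholder is not a leak.
      const value = m[2].replace(/\s+#.*$/, '').replace(/^["']|["']$/g, '').trim();
      if (value) {
        findings.push({ file, line: i + 1, reason: `${m[1]} assigned in tracked file` });
      }
    });
  }
  return findings;
}

// Constructed sample of a commit's contents.
const sampleCommit = {
  '.env': 'DOTENV_PUBLIC_KEY="PLACEHOLDER_PUBLIC_KEY"\nHELLO="PLACEHOLDER_CIPHERTEXT"\n',
  '.env.keys': 'DOTENV_PRIVATE_KEY="PLACEHOLDER_PRIVATE_KEY"\n',
  'deploy/env.sh': '#!/bin/sh\nexport DOTENV_PRIVATE_KEY_PRODUCTION=PLACEHOLDER_PRIVATE_KEY\n',
  '.env.example': 'DOTENV_PRIVATE_KEY=\n',
};

for (const f of findPrivateKeyLeaks(sampleCommit)) {
  console.log(`${f.file}:${f.line}: ${f.reason}`);
}
```

The encrypted .env and the empty placeholder in .env.example pass; the keys file and the deploy script that hard-codes the key are reported.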
dependabot bot added the dependencies and javascript labels May 14, 2024

dependabot bot commented on behalf of github May 20, 2024

Superseded by #421.

dependabot bot closed this May 20, 2024
dependabot bot deleted the dependabot/npm_and_yarn/dotenvx/dotenvx-0.39.0 branch May 20, 2024 20:35