fix(deps): vuln python-dotenv (major → 1.2.2)

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• . (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
python-dotenv	0.13.0	1.2.2	major	Direct	1 MODERATE

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

ℹ️ Other Vulnerabilities (1)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
python-dotenv	GHSA-mf9w-mj56-hr94	MODERATE	python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback	0.13.0	1.2.2

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
python-dotenv	0.13.0	-	1.2.2	requirements.in

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

python-dotenv (0.13.0 → 1.2.2) — GitHub Release

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @bbc2 in Make dotenv run forward flags to given command theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @bbc2 in https://github.com/theskumar/python-dotenv/issues/790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @JYOuyang in fix: Add missing 3.14 PyPI classifier. theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some
  situations. This is no longer the case. For that behavior to be restored in
  all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This
  is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset
  used to reset the file mode of the modified .env file to 0o600 in some
  situations. This is no longer the case: The original mode of the file is now
  preserved. Is the file needed to be created or wasn't a regular file, mode
  0o600 is used.

Misc

• skip 000 permission tests for root user by @burnout-projects in skip 000 permission tests for root user theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @dependabot[bot] in Bump actions/checkout from 5 to 6 in the github-actions group theskumar/python-dotenv#593
• Add Windows testing to CI by @bbc2 in Add Windows testing to CI theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @theskumar in ci: improve workflow efficiency with best practices theskumar/python-dotenv#609
• Remove the use of `

(truncated)

v1.2.1

What's Changed

• Support reading .env from FIFOs (Unix) by @sidharth-sudhir in Support reading .env from FIFOs (Unix) theskumar/python-dotenv#586
• Update CI to use trusted publishing on PyPI

New Contributors

• @sidharth-sudhir made their first contribution in Support reading .env from FIFOs (Unix) theskumar/python-dotenv#586

Full Changelog: theskumar/python-dotenv@v1.2.0...v1.2.1

v1.2.0

What's Changed

• style: upgrade to use ruff by @theskumar in style: upgrade to use ruff theskumar/python-dotenv#567
• Use sys.exit() instead of exit() by @theskumar in Use sys.exit() instead of exit() theskumar/python-dotenv#568
• feat: add PYTHON_DOTENV_DISABLED flag to disable load_dotenv (fixes How to disable python-dotenv theskumar/python-dotenv#510) by @matthewfranglen in feat: add PYTHON_DOTENV_DISABLED flag to disable load_dotenv (fixes #510) theskumar/python-dotenv#569
• Added Python@3.14: Github CI & tox.ini by @23f3001135 in Added Python@3.14: Github CI & tox.ini theskumar/python-dotenv#579
• ocs: clarify what load_dotenv() does in README by @cybercoded in ocs: clarify what load_dotenv() does in README theskumar/python-dotenv#575
• Bump the github-actions group across 1 directory with 2 updates by @dependabot[bot] in Bump the github-actions group across 1 directory with 2 updates theskumar/python-dotenv#577
• Move project metadata and config to pyproject.toml by @EpicWink in Move project metadata and config to pyproject.toml theskumar/python-dotenv#583

New Contributors

• @matthewfranglen made their first contribution in feat: add PYTHON_DOTENV_DISABLED flag to disable load_dotenv (fixes #510) theskumar/python-dotenv#569
• @23f3001135 made their first contribution in Added Python@3.14: Github CI & tox.ini theskumar/python-dotenv#579
• @cybercoded made their first contribution in ocs: clarify what load_dotenv() does in README theskumar/python-dotenv#575
• @EpicWink made their first contribution in Move project metadata and config to pyproject.toml theskumar/python-dotenv#583

Full Changelog: theskumar/python-dotenv@v1.1.1...v1.2.0

v1.1.1

What's Changed

• fix: ensure find_dotenv work reliably on python 3.13 by @theskumar in fix: ensure find_dotenv work reliably on python 3.13 theskumar/python-dotenv#563
• fix(cli): issue with execvpe on Windows by @wrongontheinternet in fix(cli): issue with execvpe on Windows theskumar/python-dotenv#566

New Contributors

• @wrongontheinternet made their first contribution in fix(cli): issue with execvpe on Windows theskumar/python-dotenv#566

Full Changelog: theskumar/python-dotenv@v1.1.0...v1.1.1

v1.1.0

What's Changed

• Add a security policy by @bbc2 in Add a security policy theskumar/python-dotenv#512
• Keep GitHub Actions up to date with GitHub's Dependabot by @cclauss in Keep GitHub Actions up to date with GitHub's Dependabot theskumar/python-dotenv#506
• ci: fix multiline string in test.yml & use fail-fast strategy by @cclauss in ci: fix multiline string in test.yml & use fail-fast strategy theskumar/python-dotenv#514
• Enhance dotenv run: Switch to execvpe for better resource management and signal handling by @eekstunt in Enhance dotenv run: Switch to execvpe for better resource management and signal handling theskumar/python-dotenv#523
• ci: add py3.13 to test.yml by @waketzheng in ci: add py3.13 to test.yml theskumar/python-dotenv#527
• Add Python 3.13 trove classifier by @edgarrmondragon in Add Python 3.13 trove classifier theskumar/python-dotenv#535
• Bump the github-actions group with 2 updates by @dependabot in Bump the github-actions group with 2 updates theskumar/python-dotenv#529
• Add support for python 3.13 and drop 3.8 by @theskumar in Add support for python 3.13 and drop 3.8 theskumar/python-dotenv#551
• docs: Update README.md by @chapeupreto in docs: Update README.md theskumar/python-dotenv#516
• Some more s/Python-dotenv/python-dotenv/ by @theskumar in Some more s/Python-dotenv/python-dotenv/ theskumar/python-dotenv#552
• add _is_debugger so load_dotenv will work in pdb by @randomseed42 in add _is_debugger so load_dotenv will work in pdb theskumar/python-dotenv#553

New Contributors

• @eekstunt made their first contribution in Enhance dotenv run: Switch to execvpe for better resource management and signal handling theskumar/python-dotenv#523
• @waketzheng made their first contribution in ci: add py3.13 to test.yml theskumar/python-dotenv#527
• @edgarrmondragon made their first contribution in Add Python 3.13 trove classifier theskumar/python-dotenv#535
• @dependabot made their first contribution in Bump the github-actions group with 2 updates theskumar/python-dotenv#529
• @chapeupreto made their first contribution in docs: Update README.md theskumar/python-dotenv#516
• @randomseed42 made their first contribution in add _is_debugger so load_dotenv will work in pdb theskumar/python-dotenv#553

Full Changelog: https://github.com/theskumar/python-dotenv/comp

(truncated)

v1.0.1

What's Changed

• FIx year in release date in changelog.md by @jankislinger in FIx year in release date in changelog.md theskumar/python-dotenv#453
• Gracefully handle code which has been imported from a zipfile by @samwyma in Gracefully handle code which has been imported from a zipfile theskumar/python-dotenv#456
• Use pathlib.Path in tests by @eumiro in Use pathlib.Path in tests theskumar/python-dotenv#466
• fixes The 12-factor principles link is broken theskumar/python-dotenv#473 Use https in README links by @Nicals in fixes #473 Use https in README links theskumar/python-dotenv#474
• Allow modules using load_dotenv to be reloaded when launched in a separate thread by @freddyaboulton in Allow modules using load_dotenv to be reloaded when launched in a separate thread theskumar/python-dotenv#497
• Fix error handling in the rewrite function by @Qwerty-133 in Fix error handling in the rewrite function theskumar/python-dotenv#468
• Add python 3.12 and pypy3.10 to test suite by @theskumar in Release prep for 1.0.1 theskumar/python-dotenv#498

New Contributors

• @jankislinger made their first contribution in FIx year in release date in changelog.md theskumar/python-dotenv#453
• @samwyma made their first contribution in Gracefully handle code which has been imported from a zipfile theskumar/python-dotenv#456
• @eumiro made their first contribution in Use pathlib.Path in tests theskumar/python-dotenv#466
• @Nicals made their first contribution in fixes #473 Use https in README links theskumar/python-dotenv#474
• @freddyaboulton made their first contribution in Allow modules using load_dotenv to be reloaded when launched in a separate thread theskumar/python-dotenv#497

(truncated — see source for full notes)

---

Generated by ADMS Sources: 1 GitHub Release.

[cclauss]

Downgrade? https://pypi.org/project/gevent

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.