[repo-monitor] Medium: Unmaintained dotenv crate (v0.15, last updated 2019)

[Liohtml]

Summary

The project depends on the dotenv crate at v0.15.0, which has been unmaintained since 2019. The actively maintained fork is dotenvy.

Location

• File: Cargo.toml
• Line(s): 15

Severity

Medium

Details

The dotenv crate (last published 2019) is officially unmaintained. It has known parsing limitations (no multi-line values, no \n escape in quoted values) and has had no security patches in 6 years. Using an unmaintained crate that handles credential loading is against security best practices.

Suggested Fix

Replace in Cargo.toml:

# Before:
dotenv = "0.15"
# After:
dotenvy = "0.15"

Update the import:

// Before: dotenv::dotenv().ok();
// After:  dotenvy::dotenv().ok();

---

Automated finding by repo-monitor

[Liohtml]

Analysis

Confirmed. Cargo.toml:15: dotenv = "0.15". This crate hasn't been updated since 2019 and is officially unmaintained. The actively maintained fork is dotenvy.

Honest risk assessment: This is low severity in practice. dotenv 0.15 loads .env files — a simple parsing task — and there are no known CVEs. The MSRV compatibility is fine. The main risks are:

1. No security patches if a vulnerability is discovered
2. Known parsing limitations (no multi-line values, no \n escape in quoted values) that dotenvy fixes
3. Dependency audits (cargo audit) will flag this if a vulnerability is ever published

Migration is trivial:

# Cargo.toml
[dependencies]
# Before:
dotenv = "0.15"
# After:
dotenvy = "0.15"

// src/core/auth.rs:24
// Before: dotenv::dotenv().ok();
// After:  dotenvy::dotenv().ok();

The API is API-compatible. This is a 2-minute change with zero risk.

One consideration: This library is a dependency of the public crate. If downstream users run cargo audit on their projects, they'll get a transitive warning about dotenv if Rust Security Advisory Database ever adds one. Better to fix it proactively.

Effort: 5 min.