
refactor(dotenv): mirror motdotla/dotenv parser rewrite#501

Merged
v1rtl merged 3 commits into master from rewrite-dotenv on May 16, 2026

Conversation

@v1rtl (Member) commented May 16, 2026

Summary

Mirror the parser rewrite that upstream motdotla/dotenv shipped in v16, in a compact form. Replaces the old line-by-line ^\s*([\w.-]+)\s*=\s*(.*)?\s*$ regex — flagged by CodeQL as a polynomial-time / ReDoS-prone pattern — with the upstream single multiline LINE regex.

Changes

packages/dotenv/src/index.ts

  • New LINE regex handles export prefix, KEY= and KEY: separators, quoted (', ", `) and unquoted values, and trailing inline # comments — all in one pass with no catastrophic backtracking.
  • Normalize \r\n? to \n once, then loop with LINE.exec().
  • Strip surrounding matching quotes via a single replace; expand \n and \r escapes only inside double quotes (parity with upstream).
  • Added __proto__ / constructor / prototype guard so a malicious .env cannot pollute the prototype chain (small extra hardening on top of upstream).
  • config() gained override and processEnv options, matching upstream's API surface.

packages/dotenv/src/types.ts

  • Added override and processEnv to DotenvConfigOptions.
  • Marked DotenvParseOptions.debug deprecated — the new parser has no concept of an "unmatched line" so per-line debug warnings are gone.

tests/modules/dotenv.test.ts

  • Replaced the obsolete debug test with coverage for the rewrite: ignored non-pair lines, inline comments, export prefix, backtick quotes, __proto__ pollution safety, override, and custom processEnv.

Verification

  • `pnpm vitest run tests/modules/dotenv.test.ts` — 25/25 passing
  • Full suite via pre-commit hook — 805 passed, 3 skipped
  • `pnpm --filter @tinyhttp/dotenv build` — clean

Notes

Existing behavior is preserved for every case covered by the previous test suite. The `debug` option on `parse()` is now a no-op but kept for backwards compatibility.

v1rtl added 3 commits May 17, 2026 02:11
Replace the polynomial-time line-by-line regex with the upstream
single multiline LINE regex used since dotenv v16. Eliminates the
ReDoS-style code scanning alert and brings parity for export prefix,
backtick quotes, inline comments, and \r escape expansion.

Also adds override and processEnv config options, and a
__proto__/constructor/prototype guard in parse().
Brings branch coverage on packages/dotenv/src/index.ts back to 100%.
@v1rtl v1rtl merged commit 4738547 into master May 16, 2026
12 of 13 checks passed
@v1rtl v1rtl deleted the rewrite-dotenv branch May 16, 2026 23:18
