chore(deps): bump dotenv from 17.3.1 to 17.4.0

[dependabot]

Bumps dotenv from 17.3.1 to 17.4.0.

Changelog

Sourced from dotenv's changelog.

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

Commits

• a2e31d6 17.4.0
• 4f041ee changelog 🪵
• bab8b98 README
• 516d47e update
• ce9b98f adjust quickstart
• d3a9065 update links
• 9a3f955 add banner
• d35b6a9 clean up
• a115e3a remove version
• 185e641 hide as2 for now - very early beta
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3dcf317.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
npm/dotenv	17.4.0	🟢 4.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 4/18 approved changesets -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json

[github-actions]

📸 Automated UI Screenshots

📋 Screenshots Captured (8)

#	Screenshot
1	01-splash-screen.png - 01 splash screen.png
2	02-intro-screen-menu.png - 02 intro screen menu.png
3	03-intro-screen-archetype-selector.png - 03 intro screen archetype selector.png
4	04-controls-screen.png - 04 controls screen.png
5	05-philosophy-screen.png - 05 philosophy screen.png
6	06-training-screen.png - 06 training screen.png
7	07-combat-screen-practice.png - 07 combat screen practice.png
8	08-combat-screen-versus.png - 08 combat screen versus.png

📦 Download Screenshots

📥 Download all screenshots from workflow artifacts

Screenshots are preserved as workflow artifacts for 30 days.

---

🤖 Generated by Playwright automation