POC Walkthrough — dotenv (npm)
Last updated: 2026-05-24
dotenv is the CleanLibrary POC's canonical walkthrough for a healthy config loader: a package that is low-risk in itself but sits on the secrets-handling path, since it reads .env files into process.env. It demonstrates a clean ALLOW across a major-version transition for a widely used utility package, which is useful for checking that CleanLibrary adds no friction to low-risk dependencies.
Versions covered
| Version | Decision | Severity | Confidence |
|---|---|---|---|
| 16.0.0 | ALLOW | None | 0.91 |
| 16.4.5 | ALLOW | None | 0.94 |
| 17.0.0 | ALLOW | None | 0.95 |
| 17.1.0 | ALLOW | None | 0.96 |
| 17.4.2 | ALLOW | None | 0.97 |
All ALLOW. Confidence rises modestly with version recency.
1. Query a verdict
$ curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/dotenv/17.4.2 | jq
{
"verdict_id": "01KDVDNA0000000000000020F0",
"verdict": "ALLOWED_NO_FINDINGS",
"source": "ALLOWED_NO_FINDINGS",
"confidence": 0.97,
"composite_score": 10,
"severity": "NONE",
"reasoning": "dotenv 17.4.2 — config loader; no findings; widely used",
...
}
2. Cross-major-version consistency check
for v in 16.0.0 16.4.5 17.0.0 17.1.0 17.4.2; do
echo -n "dotenv@$v: "
curl -sH "Authorization: Bearer your-poc-key" \
https://cleanapp.clnstrt.dev/v1/customer/verdicts/npm/dotenv/$v | jq -r .verdict
done
# All ALLOWED_NO_FINDINGS
The 16.x → 17.x major-version bump does not shift the verdict: CleanLibrary's signal tracks supply-chain risk, not version numbers.
3. SDK flow
from cleanlib_sdk import CleanlibClient
client = CleanlibClient(endpoint="https://cleanapp.clnstrt.dev", api_key="your-poc-key")
verdict = client.fetch_verdict("npm", "dotenv", "17.4.2")
# → ALLOWED_NO_FINDINGS, confidence 0.97
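Sections 2 and 3 check one package's pinned versions one at a time; the practitioner version of that check runs over every pin in a lockfile and fails the build on anything that is not a confident ALLOW. The following is an added example, not CleanLibrary's code or SDK: it parses an npm package-lock.json (lockfileVersion 2 or 3), looks each pin up in a constructed verdict table that mirrors the JSON fields shown in section 1, and fails closed on missing or non-ALLOW verdicts. The sample lockfile, the verdict table, the package names other than dotenv, the BLOCKED verdict value and the 0.90 confidence floor are all assumptions; in real use, replace lookup_verdict with the client.fetch_verdict call from section 3 (or the curl request from section 1).

```python
import json

# Constructed sample lockfile in the npm lockfileVersion 3 "packages" layout; not a
# real project. Only dotenv@17.4.2 is a version this walkthrough actually queries;
# the other two package names are made up to exercise the blocking paths.
SAMPLE_LOCKFILE = json.dumps({
    "name": "poc-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "poc-app", "dependencies": {"dotenv": "^17.0.0"}},
        "node_modules/dotenv": {"version": "17.4.2"},
        "node_modules/@example/scoped-pkg": {"version": "0.1.0"},
        "node_modules/dotenv/node_modules/example-unscanned": {"version": "1.0.0"},
    },
})

# Constructed verdict table standing in for GET /v1/customer/verdicts/npm/<name>/<version>.
# Field names mirror the curl output in section 1; the dotenv rows use the confidence
# values from the versions table. "BLOCKED" is an assumed non-allow value, not one
# this page shows, attached to a made-up package.
SAMPLE_VERDICTS = {
    ("npm", "dotenv", "17.4.2"): {"verdict": "ALLOWED_NO_FINDINGS", "severity": "NONE", "confidence": 0.97},
    ("npm", "dotenv", "16.0.0"): {"verdict": "ALLOWED_NO_FINDINGS", "severity": "NONE", "confidence": 0.91},
    ("npm", "@example/scoped-pkg", "0.1.0"): {"verdict": "BLOCKED", "severity": "HIGH", "confidence": 0.80},
}

# The only allow value this page shows; extend if your tenant returns others.
ALLOWED_VERDICTS = {"ALLOWED_NO_FINDINGS"}


def single_pin_lock(name, version):
    """Build a minimal v3 lockfile text pinning one package (test/demo helper)."""
    return json.dumps({"lockfileVersion": 3,
                       "packages": {"": {}, "node_modules/" + name: {"version": version}}})


def pinned_packages(lock_text):
    """Return (name, version) for every installed package in a v2/v3 package-lock.json."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("need lockfileVersion 2 or 3 (the 'packages' map)")
    pins = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link"):
            continue  # root project entry or workspace symlink, not a registry package
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        pins.append((name, entry["version"]))
    return pins


def lookup_verdict(ecosystem, name, version, table=SAMPLE_VERDICTS):
    """Stand-in for the API/SDK call; returns None when no verdict exists."""
    return table.get((ecosystem, name, version))


def gate(lock_text, min_confidence=0.90, table=SAMPLE_VERDICTS):
    """Return (name, version, reason) for every pin that would block the build.

    Fails closed: a pin with no verdict blocks, as does an ALLOW whose
    confidence is below the configured floor.
    """
    blocked = []
    for name, version in pinned_packages(lock_text):
        v = lookup_verdict("npm", name, version, table)
        if v is None:
            blocked.append((name, version, "NO_VERDICT"))
        elif v["verdict"] not in ALLOWED_VERDICTS:
            blocked.append((name, version, v["verdict"]))
        elif v["confidence"] < min_confidence:
            blocked.append((name, version, "LOW_CONFIDENCE:%s" % v["confidence"]))
    return blocked


if __name__ == "__main__":
    hits = gate(SAMPLE_LOCKFILE)
    for hit in hits:
        print("BLOCK %s@%s: %s" % hit)
    raise SystemExit(1 if hits else 0)
```

Failing closed on NO_VERDICT is deliberate: a package CleanLibrary has not scanned is an unknown, not an ALLOW. The confidence floor is a policy knob, and the versions table above shows why it needs care: 16.0.0 sits at 0.91, so a floor of 0.95 would block an older pin that is otherwise clean, which is exactly the "always upgrade" pressure section 5 says the product itself does not apply.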
4. VS Code flow
CleanLibrary: Fetch verdict for package → npm → dotenv → 17.4.2.
Expected: Green check, ALLOW, "config loader; no findings; widely used".
5. What this walkthrough validates
| Capability | Demonstrated by dotenv |
|---|---|
| Stable ALLOW across major version | 16.x and 17.x both ALLOW; no false major-version risk signal |
| Low-friction signal for widely-used utility | composite_score 10-18 (very low risk band); high confidence |
| Pinning-friendly | Specific versions queryable individually; no false "always upgrade" pressure |
6. What to look for during evaluation
- Does dotenv's clean ALLOW match your existing risk posture for this package?
- dotenv loads secrets from .env files into the process, so for your secrets-handling sensitivity, does the verdict surface (verdict, severity, confidence, reasoning) give you enough to act on?
- Does the cross-major-version stability give your team confidence that CleanLibrary's signal is not version noise?
Feedback channel: see API Key Onboarding §7.