[pull] master from ohmyzsh:master

.github/workflows/dependencies/updater.py

@@ -219,6 +219,7 @@ def update_or_notify(self):
             if status["has_updates"] is True:
                 short_sha = status["head_ref"][:8]
                 new_version = status["version"] if is_tag else short_sha
+                source_ref = new_version if is_tag else status["head_ref"]
 
                 try:
                     branch_name = f"update/{self.path}/{new_version}"
@@ -227,7 +228,7 @@ def update_or_notify(self):
                     branch = Git.checkout_or_create_branch(branch_name)
 
                     # Update dependency files
-                    self.__apply_upstream_changes()
+                    self.__apply_upstream_changes(source_ref)
 
                     if not Git.repo_is_clean():
                         # Update dependencies.yml file
@@ -297,7 +298,7 @@ def __update_yaml(self, new_version: str) -> None:
         dep_yaml = DependencyStore.update_dependency_version(self.path, new_version)
         DependencyStore.write_store(DEPS_YAML_FILE, dep_yaml)
 
-    def __apply_upstream_changes(self) -> None:
+    def __apply_upstream_changes(self, ref: str) -> None:
         # Patterns to ignore in copying files from upstream repo
         GLOBAL_IGNORE = [".git", ".github", ".gitignore"]
 
@@ -306,12 +307,11 @@ def __apply_upstream_changes(self) -> None:
         postcopy = self.values.get("postcopy")
 
         repo = self.values["repo"]
-        branch = self.values["branch"]
         remote_url = f"https://github.com/{repo}.git"
         repo_dir = os.path.join(TMP_DIR, repo)
 
         # Clone repository
-        Git.clone(remote_url, branch, repo_dir, reclone=True)
+        Git.clone(remote_url, ref, repo_dir, reclone=True)
 
         # Run precopy on tmp repo
         if precopy is not None:
@@ -392,13 +392,15 @@ def repo_is_clean() -> bool:
         Returns `False` if the repo is dirty.
         """
         try:
-            CommandRunner.run_or_fail(
-                ["git", "diff", "--exit-code"], stage="CheckRepoClean"
+            result = CommandRunner.run_or_fail(
+                ["git", "status", "--porcelain", "--untracked-files=normal"],
+                stage="CheckRepoClean",
             )
-            return True
         except CommandRunner.Exception:
             return False
 
+        return result.stdout.strip() == b""
+
     @staticmethod
     def add_and_commit(scope: str, version: str) -> bool:
         """

plugins/bedtools/README.md

@@ -1,5 +1,5 @@
 # Bedtools plugin
 
-This plugin adds support for the [bedtools suite](http://bedtools.readthedocs.org/en/latest/):
+This plugin adds support for the [bedtools suite](https://bedtools.readthedocs.io/en/latest/):
 
 * Adds autocomplete options for all bedtools sub commands.

plugins/celery/README.md

@@ -1,6 +1,6 @@
 # Celery
 
-This plugin provides completion for [Celery](http://www.celeryproject.org/).
+This plugin provides completion for [Celery](https://docs.celeryq.dev/en/stable/).
 
 To use it add celery to the plugins array in your zshrc file.
 

plugins/dotenv/.zunit.yml

@@ -0,0 +1,9 @@
+tap: false
+directories:
+  tests: tests
+  output: tests/_output
+  support: tests/_support
+time_limit: 0
+fail_fast: false
+allow_risky: false
+verbose: false

plugins/dotenv/README.md

@@ -34,6 +34,25 @@ PORT=3001
 
 You can even mix both formats, although it's probably a bad idea.
 
+Multi-line values are supported using quoted strings:
+
+```sh
+PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA...
+-----END RSA PRIVATE KEY-----"
+```
+
+Variables defined earlier in the file can be referenced by later entries:
+
+```sh
+BASE_URL=https://example.com
+API_URL=$BASE_URL/api
+ASSETS_URL=${BASE_URL}/assets
+```
+
+Note: only variables defined within the same `.env` file are expanded this way —
+shell environment variables that already exist are **not** substituted.
+
 ## Settings
 
 ### ZSH_DOTENV_FILE
@@ -86,13 +105,37 @@ mount `.env` files as named pipes to inject secrets on-the-fly without writing t
 
 No additional configuration is required — the plugin automatically detects and sources named pipes.
 
+## Tests
+
+The tests use [zunit](https://github.com/zunit-zsh/zunit). Install it per its [documentation](https://github.com/zunit-zsh/zunit#installation), then run:
+
+```sh
+cd plugins/dotenv && zunit
+```
+
+> [NOTE!]
+> zunit also requires installing [Revolver](https://github.com/molovo/revolver).
+
 ## Version Control
 
 **It's strongly recommended to add `.env` file to `.gitignore`**, because usually it contains sensitive information such as your credentials, secret keys, passwords etc. You don't want to commit this file, it's supposed to be local only.
 
-## Disclaimer
+## Security
+
+The plugin applies several best-effort safeguards when loading a `.env` file:
+
+- **Size limit** — files larger than 10 MiB are rejected to prevent DoS.
+- **Syntax check** — the file is validated with `zsh -fn` before any variables are set.
+- **No command substitution** — entries containing `$(...)` or backtick constructs are skipped.
+- **Forbidden variables** — the following variables are never overwritten, regardless of what the
+  `.env` file contains: `NODE_OPTIONS`, `BASH_ENV`, `ENV`, `ZDOTDIR`, `ZSH`, `LD_PRELOAD`,
+  `LD_LIBRARY_PATH`, `DYLD_INSERT_LIBRARIES`, `GIT_CONFIG_GLOBAL`, `GIT_DIR`, `GIT_EDITOR`,
+  `GIT_EXTERNAL_DIFF`, `GIT_EXEC_PATH`, `GIT_PAGER`, `GIT_SSH`, `GIT_SSH_COMMAND`,
+  `GIT_SSL_NO_VERIFY`, `GIT_TEMPLATE_DIR`, `VISUAL`, `PAGER`, `EDITOR`, and all zsh special
+  parameters.
 
-This plugin only sources the `.env` file. Nothing less, nothing more. It doesn't do any checks. It's designed to be the fastest and simplest option. You're responsible for the `.env` file content. You can put some code (or weird symbols) there, but do it on your own risk. `dotenv` is the basic tool, yet it does the job.
+These measures are **best-effort** — you are still responsible for the content of your `.env`
+file. Do not use this plugin as a security boundary.
 
 If you need more advanced and feature-rich ENV management, check out these awesome projects: