Skip to content
varlock

April 2026 Recap

← Back to blog
April 2026 Recap

April 2026 Recap

Varlock Team

April was a big month for Varlock: local encryption landed, integrations and plugins saw meaningful updates, and we shipped our first Varlock SideQuestbumpy.

🔧 Core Improvements

April’s biggest core drop was varlock@1.0.0, with stronger config behavior guarantees and broader stability work across the stack.

🫆 Local encryption

  • Built-in local encryption utilities - Added a built-in varlock() resolver for local device-bound encryption on MacOS, Windows (Native and WSL), and Linux.
  • New CLI encryption workflow - Added varlock encrypt (with stdin support), varlock reveal, and varlock lock commands.
  • Built-in Keychain support (macOS) - Added keychain() resolver support for macOS workflows.

🐸 Varlock SideQuest: bumpy

SideQuest is our label for sibling projects that extend the Varlock universe without living inside the core repo.

bumpy is the first: modern monorepo-friendly version management and changelog tooling built as a successor to the changesets workflow (bump files, consolidated releases, changelog generation), with a different engine tuned for workspace protocols, dependency propagation, and CI without an extra app or action.

We’re already using bumpy to manage the Varlock monorepo and we’re excited to see it grow into a community-driven tool.

🔌 Integrations and Plugins

April shipped substantive updates across integrations and tooling:

  • @varlock/astro-integration - Added post-build leak detection for static HTML output and expanded framework test coverage across Astro v5/v6.
  • @varlock/vite-integration - Improved invalid-config behavior: better partial JSON output from varlock load --format json-full, safer dev-mode handling, and clearer build-time error details.
  • @varlock/nextjs-integration - Fixed duplicate-import/diamond-dependency behavior to prevent duplicate plugin initialization and preserve import precedence.
  • @varlock/cloudflare-integration - Introduced SvelteKit + Cloudflare Workers support via varlockSvelteKitCloudflarePlugin, plus guardrails against conflicting plugin registration.
  • @varlock/1password-plugin - Added self-hosted 1Password Connect support (connectHost/connectToken) and improved Connect-specific resolver/error handling.
  • env-spec-language and @env-spec/parser - Improved regex/path parsing behavior and diagnostics around decorators and completions.

Many other integrations/plugins also received April stability releases alongside these feature-focused updates.

Fixes and Reliability

  • Decorator precedence - Explicit per-item decorators now correctly take priority over @defaultSensitive/@defaultRequired from other files. (PR #666)
  • varlock run and sensitive graphs - Added --no-inject-graph to avoid putting the serialized config graph (__VARLOCK_ENV) in the child process environment when you need stricter secrecy (interactive shells, long-lived workers, agents). (PR #615)
  • Leak scanning - Leak detection now covers binary bodies (Uint8Array / ArrayBuffer), which matters for runtimes like Cloudflare Workers where secrets sometimes move as bytes. (PR #622)
  • Language + tooling edge cases - Fixed path-vs-regex ambiguity (POSIX paths mistaken for /pattern/ regex), tightened noTrailingSlash validation for URLs, and improved generated TypeScript when descriptions contain awkward */ sequences. (PR #620, PR #610, PR #627)
  • Windows hardening - Fixed varlock run spawning for .cmd/.bat, Pathext-aware resolution (pnpm/tsx-style shims), and pnpm binary detection (varlock.cmd). (PR #618, PR #590)
  • Built-in typings and DX - VARLOCK_IS_CI is now a real boolean; declare module 'varlock/env' no longer collides across multiple packages’ generated env.d.ts. (PR #583, PR #594)
  • varlock init - No longer crashes on Linux when git isn’t installed; terminal colors behave better under redaction via FORCE_COLOR when stdout is piped behind Varlock. (PR #581, PR #575)

Earlier in April, CLI and tooling work also landed partial json-full loads on validation failure, multiple --path flags, multi-entry package.json loadPath, varlock explain plus clearer override indicators in varlock load, third‑party plugins with trust rules keyed to JS installs vs standalone binary, standalone-vs-node_modules version mismatch warnings, plus Vitest projects / monorepo root resolution, .git + lockfile root detection, binary resolution when cwd ≠ package root, and diamond dependency / duplicate schema imports.

🌐 Content Highlights

A few highlights from around the ecosystem this month:

  • Operation Varlock demo project - a game/security-focused community project exploring prompt-injection simulation with Varlock concepts: operation-varlock.
  • Q1 momentum recognition - DMNO/Varlock was highlighted in OSSCAR’s Q1 2026 scaling rankings as one of the fastest growing open source orgs on GitHub: OSSCAR - DMNO.

💬 Community

April discussions helped surface practical DX improvements and edge cases:

We’re always looking for feedback and ideas. Join our community:

  • Discord - Chat with us and other users.
  • GitHub Discussions - Suggestions, questions, and feature ideas.
  • GitHub - Star the project and follow updates.
  • X - Follow us on X.
  • Bluesky - Follow us on Bluesky.
← Back to blog
Come chat with us

© 2026 DMNO Inc. All rights reserved.