June was packed: varlock@1.5.0 through varlock@1.9.0 landed encrypted deployment controls, a full caching system, and smarter schema imports; secret provider plugins adopted @internal credentials by default; and community contributor @idorozin shipped a new Kubernetes plugin.
🔧 Core Improvements
June releases were focused on deployment security, caching, schema ergonomics, and container-friendly varlock run behavior.
Encrypted deployments
@encryptInjectedEnvand@disableProcessEnvInjection- Root decorators for encrypting the injected env blob at build time and optionally keeping plaintext secrets out ofprocess.enventirely. See the encrypted deployments guide and@encryptInjectedEnv/@disableProcessEnvInjectionreference docs.
Caching, durations, and random generators
- Built-in caching system -
cache()resolver, plugin cache API, encrypted on-disk store, andvarlock cacheCLI (status/clear). See the caching guide andvarlock cache. durationdata type - Shared TTL parser forcache()and plugincacheTtloptions. See thedurationdata type.- Random value generators -
randomNum(),randomUuid(),randomHex(), andrandomString()backed bynode:crypto. See random value generators. - CI disk caching - Set
_VARLOCK_CACHE_KEYto share an encrypted disk cache across CI processes without persisting the key to disk.
Schema and import ergonomics
pick/omitfilters -@setValuesBulk()and@import()now support allowlist/denylist key filters with glob support.- Object and array literals - Standalone
{key=value}and[a, b, c]literals in the env-spec grammar, including multi-line forms with#comments. VS Code extension syntax highlighting updated alongside parser releases. - Per-item leak-detection opt-out -
@sensitive={preventLeaks=false}for secrets that legitimately leave the system. See@sensitive. @internaldecorator - Mark items used only by varlock (for example secret-zero tokens) so they resolve but are not injected into your app. See@internal.
macOS Keychain CLI
varlock keychaincommands - Import plaintext secrets from.envfiles into macOS Keychain, set items interactively, list entries, and fix access controls. See the macOS Keychain plugin docs.
varlock run, audit, and agent workflows
- Smarter stdout redaction - Interactive TTY tools like
psqlandclaudekeep raw terminal behavior; piped/redirected output is still redacted. (PR #770) - Container-friendly signal forwarding -
varlock runforwards SIGTERM/SIGINT/SIGHUP/SIGQUIT to child processes and propagates exit status faithfully — safe as a container ENTRYPOINT / PID 1. - Monorepo-aware scanning -
varlock auditandvarlock initno longer descend into child packages, and skip pure execution-environment plumbing likePATHandnpm_*. Seevarlock audit. - Bundled agent skill - Version-pinned varlock guidance ships inside the npm package for agent discovery. See the AI tools guide.
- Typegen hygiene - Plain
.env-only keys no longer leak into generated types;varlock typegenreports ignored keys.
Fixes and reliability
- Nested override provenance -
varlock run-injected values are no longer treated as true overrides by inner loads. (PR #756) - Circular
@import()detection - Clear errors instead of crashes when schemas import each other. (PR #809) - Biometric session stability - Fixed session fragmentation under turborepo and duplicate daemon races. (PR #754)
- Encryption via stdin - Plaintext no longer passed on argv to the native encryption binary. (PR #577)
🔌 Integrations and Plugins
New plugin
@varlock/kubernetes-plugin- Read Secrets and ConfigMaps from a cluster via kubeconfig, in-cluster service account, or explicit API credentials. Thanks @idorozin.
Secret provider updates
June shipped coordinated 2.0.0 releases across password manager and secrets plugins — breaking: service-account and auth-token data types are now @internal by default so secret-zero credentials stay out of your application env. Override with @internal=false if your app uses the credential directly.
Affected packages include @varlock/1password-plugin, @varlock/bitwarden-plugin, @varlock/dashlane-plugin, @varlock/doppler-plugin, @varlock/hashicorp-vault-plugin, @varlock/infisical-plugin, @varlock/keepass-plugin, @varlock/keeper-plugin, @varlock/passbolt-plugin, @varlock/proton-pass-plugin, @varlock/akeyless-plugin, and @varlock/kubernetes-plugin.
Cloud secret manager plugins also gained opt-in cacheTtl disk caching in their 1.2.x releases — including @varlock/aws-secrets-plugin, @varlock/azure-key-vault-plugin, @varlock/google-secret-manager-plugin, @varlock/hashicorp-vault-plugin, @varlock/infisical-plugin, @varlock/akeyless-plugin, and others — see each plugin’s docs and the caching guide.
Other plugin highlights:
@varlock/proton-pass-plugin- Personal access token login (PROTON_PASS_PERSONAL_ACCESS_TOKEN) for non-interactive CI and headless workflows.@varlock/infisical-plugin- Fixed OIDC auth for@infisical/sdkv5.
Integrations
@varlock/cloudflare-integration- Astro Cloudflare adapter support (including Astro v7), SvelteKit auto-detection invarlockVitePlugin(), and wrangler.envauto-loading disabled so varlock remains the source of truth.@varlock/astro-integration,@varlock/vite-integration,@varlock/nextjs-integration, and@varlock/expo-integration- Compatibility and env-reload updates alongside core releases.env-spec-languageand@env-spec/parser- Parser and editor tooling updates for object/array literals and multi-line decorator syntax.
🐣 Varlock SideQuest: fledgling
SideQuest is our label for sibling projects that extend the Varlock universe without living inside the core repo.
fledgling is the latest: a CLI to create npm packages and configure OIDC trusted publishing in one shot — claim package names, wire GitHub/GitLab/CircleCI as trusted publishers, and keep monorepo settings in sync. Run npx fledgling to get started. We already use it in the Varlock monorepo via fledgling sync.
🌐 Content Highlights
- New mise integration guide - Install varlock with mise and wire validated env into tasks without loading secrets into your shell session.
- Recommended approach for claude code “agents view”? - Community discussion on using varlock with Claude Code’s agent-oriented workflows.
- fledgling launch post - Announcing trusted publishing setup for npm packages.
💬 Community
We’re always looking for feedback and ideas. Join our community:
- Discord - Chat with us and other users.
- GitHub Discussions - Suggestions, questions, and feature ideas.
- GitHub - Star the project and follow updates.
- X - Follow us on X.
- Bluesky - Follow us on Bluesky.