Skip to content

June 2026 Recap

← Back to blog
June 2026 Recap

June 2026 Recap

June was packed: varlock@1.5.0 through varlock@1.9.0 landed encrypted deployment controls, a full caching system, and smarter schema imports; secret provider plugins adopted @internal credentials by default; and community contributor @idorozin shipped a new Kubernetes plugin.

🔧 Core Improvements

June releases were focused on deployment security, caching, schema ergonomics, and container-friendly varlock run behavior.

Encrypted deployments

Caching, durations, and random generators

  • Built-in caching system - cache() resolver, plugin cache API, encrypted on-disk store, and varlock cache CLI (status / clear). See the caching guide and varlock cache.
  • duration data type - Shared TTL parser for cache() and plugin cacheTtl options. See the duration data type.
  • Random value generators - randomNum(), randomUuid(), randomHex(), and randomString() backed by node:crypto. See random value generators.
  • CI disk caching - Set _VARLOCK_CACHE_KEY to share an encrypted disk cache across CI processes without persisting the key to disk.

Schema and import ergonomics

  • pick / omit filters - @setValuesBulk() and @import() now support allowlist/denylist key filters with glob support.
  • Object and array literals - Standalone {key=value} and [a, b, c] literals in the env-spec grammar, including multi-line forms with # comments. VS Code extension syntax highlighting updated alongside parser releases.
  • Per-item leak-detection opt-out - @sensitive={preventLeaks=false} for secrets that legitimately leave the system. See @sensitive.
  • @internal decorator - Mark items used only by varlock (for example secret-zero tokens) so they resolve but are not injected into your app. See @internal.

macOS Keychain CLI

  • varlock keychain commands - Import plaintext secrets from .env files into macOS Keychain, set items interactively, list entries, and fix access controls. See the macOS Keychain plugin docs.

varlock run, audit, and agent workflows

  • Smarter stdout redaction - Interactive TTY tools like psql and claude keep raw terminal behavior; piped/redirected output is still redacted. (PR #770)
  • Container-friendly signal forwarding - varlock run forwards SIGTERM/SIGINT/SIGHUP/SIGQUIT to child processes and propagates exit status faithfully — safe as a container ENTRYPOINT / PID 1.
  • Monorepo-aware scanning - varlock audit and varlock init no longer descend into child packages, and skip pure execution-environment plumbing like PATH and npm_*. See varlock audit.
  • Bundled agent skill - Version-pinned varlock guidance ships inside the npm package for agent discovery. See the AI tools guide.
  • Typegen hygiene - Plain .env-only keys no longer leak into generated types; varlock typegen reports ignored keys.

Fixes and reliability

  • Nested override provenance - varlock run-injected values are no longer treated as true overrides by inner loads. (PR #756)
  • Circular @import() detection - Clear errors instead of crashes when schemas import each other. (PR #809)
  • Biometric session stability - Fixed session fragmentation under turborepo and duplicate daemon races. (PR #754)
  • Encryption via stdin - Plaintext no longer passed on argv to the native encryption binary. (PR #577)

🔌 Integrations and Plugins

New plugin

Secret provider updates

June shipped coordinated 2.0.0 releases across password manager and secrets plugins — breaking: service-account and auth-token data types are now @internal by default so secret-zero credentials stay out of your application env. Override with @internal=false if your app uses the credential directly.

Affected packages include @varlock/1password-plugin, @varlock/bitwarden-plugin, @varlock/dashlane-plugin, @varlock/doppler-plugin, @varlock/hashicorp-vault-plugin, @varlock/infisical-plugin, @varlock/keepass-plugin, @varlock/keeper-plugin, @varlock/passbolt-plugin, @varlock/proton-pass-plugin, @varlock/akeyless-plugin, and @varlock/kubernetes-plugin.

Cloud secret manager plugins also gained opt-in cacheTtl disk caching in their 1.2.x releases — including @varlock/aws-secrets-plugin, @varlock/azure-key-vault-plugin, @varlock/google-secret-manager-plugin, @varlock/hashicorp-vault-plugin, @varlock/infisical-plugin, @varlock/akeyless-plugin, and others — see each plugin’s docs and the caching guide.

Other plugin highlights:

Integrations

🐣 Varlock SideQuest: fledgling

SideQuest is our label for sibling projects that extend the Varlock universe without living inside the core repo.

fledgling is the latest: a CLI to create npm packages and configure OIDC trusted publishing in one shot — claim package names, wire GitHub/GitLab/CircleCI as trusted publishers, and keep monorepo settings in sync. Run npx fledgling to get started. We already use it in the Varlock monorepo via fledgling sync.

🌐 Content Highlights

💬 Community

We’re always looking for feedback and ideas. Join our community:

  • Discord - Chat with us and other users.
  • GitHub Discussions - Suggestions, questions, and feature ideas.
  • GitHub - Star the project and follow updates.
  • X - Follow us on X.
  • Bluesky - Follow us on Bluesky.
← Back to blog