April 1, 2026

March 2026 Recap

Varlock Team

March was a huge month for Varlock! Thanks to everyone who discovered, tried out, and shared Varlock with the world. Special thanks for all of the new contributions and feedback from the community.

scott-tweet Be like Scott!

🔧 Core Improvements

March included a large set of core changes across features, reliability, and DX (including improvements in varlock@0.7.0).

Features

Single-file ESM and TypeScript plugins - Plugin authors can now write single-file plugins in .mjs and .ts (in addition to .js/.cjs). See the plugin guide.
Explicit plugin imports - Plugins now import plugin directly from varlock/plugin-lib, with better compatibility across regular installs and Bun-compiled binaries.
varlock typegen command - Added environment-independent type generation as a first-class command. See varlock typegen docs.
ifs() function and improved remap() - New Excel-style conditional function plus positional arg pairs for remap(). See ifs() docs and remap() docs.
@setValuesBulk(enabled=...) - Bulk value loading can now be conditionally enabled. See @setValuesBulk() docs.
Custom env load path via package.json - More flexible loading behavior for app/workspace setups. See varlock.loadPath docs.
Plugin standard variable detection - Plugins can declare expected env vars to surface better wiring warnings.
Relaxed header divider requirement - Header comment blocks no longer require a trailing divider before first config item. See root decorator header docs.

Fixes and Reliability

Import condition correctness - @import(enabled=...) and @disable now correctly see values from auto-loaded files such as .env, .env.local, and env-specific variants.
Shell output safety - varlock load --format shell now safely escapes special characters to avoid shell expansion/injection issues.
Plugin loading stability - Multiple fixes for plugin loading in SEA binaries, Windows file URL handling, and monorepo/workspace resolution.
Container and runtime resilience - Fixed crashes when config directories are not writable (common in containers/Kubernetes) and added XDG_CONFIG_HOME support.
CLI behavior consistency - Improved invalid load path handling (CliExitError), corrected printenv positional argument resolution, and fixed telemetry-disable messaging.
Docker on Alpine - Added required runtime libraries to avoid startup failures.
Runtime edge-case fixes - Addressed issues like deferred auth/error handling in plugin resolution and patchGlobalResponse behavior impacting fetch checks.

Developer Experience

Bun/runtime checks - Enforced minimum Bun version checks at runtime and improved version-check behavior.
Type generation polish - Added a ts-nocheck directive to generated type output. Thanks @developerzeke.
Improved docs/help quality - Lots of docs updates and integration guidance improvements, including the direnv integration docs and the CLI reference.

🚀 New Integrations and Plugins

The Varlock ecosystem grew this month with new integrations and plugins, plus major updates to existing ones:

@varlock/nextjs-integration - Major updates: the integration now fully supports Turbopack for Next.js 15 and 16 (alongside webpack).
@varlock/cloudflare-integration - New Cloudflare Workers integration, including a Vite plugin and varlock-wrangler workflow for safer secret handling in deploys and local dev.
@varlock/expo-integration - First Expo integration release. Thanks @andychallis.
@varlock/dashlane-plugin - New Dashlane plugin for resolving secrets via the Dashlane CLI. Thanks @LucasPicoli.
@varlock/keepass-plugin - Added KeePass support with flexible resolver options for KDBX-based workflows. Thanks @qades.
@varlock/pass-plugin - Added Pass (pass) plugin for the standard Unix password manager.
@varlock/passbolt-plugin - Added Passbolt plugin for loading secrets from Passbolt Secrets Manager. Thanks @PaddeK.
@varlock/proton-pass-plugin - Added Proton Pass plugin via the Proton Pass CLI.
@varlock/hashicorp-vault-plugin - Added HashiCorp Vault plugin for KV v2 / OpenBao.
dmno-dev/varlock-action - GitHub Action for validating and loading env vars with Varlock in CI.
env-spec-language - New language tooling release with IntelliSense and inline diagnostics support for editor workflows. Thanks @voiys.

🌐 Content Highlights

We loved seeing strong community engagement this month:

Varlock was featured on Syntax, and we saw a wave of new users and stars.
Better Stack published a video on why Varlock is better than .env: Watch here.
We were featured in One Tip a Week, a newsletter we really enjoy by Nick Taylor.
Schalk Neethling published Stop Storing Secrets on Disk - Replace Your .env With Varlock and 1Password, a great walkthrough of moving secrets out of local .env files.
Jesse.ID shared Using varlock to pull secrets from 1Password at runtime, including a practical setup and lessons learned.

💬 Community

We’re always looking for feedback and ideas. Join our growing community:

Discord - Chat with us and other users.
GitHub Discussions - Suggestions, questions, and feature ideas.
GitHub - Star the project and follow us on GitHub.
X - Follow us on X.
Bluesky - Follow us on Bluesky.