[Changesets] Versioned release

[varlock-bot]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

varlock@0.7.0

Minor Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

Patch Changes

• #503 6fe325d - Fix Docker image failing to run due to missing libstdc++ and libgcc_s shared libraries on Alpine Linux. The bun-compiled binary dynamically links against these C++ runtime libraries, which are now installed in the Docker image via apk add libstdc++.

• #507 76c17f8 - Fix @import(enabled=...) and @disable conditions not seeing values from .env, .env.local, and env-specific files

  Previously, import conditions and imported file @disable decorators were evaluated during .env.schema's initialization, before other files (.env, .env.local, .env.ENV, .env.ENV.local) were loaded. This meant that variables set in those files were not available when resolving conditions like enabled=eq($AUTH_MODE, "azure") or @disable=not(eq($AUTH_MODE, "azure")).

  Now, DirectoryDataSource loads all auto-loaded files first (registering their config items), then processes imports in a separate pass. This ensures all file values are available when import/disable conditions are evaluated.

• #495 7f32751 - Fix: error messages in varlock load now go to stderr instead of stdout.

  Previously, error output from checkForSchemaErrors and checkForConfigErrors was written to stdout via console.log, which polluted the JSON output when using --format json-full. This caused import 'varlock/config' to fail with a JSON parse error when a plugin (e.g. AWS secrets) encountered an error. Error messages are now written to stderr, keeping stdout clean for JSON output.

@varlock/astro-integration@0.2.6

Patch Changes

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:
  • varlock@0.7.0

@varlock/cloudflare-integration@0.0.1

Patch Changes

• #480 39d88a9 - New @varlock/cloudflare-integration package for Cloudflare Workers

  • varlockCloudflareVitePlugin() — Vite plugin that reads secrets from Cloudflare bindings at runtime instead of bundling them into worker code
  • varlock-wrangler CLI — drop-in wrangler replacement that uploads non-sensitive values as vars and sensitive values as secrets on deploy; injects env into miniflare via Unix named pipe in dev; watches .env files for changes; generates correct Env types
  • @varlock/cloudflare-integration/init — standalone init module for non-Vite workers
    Refactors @varlock/vite-integration to remove Cloudflare-specific logic and add generic extension points (ssrEntryCode, ssrEdgeRuntime, ssrEntryModuleIds) for platform integrations.

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/expo-integration@0.0.1

Patch Changes

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:
  • varlock@0.7.0

@varlock/nextjs-integration@0.3.2

Patch Changes

• #508 04b81a3 Thanks @melkir! - - fix: public ENV.* replacement now works in 'use client' components under Turbopack — the loader previously bailed out early for client modules, skipping the static replacement pass entirely

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/vite-integration@0.2.8

Patch Changes

• #480 39d88a9 - New @varlock/cloudflare-integration package for Cloudflare Workers

  • varlockCloudflareVitePlugin() — Vite plugin that reads secrets from Cloudflare bindings at runtime instead of bundling them into worker code
  • varlock-wrangler CLI — drop-in wrangler replacement that uploads non-sensitive values as vars and sensitive values as secrets on deploy; injects env into miniflare via Unix named pipe in dev; watches .env files for changes; generates correct Env types
  • @varlock/cloudflare-integration/init — standalone init module for non-Vite workers
    Refactors @varlock/vite-integration to remove Cloudflare-specific logic and add generic extension points (ssrEntryCode, ssrEdgeRuntime, ssrEntryModuleIds) for platform integrations.

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/1password-plugin@0.3.1

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• #513 3a480b2 - - fix: checkOpCliAuth() now always returns a completion callback (a no-op after the mutex is already settled) so follow-up op CLI paths still signal success/failure correctly; previously only the first call returned the deferred resolve function.

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/aws-secrets-plugin@0.0.6

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/azure-key-vault-plugin@0.0.6

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/bitwarden-plugin@0.0.6

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/google-secret-manager-plugin@0.2.1

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/hashicorp-vault-plugin@0.0.4

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/infisical-plugin@0.0.6

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/keepass-plugin@0.0.2

Patch Changes

• #413 7b04b21 Thanks @qades! - Add KeePass plugin for loading secrets from KDBX 4.0 databases.

  • kp() resolver with #attribute syntax, entry name inference from key, and customAttributesObj for bulk custom field loading
  • kpBulk() resolver for loading all passwords from a group via @setValuesBulk
  • kdbxPassword data type for master password validation
  • File mode using kdbxweb with pure WASM argon2 (no native addons, works in SEA builds)
  • CLI mode via keepassxc-cli with dynamic useCli option (e.g., useCli=forEnv(dev))
  • Multiple database instances via id param
  • Key file authentication support
  • Add input option to spawnAsync for streaming stdin to child processes

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/pass-plugin@0.0.6

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

@varlock/proton-pass-plugin@0.0.3

Patch Changes

• #483 ba61adb - Add support for single-file ESM and TypeScript plugins, and improve the plugin authoring API.

  New: ESM and TypeScript single-file plugins

  Single-file plugins can now be written as .mjs or .ts files in addition to .js/.cjs. TypeScript plugins require Bun.

  Improved: explicit plugin import instead of injected global

  Plugin authors should now import plugin explicitly from varlock/plugin-lib rather than relying on the injected global:

  // CJS plugin (.js / .cjs)
  const { plugin } = require("varlock/plugin-lib");
  
  // ESM plugin (.mjs / .ts)
  import { plugin } from "varlock/plugin-lib";

  This works in both regular installs and SEA binary builds. Error classes (ValidationError, CoercionError, etc.) are also now directly importable from varlock/plugin-lib.

  Breaking change: the implicit plugin global is no longer injected into CJS plugin modules. Existing plugins must add const { plugin } = require('varlock/plugin-lib').

• Updated dependencies [ba61adb, 6fe325d, 76c17f8, 7f32751]:

  • varlock@0.7.0

[pkg-pr-new]

Open in StackBlitz

varlock

npm i https://pkg.pr.new/varlock@506

@varlock/astro-integration

npm i https://pkg.pr.new/@varlock/astro-integration@506

@varlock/cloudflare-integration

npm i https://pkg.pr.new/@varlock/cloudflare-integration@506

@varlock/expo-integration

npm i https://pkg.pr.new/@varlock/expo-integration@506

@varlock/nextjs-integration

npm i https://pkg.pr.new/@varlock/nextjs-integration@506

@varlock/vite-integration

npm i https://pkg.pr.new/@varlock/vite-integration@506

@varlock/1password-plugin

npm i https://pkg.pr.new/@varlock/1password-plugin@506

@varlock/aws-secrets-plugin

npm i https://pkg.pr.new/@varlock/aws-secrets-plugin@506

@varlock/azure-key-vault-plugin

npm i https://pkg.pr.new/@varlock/azure-key-vault-plugin@506

@varlock/bitwarden-plugin

npm i https://pkg.pr.new/@varlock/bitwarden-plugin@506

@varlock/google-secret-manager-plugin

npm i https://pkg.pr.new/@varlock/google-secret-manager-plugin@506

@varlock/hashicorp-vault-plugin

npm i https://pkg.pr.new/@varlock/hashicorp-vault-plugin@506

@varlock/infisical-plugin

npm i https://pkg.pr.new/@varlock/infisical-plugin@506

@varlock/keepass-plugin

npm i https://pkg.pr.new/@varlock/keepass-plugin@506

@varlock/pass-plugin

npm i https://pkg.pr.new/@varlock/pass-plugin@506

@varlock/proton-pass-plugin

npm i https://pkg.pr.new/@varlock/proton-pass-plugin@506

commit: af0a03d

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.2.1

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report