-
#849 (minor)
Generate code for Python, Rust, Go, and PHP with new per-language decorators (@generatePythonEnv,@generateRustEnv,@generateGoEnv,@generatePhpEnv). Each emits a self-contained, idiomatic module — typed coerced values, a loader that parses the injected env, and aSENSITIVE_KEYSconstant — so it's usable out of the box. The TypeScript generator moves to@generateTsTypesand gains options to controlprocess.env/import.meta.envaugmentation and a monorepo-friendlyexposeEnv=localmode.@generateTypes(lang=ts)still works as a deprecated alias. Thevarlock typegencommand is renamed tovarlock codegen(withtypegenkept as a deprecated alias). Note:@disableProcessEnvInjectionnow requires a statictrue/falsevalue — env-dependent values likeforEnv(prod)are a schema error, since generated code must not differ per environment. -
#866 (patch)
plugin-registered data types can now declarecoercedTypeso generated env modules type their fields correctly (previously they always emitted as strings) -
#861 (patch)
Runtime leak detection now catches secrets in compressed responses: gzipped responses that fit in a single chunk (i.e. most pages) were never scanned, so browsers — which always sendAccept-Encoding: gzip— could receive leaked sensitive values the scanner should have blocked. Brotli and zstd responses are now scanned too, and compressed chunks containing a leak fail closed (the response is killed) instead of passing through.Note: since most browser traffic previously bypassed the scanner, an app with an existing undetected leak will start seeing those responses blocked after upgrading — look for
DETECTED LEAKED SENSITIVE CONFIGin server logs, which names the offending config key. -
#861 (patch)
Runtime fixes: env state is now shared across bundled copies ofvarlock/env(fixes stale values after env reloads when a bundler duplicates the module, including cleanup ofprocess.envkeys removed between reloads), andnode:cryptois loaded lazily — with encrypted env blobs decrypting via WebCrypto on edge runtimes that lack it entirely (e.g. Vercel Edge). Minimum supported Node version is now 22.3. -
#853 (patch) - Reject unknown or misspelled CLI flags with a did-you-mean suggestion instead of silently ignoring them
-
#865 (patch)
icon fetching during type generation now ignores failed responses, times out after 2s, and doesn't retry failed icons within a run -
#854 (patch)
Windows local encryption now uses TPM-sealed keys via NCrypt when available; existing DPAPI keys auto-upgrade on the next decrypt.
Published to
- ✅ npm