github dmno-dev/varlock varlock@1.6.0
varlock v1.6.0
on GitHub

latest releases: @varlock/proton-pass-plugin@1.0.2, @varlock/passbolt-plugin@1.1.0, @varlock/keeper-plugin@1.1.0...
5 hours ago
  • #577 (minor) - - Add caching system: cache() resolver, plugin cache API, encrypted JSON store (file mode 0600), varlock cache CLI with TTY-aware browser and --yes confirm for clear.
    • Cache TTLs use the shared duration format; "forever" caches until manually cleared (the default for cache()), setting a plugin's cacheTtl to false (or an empty string) disables caching, and a TTL of 0 is rejected as ambiguous.
    • Cached values are individually encrypted and bound to their cache key, so entries cannot be swapped or replayed within the cache file.
    • --clear-cache always clears the persistent disk cache, including when combined with --skip-cache; @cache=disk warns when used in CI or with the file-based encryption fallback.
    • Add random value generators backed by node:crypto: randomNum() (integer by default, float when precision is set), randomUuid(), randomHex() (string-length by default, bytes=true for byte-length), randomString() (uses rejection sampling for unbiased output across any charset).
    • Add duration data type: accepts flexible string/number input ("1h", "30m", "500ms", 2000, "2days") and coerces to a number in a configurable output unit (ms default; seconds, minutes, hours, days, weeks). Only plain decimal number formats are accepted, and sub-millisecond durations are rejected. Same parser is used by cache(..., ttl=...) and the plugin cacheTtl option.
    • When _VARLOCK_CACHE_KEY is set (e.g. as a CI secret; same format as _VARLOCK_ENV_KEY, but a separate var since that one can be ephemeral), auto cache mode uses a disk cache encrypted with that key instead of falling back to memory — enabling shared caching across CI processes without the key ever touching disk. Each key gets its own cache file, named by key fingerprint.
    • @cache can be set dynamically with functions (e.g. @cache=forEnv(dev, "disk")); invalid resolved values surface as schema errors.
    • Plaintext is passed to the native encryption binary via stdin instead of argv so it never appears in process listings (the macOS enclave binary gained --data-stdin support); debug logging no longer includes encrypt/decrypt payloads.
    • Plugin opt-in caching via cacheTtl is documented per plugin — see the plugin packages' own changelogs.
  • #768 (patch) - fix: only warn about file-based encryption fallback when encryption is actually used, not on every load
  • #756 (patch) - Preserve process.env override provenance across nested invocations so varlock run-injected resolved values are no longer treated as true overrides by inner varlock loads.
    Only real upstream overrides now propagate through nesting, while inner command-local overrides still win as expected.
    Also fixes smoke-test CLI resolution to use the workspace-local varlock CLI instead of any globally installed binary.
    Note: __VARLOCK_ENV now includes override provenance metadata (__varlockOverrideMeta). Tooling that strictly validates that blob shape should allow unknown/new fields.
  • #757 (patch) Thanks @yinjs! - fix: treat whitespace-only lines as blank lines instead of throwing a parse error

Published to

Check out latest releases or
releases around dmno-dev/varlock varlock@1.6.0

Don't miss a new varlock release

NewReleases is sending notifications on new releases.

Get notifications