A small bug-fix release that hardens shell activation against expansion of secret values and stops fnox set / fnox import from rewriting [secrets.NAME] tables as inline tables.
Fixed
Preserve table-style secret formatting on edits (#467) -- @jdx
fnox set and fnox import previously rewrote any existing [secrets."NAME"] table as a single-line inline table ("NAME" = { provider = ..., value = ... }), discarding the multi-line layout. Both commands now detect the existing style and update fields in-place, keeping the [secrets."NAME"] header, comments, and key order intact:
[secrets."SEKRIT_PASSWORD"]
provider = "age"
value = "..." # updated in place
if_missing = "error" # preservedPrevent shell expansion of secret values in bash/zsh activation (#473) -- @jdx
The bash and zsh hook-env output previously wrapped values in double quotes with only \ and " escaped, so a secret containing $$, `cmd`, or ${...} would be expanded by the shell when the activation script was eval-ed — leaking e.g. the shell PID into the variable (see discussion #471). fnox now POSIX-quotes values via shlex, producing safe single-quoted output:
export DOLLAR_SECRET='$$test'
export BACKTICK_SECRET='a`whoami`b'Values now round-trip through eval unchanged. Fish, PowerShell, and Nushell were already unaffected.
Documentation
- Mise integration guide now recommends installing fnox with mise and using shell integration or
fnox exec; thejdx/mise-env-fnoxenv plugin is flagged as experimental and incomplete (#472) -- @jdx
Full Changelog: v1.24.0...v1.24.1
💚 Sponsor fnox
fnox is maintained by @jdx under en.dev — a small independent studio building developer tooling like mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.
If fnox is handling secrets or config for you or your team, please consider sponsoring at en.dev. Sponsorships are what let fnox stay independent and the project keep moving.