Skip to content

Exclude @internal items from load --format json-full by default#874

Merged
theoephraim merged 1 commit into
mainfrom
fix-internal-item-leak-in-integrations
Jul 11, 2026
Merged

Exclude @internal items from load --format json-full by default#874
theoephraim merged 1 commit into
mainfrom
fix-internal-item-leak-in-integrations

Conversation

@theoephraim

Copy link
Copy Markdown
Member

Summary

  • varlock load --format json-full unconditionally included @internal items (with real, unredacted values) - an inspection-format design choice that's fine for a human debugging locally, but every framework integration (Vite, Next.js, Cloudflare, Expo) shells out to exactly this command to fetch its config and reuses the result as-is for what gets injected into the app. That meant an @internal secret-zero credential (e.g. a service-account token) could reach client bundles and SSR runtime process.env/ENV, defeating the entire purpose of @internal.
  • varlock run was never affected - it builds its own blob with includeInternal: false from the start, independent of load.
  • Fix: default --format json-full to exclude @internal items, matching every other output format (json, env, shell). Added --include-internal to load (mirroring run's existing flag) for local debugging when you deliberately want to see an internal item's value.
  • Since no integration passes --include-internal, this fixes Vite, Next.js, Cloudflare, and Expo without touching a single integration package - the leak was entirely upstream of them.

Test plan

  • bun run --filter varlock typecheck
  • bunx vitest run in packages/varlock (939 tests passing)
  • bun run lint:fix
  • bun run --filter varlock-website astro build
  • Added smoke tests (smoke-tests/tests/cli.test.ts) confirming --format json-full excludes @internal by default and includes it (flagged) with --include-internal - both pass against the built CLI
  • Manually verified end-to-end with a real @internal @sensitive item: absent from default json-full output, present with --include-internal

… default

json-full is an inspection format, but every framework integration
(Vite, Next.js, Cloudflare, Expo) shells out to exactly this command
to get its injected config, then reuses the result as-is - so an
@internal secret-zero credential (e.g. a service-account token) could
reach client bundles and SSR runtime code, defeating the whole point
of @internal. Only varlock run was actually safe, since it builds its
own blob with includeInternal: false from the start.

Add --include-internal to load (mirroring run's existing flag) for
local debugging, and default json-full to excluding internal items
like every other output format already does. Since no integration
passes --include-internal, this fixes all of them without touching
a single integration package.
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

bumpy-frog

The changes in this PR will be included in the next version bump.

patch Patch releases

  • varlock 1.10.0 → 1.10.1

Bump files in this PR

Click here if you want to add another bump file to this PR


This comment is maintained by bumpy.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
varlock-website 8d2a377 Commit Preview URL

Branch Preview URL
Jul 09 2026, 07:42 PM

@pkg-pr-new

pkg-pr-new Bot commented Jul 9, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/varlock@874

commit: 8d2a377

theoephraim added a commit that referenced this pull request Jul 9, 2026
…longside this PR

Removes the "known gap" caution about framework integrations not
enforcing @internal exclusion - #874 fixes that at the CLI level
(load --format json-full excludes internal items by default), so
every integration inherits the guarantee with no code changes of
their own. Both PRs are being merged together.
@theoephraim theoephraim merged commit e7b9c74 into main Jul 11, 2026
23 checks passed
theoephraim added a commit that referenced this pull request Jul 11, 2026
…longside this PR

Removes the "known gap" caution about framework integrations not
enforcing @internal exclusion - #874 fixes that at the CLI level
(load --format json-full excludes internal items by default), so
every integration inherits the guarantee with no code changes of
their own. Both PRs are being merged together.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant