chore(deps): bump varlock from 0.7.4 to 1.2.0 #97

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/varlock-1.2.0

@dependabot dependabot Bot commented on behalf of github May 23, 2026

Bumps varlock from 0.7.4 to 1.2.0.

Release notes

Sourced from varlock's releases.

varlock v1.2.0

No changelog entries.

varlock v1.1.0

No changelog entries.

varlock@1.0.0

2026-04-29

  • #666 - fix: explicit per-item decorators now take priority over @defaultSensitive/@defaultRequired from other files
  • #567 - Built-in local encryption utilities - let's get everything out of plaintext!
    • Add built-in varlock() resolver for local device-bound encryption using tiny native binaries
      • macOS via Swift/Secure Enclave
      • Windows via Windows Hello/TPM (+WSL2 support)
      • Linux via TPM2/keyring
    • Add varlock encrypt command with stdin support
    • Add varlock reveal command
    • Add varlock lock command to clear local session unlock
    • Add keychain() resolver for built-in macOS Keychain support

varlock v0.9.1

No changelog entries.

varlock@0.9.0

Minor Changes

  • #615 9c38e3a - Add --no-inject-graph CLI flag to varlock run to opt out of injecting the __VARLOCK_ENV serialized config graph into the child process environment. This prevents sensitive values from being exposed via environment inspection (e.g., env, printenv) in interactive shells, long-lived processes, or LLM-driven agents.

Patch Changes

  • #627 f93c23f - Fix: escape */ sequences in item descriptions to prevent premature JSDoc comment closure in generated TypeScript types

  • #622 6f90d87 - Fix leak detection for Uint8Array/ArrayBuffer response bodies

    scanForLeaks now detects secrets in Uint8Array, ArrayBufferView, and ArrayBuffer values. Previously these fell through unscanned, so secrets returned as binary-encoded response bodies (common in Cloudflare Workers) were not caught.

varlock@0.8.2

Patch Changes

  • #620 0f3ca3b - Fix regex literal parsing ambiguity with file paths

    Removed grammar-level regex literal (/pattern/) parsing which caused paths like /folder/foo/bar to be incorrectly parsed as regex patterns. Regex-like strings are now detected at runtime by specific consumers (remap() match values, matches type option) instead of at the grammar level. Unquoted strings that look like /pattern/flags are treated as regex in those contexts; wrap in quotes to force literal string matching.

  • #618 0db7d1d - Fix varlock run on Windows: correctly build the cmd.exe command string when spawning .cmd/.bat files

    Previously, individual arguments were double-quoted separately (e.g. "tsx.cmd" "watch" "src/index.ts"). Because cmd.exe's /s /c strips only the first and last quote from the entire command string, this left a stray " after the command name, causing errors like "The system cannot find the path specified."

    The fix wraps the entire inner command string in a single pair of outer quotes (e.g. "tsx.cmd watch src/index.ts"), which is what cmd.exe expects. Paths or arguments that contain spaces are individually quoted inside those outer quotes.

    Additionally, when findCommand cannot resolve a bare command name to a .cmd/.bat path, varlock now falls back to routing through cmd.exe so that Windows PATHEXT lookups (e.g. tsx → tsx.cmd, pnpm → pnpm.cmd) are handled automatically.

... (truncated)

Changelog

Sourced from varlock's changelog.

1.2.0

2026-05-11

  • #569 Thanks @​danish-fareed! - add code env scanner and audit command with @auditIgnore / @auditIgnorePaths decorators
  • #695 (patch) - Add --agent flag for init and load

1.1.0

2026-05-02

  • #681 - Add --summary-stderr/--summary-file flags to varlock load and fullResult option to execSyncVarlock
  • #644 - Add @deprecated item decorator with strikethrough display in pretty output and @deprecated JSDoc in generated TypeScript types
  • #675 (patch) - fix biometric session scoping for non-TTY processes
  • #679 (patch) - wsl standalone binary fixes

1.0.0

2026-04-29

  • #666 - fix: explicit per-item decorators now take priority over @defaultSensitive/@defaultRequired from other files
  • #567 - Built-in local encryption utilities - let's get everything out of plaintext!
    • Add built-in varlock() resolver for local device-bound encryption using tiny native binaries
      • macOS via Swift/Secure Enclave
      • Windows via Windows Hello/TPM (+WSL2 support)
      • Linux via TPM2/keyring
    • Add varlock encrypt command with stdin support
    • Add varlock reveal command
    • Add varlock lock command to clear local session unlock
    • Add keychain() resolver for built-in macOS Keychain support

0.9.1

2026-04-22

  • #630 22629d3 Thanks @​app/copilot-swe-agent! - varlock scan now accepts optional positional path/glob arguments to scan specific files, directories, or glob patterns instead of the whole repo. This is useful for scanning build output folders (e.g. dist, .next) to ensure no secrets leaked into what will be published.
    varlock scan ./dist             # Scan a specific build output directory
    varlock scan ./dist ./public    # Scan multiple directories
    varlock scan './dist/**/*.js'   # Scan files matching a glob pattern
    When explicit paths are provided, git-aware filtering (--staged, --include-ignored) is bypassed, and build-output directories that are normally skipped (such as dist, .next, build) are scanned without restriction.

0.9.0

Minor Changes

  • #615 9c38e3a - Add --no-inject-graph CLI flag to varlock run to opt out of injecting the __VARLOCK_ENV serialized config graph into the child process environment. This prevents sensitive values from being exposed via environment inspection (e.g., env, printenv) in interactive shells, long-lived processes, or LLM-driven agents.

Patch Changes

  • #627 f93c23f - Fix: escape */ sequences in item descriptions to prevent premature JSDoc comment closure in generated TypeScript types

  • #622 6f90d87 - Fix leak detection for Uint8Array/ArrayBuffer response bodies

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [varlock](https://github.com/dmno-dev/varlock/tree/HEAD/packages/varlock) from 0.7.4 to 1.2.0.
- [Release notes](https://github.com/dmno-dev/varlock/releases)
- [Changelog](https://github.com/dmno-dev/varlock/blob/main/packages/varlock/CHANGELOG.md)
- [Commits](https://github.com/dmno-dev/varlock/commits/varlock@1.2.0/packages/varlock)

---
updated-dependencies:
- dependency-name: varlock
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 23, 2026
@github-actions github-actions Bot enabled auto-merge (squash) May 23, 2026 02:15
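
The #622 entry in the release notes above says secrets in Uint8Array, ArrayBufferView and ArrayBuffer response bodies previously fell through unscanned. The sketch below is an added example of that kind of check, not varlock's code: `toBytes`, `indexOfBytes`, `findLeaks` and the sample secret are hypothetical names and constructed values.

```javascript
// Added illustration; not varlock's implementation. Function names are hypothetical.

// Normalise a response body to bytes, or return null for types we cannot scan.
function toBytes(body) {
  if (typeof body === 'string') return new TextEncoder().encode(body);
  if (body instanceof ArrayBuffer) return new Uint8Array(body);
  // Covers Uint8Array, other typed arrays, DataView and Node's Buffer.
  // byteOffset/byteLength matter: a view may expose only part of its buffer.
  if (ArrayBuffer.isView(body)) {
    return new Uint8Array(body.buffer, body.byteOffset, body.byteLength);
  }
  return null;
}

// Byte-wise search, so the body never has to be valid UTF-8.
function indexOfBytes(haystack, needle) {
  if (needle.length === 0) return -1;
  outer: for (let i = 0; i + needle.length <= haystack.length; i++) {
    for (let j = 0; j < needle.length; j++) {
      if (haystack[i + j] !== needle[j]) continue outer;
    }
    return i;
  }
  return -1;
}

// Returns the names of sensitive items whose value appears in the body.
// `secrets` maps item name -> plaintext value.
function findLeaks(body, secrets) {
  const bytes = toBytes(body);
  if (bytes === null) return [];
  const enc = new TextEncoder();
  return Object.entries(secrets)
    .filter(([, value]) => value && indexOfBytes(bytes, enc.encode(value)) !== -1)
    .map(([name]) => name);
}

// Constructed sample data: a fake key returned inside a binary-encoded body.
const SAMPLE_SECRETS = { API_KEY: 'sk_test_constructed_0123456789' };
const binaryBody = new TextEncoder().encode(
  '{"debug":{"key":"sk_test_constructed_0123456789"}}'
);
```

A scanner that only handles `typeof body === 'string'` returns no findings for `binaryBody`, which is the gap the release note describes.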