Skip to content

Fix redundant resolved-env injection on Cloudflare, warn on unencrypted Vercel deploys#881

Merged
theoephraim merged 4 commits into
mainfrom
guard-resolved-env-cloudflare-vercel
Jul 15, 2026
Merged

Fix redundant resolved-env injection on Cloudflare, warn on unencrypted Vercel deploys#881
theoephraim merged 4 commits into
mainfrom
guard-resolved-env-cloudflare-vercel

Conversation

@theoephraim

@theoephraim theoephraim commented Jul 12, 2026

Copy link
Copy Markdown
Member

Summary

  • Astro's @astrojs/cloudflare adapter defaulted ssrInjectMode to resolved-env for every build, baking the fully resolved (potentially sensitive) env into the worker bundle even for production, where the Cloudflare runtime loader already gets it from bindings at boot. Now only defaults to resolved-env for astro dev (where @astrojs/cloudflare runs SSR inside workerd via its own @cloudflare/vite-plugin instance with no binding-injection hook available) — production builds default to init-only, matching Vite/SvelteKit.
  • varlockVitePlugin() now throws if ssrInjectMode: 'resolved-env' is explicitly set for a production build while a Cloudflare target is detected (SvelteKit + adapter-cloudflare, @varlock/cloudflare-integration, or the Astro Cloudflare branch), pointing users at the native varlock-wrangler injection path instead. Dev builds are exempt since some adapters have no alternative there.
  • Added a one-time, non-blocking warning (Vite, Next.js webpack + turbopack) when deploying to Vercel with resolved-env-style injection and @encryptInjectedEnv not enabled, since that ships secrets as plaintext JSON in the build artifact.
  • Docs updated: vite.mdx and encrypted-deployments.mdx.

Test plan

  • @varlock/vite-integration, @varlock/astro-integration, @varlock/cloudflare-integration, @varlock/nextjs-integration all build cleanly
  • Manually verified the Cloudflare throw fires only for production builds when isCloudflareTarget is set, and doesn't fire in dev or otherwise
  • Manually verified the Vercel warning fires once and only when VERCEL=1 + no encryption
  • Docs site (astro build) builds cleanly
  • Full framework test suites pass locally: astro (89 passed, including the Cloudflare adapter dev suite that this branch initially broke and then fixed), vite, sveltekit, cloudflare (262 passed)

…ed Vercel deploys

Astro's @astrojs/cloudflare adapter defaulted ssrInjectMode to 'resolved-env',
baking the fully resolved (potentially sensitive) env into the worker bundle
even though the Cloudflare runtime loader immediately overwrites it from
bindings at boot. Now defaults to init-only like Vite/SvelteKit already did.

Also add a build-time throw if a user explicitly sets ssrInjectMode:
'resolved-env' while a Cloudflare target is detected, and a one-time warning
(Vite, Next.js webpack/turbopack) when deploying to Vercel with resolved-env
injection and no @encryptInjectedEnv enabled, since that ships secrets as
plaintext JSON in the build artifact.
@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

bumpy-frog

The changes in this PR will be included in the next version bump.

minor Minor releases

  • @varlock/astro-integration 1.1.1 → 1.2.0
  • @varlock/cloudflare-integration 1.2.1 → 1.3.0
  • @varlock/vite-integration 1.2.1 → 1.3.0

patch Patch releases

  • @varlock/nextjs-integration 1.1.4 → 1.1.5

Bump files in this PR

Click here if you want to add another bump file to this PR


This comment is maintained by bumpy.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 12, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
varlock-website b4db34a Commit Preview URL

Branch Preview URL
Jul 15 2026, 07:26 PM

@pkg-pr-new

pkg-pr-new Bot commented Jul 12, 2026

Copy link
Copy Markdown

Open in StackBlitz

@varlock/ci-env-info

npm i https://pkg.pr.new/@varlock/ci-env-info@881

varlock

npm i https://pkg.pr.new/varlock@881

@varlock/astro-integration

npm i https://pkg.pr.new/@varlock/astro-integration@881

@varlock/cloudflare-integration

npm i https://pkg.pr.new/@varlock/cloudflare-integration@881

@varlock/nextjs-integration

npm i https://pkg.pr.new/@varlock/nextjs-integration@881

@varlock/vite-integration

npm i https://pkg.pr.new/@varlock/vite-integration@881

commit: b4db34a

@astrojs/cloudflare runs SSR inside workerd during `astro dev` via its own
@cloudflare/vite-plugin instance, which has no binding-injection hook for
varlock to use (that mechanism only exists inside varlockCloudflareVitePlugin,
which Astro doesn't use). Removing the resolved-env default broke dev mode
entirely (initVarlockEnv failed — no env source at all).

Scope the fix to production builds: Astro still defaults to resolved-env in
dev (the only way to get real values into the dev worker), and the vite
plugin's Cloudflare resolved-env throw now only fires outside dev mode.
@theoephraim
theoephraim merged commit 4f1850c into main Jul 15, 2026
37 of 38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant