Fix redundant resolved-env injection on Cloudflare, warn on unencrypted Vercel deploys#881
Merged
Merged
Conversation
…ed Vercel deploys Astro's @astrojs/cloudflare adapter defaulted ssrInjectMode to 'resolved-env', baking the fully resolved (potentially sensitive) env into the worker bundle even though the Cloudflare runtime loader immediately overwrites it from bindings at boot. Now defaults to init-only like Vite/SvelteKit already did. Also add a build-time throw if a user explicitly sets ssrInjectMode: 'resolved-env' while a Cloudflare target is detected, and a one-time warning (Vite, Next.js webpack/turbopack) when deploying to Vercel with resolved-env injection and no @encryptInjectedEnv enabled, since that ships secrets as plaintext JSON in the build artifact.
Contributor
|
The changes in this PR will be included in the next version bump.
|
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
varlock-website | b4db34a | Commit Preview URL Branch Preview URL |
Jul 15 2026, 07:26 PM |
@varlock/ci-env-info
varlock
@varlock/astro-integration
@varlock/cloudflare-integration
@varlock/nextjs-integration
@varlock/vite-integration
commit: |
@astrojs/cloudflare runs SSR inside workerd during `astro dev` via its own @cloudflare/vite-plugin instance, which has no binding-injection hook for varlock to use (that mechanism only exists inside varlockCloudflareVitePlugin, which Astro doesn't use). Removing the resolved-env default broke dev mode entirely (initVarlockEnv failed — no env source at all). Scope the fix to production builds: Astro still defaults to resolved-env in dev (the only way to get real values into the dev worker), and the vite plugin's Cloudflare resolved-env throw now only fires outside dev mode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
@astrojs/cloudflareadapter defaultedssrInjectModetoresolved-envfor every build, baking the fully resolved (potentially sensitive) env into the worker bundle even for production, where the Cloudflare runtime loader already gets it from bindings at boot. Now only defaults toresolved-envforastro dev(where@astrojs/cloudflareruns SSR inside workerd via its own@cloudflare/vite-plugininstance with no binding-injection hook available) — production builds default toinit-only, matching Vite/SvelteKit.varlockVitePlugin()now throws ifssrInjectMode: 'resolved-env'is explicitly set for a production build while a Cloudflare target is detected (SvelteKit +adapter-cloudflare,@varlock/cloudflare-integration, or the Astro Cloudflare branch), pointing users at the nativevarlock-wranglerinjection path instead. Dev builds are exempt since some adapters have no alternative there.@encryptInjectedEnvnot enabled, since that ships secrets as plaintext JSON in the build artifact.vite.mdxandencrypted-deployments.mdx.Test plan
@varlock/vite-integration,@varlock/astro-integration,@varlock/cloudflare-integration,@varlock/nextjs-integrationall build cleanlyisCloudflareTargetis set, and doesn't fire in dev or otherwiseVERCEL=1+ no encryptionastro build) builds cleanlyastro(89 passed, including the Cloudflare adapter dev suite that this branch initially broke and then fixed),vite,sveltekit,cloudflare(262 passed)