Theo Ephraim
@theozero.bsky.social
π€ 160
π₯ 114
π 206
π§ββοΈπͺπ
https://varlock.dev
Open sourcerer, devtools builder, entrepreneur
Random q - do folks out there care / think about how much plastic they are exposed to? Talking things like coffee gear, water bottles / mugs, cookware, baby products. Do you research before you buy? Would you like to minimize but takes too much work? Never think about it? I'm cooking something :)
1 day ago
0
0
0
Building a new CLI tool? Here is your toolkit: - gunshi (cli framework) - clack/prompts (cli prompts) - lefthook (git hooks) - tsdown (ts build tool) - bumpy (changelog + publishing) - fledgling (bonus) - for initial npm claim and oidc setup
2 days ago
0
14
1
Citing the recent bun drama, David Bowie will be re-releasing old albums as "Rusty Stardust"
5 days ago
0
1
0
Super fun chatting with
@brandonwhichard.com
about varlock. He is a real user - found us through a listener and has been using it ever since. Have a listen! π§
add a skeleton here at some point
6 days ago
0
3
1
All varlock docs package links and readmes (as of their next publish) now point to
@npmx.dev
β₯οΈπ§ββοΈ
7 days ago
1
16
2
PSA -
@astro.build
+ yaml w/ md +
@cloudflare.social
+ LLMs is a killer toolkit to build comprehensive resources of info gathered from all over the web. No servers, no DB, no tedious hand-maintaining data. Ideas that would take way too much effort before are now easily within reach.
9 days ago
0
1
0
π§ββοΈ
[email protected]
adds arbitrary codegen. As well as built-in support for php, python, go, rust - so you get a fully typed+coerced env loader to use in your code. Plugins can add codegen types - new possibilities to generate for k8s, terraform... anything!
varlock.dev/guides/code-...
loading . . .
Code generation
Generate types and other code from your env schema, and extend it with plugins
https://varlock.dev/guides/code-generation/
9 days ago
0
6
1
Finally digging into a proper plugin system for bumpy πΈ (
bumpy.varlock.dev
). This means native support / recipes to release to common js targets like jsr, vscode marketplace, and non-js things like PyPi, and
crates.io
loading . . .
GitHub - dmno-dev/bumpy: πΈ Modern monorepo friendly version management + changelog tool
πΈ Modern monorepo friendly version management + changelog tool - dmno-dev/bumpy
https://bumpy.varlock.dev
10 days ago
1
6
0
btw - I added condiments to my food storage tips site π«π
loading . . .
Mustard storage guide | HowToStore.food
Mustard is shelf-stable thanks to its vinegar and salt, so the pantry is perfectly safe before and after opening. Refrigerating an open jar keeps it spi...
https://howtostore.food/foods/mustard/
12 days ago
1
10
0
varlock will soon support arbitrary codegen registered in plugins. Opens up fun possibilities - generate zod schema, k8s configmap/secret split based on what's marked @sensitive, terraform vars Plus new built-in env generation for rust, go, python, php. Excited to see how you will use it! π§ββοΈβ¨
12 days ago
0
19
0
varlock credential broker is coming very soon! child process (usually AI agent) gets _placeholders_, swapped for real creds at the network boundary. Rules managed from your .env.schema - use our existing plugins to pull from anywhere. Can't wait to share it :)
14 days ago
0
3
0
Hey
@pnpm.io
- following up on our recent thread about using valid env vars for configuring npmrc auth --
github.com/orgs/pnpm/di...
loading . . .
Using valid env vars names for .npmrc Β· pnpm Β· Discussion #12746
First off, thanks for the env-variables-in-repository-npmrc post and for closing the ${ENV}-in-repo-file exfiltration hole. Locking expansion to trusted sources is the right call. This is a follow-...
https://github.com/orgs/pnpm/discussions/12746
16 days ago
0
2
0
npm staged publishing approval tool MVP is working. Batch approve multiple packages, multi-sig approval policies, audit trails, batches created in CI via OIDC. NPM token encrypted by passkeys so we never see them. Using staged publishing? Wanting to but avoiding because its clunky? Let me know!
17 days ago
1
0
0
My new npm staged publishing approval tool is called "stageflight" - HMU if you want to beta test! Provides batch approvals, multi-sig policies w/ audit trails, approvers don't need publishing rights. Cloud-hosted but secrets encrypted w/ your passkeys. optional ai review too in future
20 days ago
0
1
0
Working on something pretty rad thatβs going to help make npm staged publishing feel much nicer - and even more secure. Like/comment/DM if this is up your alley and you want to help me beta test.
21 days ago
0
0
0
πΈ
bumpy.varlock.dev
continues to get better and more solid. If you release npm packages - take it for a spin and let me know what you think! Couples very nicely with π£
fledgling.varlock.dev
especially in a monorepo :)
loading . . .
GitHub - dmno-dev/bumpy: πΈ Modern monorepo friendly version management + changelog tool
πΈ Modern monorepo friendly version management + changelog tool - dmno-dev/bumpy
https://bumpy.varlock.dev
23 days ago
1
4
2
Doesn't exactly inspire confidence when things show an error message even when they work. A few npm interactions regularly do this for me - approving staged publishing being one of them.
23 days ago
1
0
0
Say hello to π£ fledgling - a new tool to create new npm packages and setup/sync trusted publishing (OIDC) settings. Works great for one offs, but even better in a monorepo! just `npx fledgling`
loading . . .
28 days ago
2
16
7
π₯π£π₯ Hatching something fun tomorrow. A very nice complement to bumpy πΈ
29 days ago
0
1
0
New varlock+mise guide
varlock.dev/integrations...
Would appreciate a look from any heavy mise users!
loading . . .
mise
Install varlock with mise and wire validated env vars into your tasks
https://varlock.dev/integrations/mise/
29 days ago
0
6
2
How many of y'all use
@1password.bsky.social
wired into dev/agent workflows? varlock now has built-in caching (secured by secure enclave), meaning fewer roundtrips to 1pass servers. Much smoother for when things are reloading a lot.
varlock.dev/plugins/1pas...
varlock.dev/guides/cachi...
loading . . .
1Password Plugin
Using 1Password with Varlock
https://varlock.dev/plugins/1password/
about 1 month ago
1
2
0
Honestly didn't know what to expect when I started on prerelease channels for πΈ bumpy (publish v1.2.3-rc.1 and tag as "next") I knew it's awkward and hard to deal with - one of most complained about parts of changesets π¦ But the end result is actually really good!
github.com/dmno-dev/bum...
loading . . .
https://github.com/dmno-dev/bumpy/blob/main/docs/prereleases.md
about 1 month ago
0
0
0
pre-release channels are looking good on bumpy πΈ Same workflow, just merge to _next_. Then merge _next_ to _main_. Anyone out there using a npm preview release channel and not quite happy with their current setup? Hit me up!
bumpy.varlock.dev
about 1 month ago
0
3
2
Looking at adding long-lived pre-release channels to
bumpy.varlock.dev
(one most confusing/complained about parts of changesets π¦) not implemented yet, but here is the plan --
github.com/dmno-dev/bum...
If anyone has thought about this deeply and has any feedback I'd be very grateful!
loading . . .
GitHub - dmno-dev/bumpy: πΈ Modern monorepo friendly version management + changelog tool
πΈ Modern monorepo friendly version management + changelog tool - dmno-dev/bumpy
https://bumpy.varlock.dev
about 1 month ago
0
0
0
reposted by
Theo Ephraim
Nick Rempel
about 1 month ago
15
994
260
reposted by
Theo Ephraim
henry β·
about 1 year ago
when starting a new project repo, choosing a tech stack, etc, i try to always ask the hard and important questions right up front, such as: βhow do i work this?β, βwhat is that beautiful house?β, βwhere does that highway go to?β, βam I right? am I wrong?β, and βmy god! what have I done?β
2
38
10
set up
bumpy.varlock.dev
in your repo and I'll send you a sweet bumpy sticker πΈ
about 1 month ago
2
6
0
that's what I like to see π§ββοΈβ¨π
about 1 month ago
0
5
0
Updated
bumpy.varlock.dev
recommended release workflow. OIDC token is now injected only during publish, not during create/update version PR, also locked down to a github environment with branch protections. Everyone go turn on staged publishing now! And use bumpy :) ποΈπΈπ
loading . . .
GitHub - dmno-dev/bumpy: πΈ Modern monorepo friendly version management + changelog tool
πΈ Modern monorepo friendly version management + changelog tool - dmno-dev/bumpy
https://bumpy.varlock.dev
about 1 month ago
0
0
0
Any really great examples of css view transitions? I built
howtostore.food
as a fun side project and went pretty deep on it. Haven't really seen anything like it.
loading . . .
Food Storage Guide | HowToStore.food
How to store food so it stays fresh longer. Storage guides by item, method, and category.
https://howtostore.food
about 1 month ago
0
1
1
reposted by
Theo Ephraim
Darcy Clarke
about 2 months ago
β‘οΈ We're looking for a DevRel person at
@vlt.sh
- based in our Toronto π¨π¦ HQ. You'll work closely w/ me & should love the idea of owning various aspects of product marketing. You'll be vlt's biggest fan & advocate; molding this unique role in a way that plays to your strengths & ours.
2
24
17
If you are using varlock, try `npx skills add dmno-dev/varlock` to install our new varlock skill. I wish the DX around this was better to keep skills published along with npm modules in sync, but this seemed like the best solution for now.
about 2 months ago
0
1
0
think varlock is neat? Please go βlikeβ it on npmx
npmx.dev/package/varl...
Bumpy too :)
npmx.dev/package/@var...
loading . . .
varlock - npmx
AI-safe .env files: Schemas for agents, Secrets for humans.
https://npmx.dev/package/varlock
about 2 months ago
0
2
0
Putting together a bsky list of folks who build/maintain release tooling (e.g., changesets, release-it, uppt, bumpy, etc). What tools / people am I missing
bsky.app/profile/did:...
add a skeleton here at some point
about 2 months ago
8
15
3
bumpy.varlock.dev
now adds section to GH release showing targets w/ status+links. Uses hidden metadata, release updated until finalized. Next step is adding plugins so you can release to multiple places (npm, jsr, vscode extension marketplace, etc) cc
@nullvoxpopuli.com
about 2 months ago
1
2
0
What is current best practice on how to include/publish skills with npm packages? Seems like the wild west out there...
about 2 months ago
1
0
0
reposted by
Theo Ephraim
naugtur
about 2 months ago
π¦ Set up staged publishing with approximately 1 click per package
lavamoat.github.io/stageclicker/
Without sharing any of your permissions or exposing access to anything.
loading . . .
Drag this button to your bookmarks bar to save it as a bookmarklet:
https://lavamoat.github.io/stageclicker/
2
11
9
While on the topic of NPM, the varlock package now has ~125k weekly downloads, but is still not indexed by google. Some of our other packages have minimal usage are a indexed properly. Any idea what is going on...? Anyone else have this experience?
loading . . .
https://www.npmjs.com/package/varlock
about 2 months ago
0
0
0
I'd love to build some better workflows around staged publishing approval, rather than rely on npm's UI and 2fa. Looking to get this feedback to the right folks
github.com/orgs/communi...
/cc npm release tool authors
@danielroe.dev
@notwes.bsky.social
@nullvoxpopuli.com
@jovidecroock.com
loading . . .
staged approval customization Β· community Β· Discussion #196948
π·οΈ Discussion Type Product Feedback Body Thanks for getting out staged publishing. Adding that final check isolated from CI is an important step. I'd like to implement my own staged approval workfl...
https://github.com/orgs/community/discussions/196948
about 2 months ago
4
12
4
πΈ
bumpy.varlock.dev
now supports npm staged publishing for complex monorepos π - create bump file(s) in PR w/ bump level (patch/minor/major) and changelog content - PR merges, a "release PR" is created/updated - release PR merges, new package(s) staged - approve on npm w/ 2fa to release
loading . . .
GitHub - dmno-dev/bumpy: πΈ Modern monorepo friendly version management + changelog tool
πΈ Modern monorepo friendly version management + changelog tool - dmno-dev/bumpy
https://bumpy.varlock.dev
about 2 months ago
1
9
0
Should we just fund the company by selling merch? π§ββοΈπ€
about 2 months ago
1
6
0
reposted by
Theo Ephraim
danielroe π΄σ §σ ’σ ³σ £σ ΄σ Ώ
about 2 months ago
this is a fantastic thread full of very useful advice + some golden tools π
add a skeleton here at some point
1
29
10
As of today
@varlock.dev
has OIDC workload identity support - this means that for some popular combos of deployment platform + secret storage, you no longer need a secret-zero to pull the rest of your sensitive data. check out
varlock.dev/guides/oidc/
to get started
loading . . .
OIDC Workload Identity
Authenticate with secret providers using OIDC tokens from your deployment platform β no long-lived credentials needed
https://varlock.dev/guides/oidc/
2 months ago
0
8
1
Varlock v1 also now has built-in macOS keychain support. Write `ITEM=keychain(prompt)` and you get a native mac popup to choose/add an item. It writes back to your schema with the id. ACL is limited and reading is gated behind fingerprint.
3 months ago
1
5
0
Pushed a HUGE varlock@v1 featuring built-in local encryption via native binaries. No extra setup, and you get native DX to decrypt using biometrics. This is for local git-ignored values, and acts as foundation for future caching + team vaults. Get EVERY secret out of plaintext!
3 months ago
1
5
0
Introducing bumpy πΈ - a new version/release/changelog tool (carefully crafted slop fork of changesets π¦) Fixes 100s of open issues, much simpler, more flexible. We use it to release
@varlock.dev
and 25+ linked plugins/libs.
bumpy.varlock.dev
3 months ago
4
25
5
reposted by
Theo Ephraim
varlock.dev
3 months ago
DMNO (varlock) was one of the fastest growing open-source orgs on GitHub in Q1. Thanks for the recognition
@supabase.com
>commitvc
#osscarindex
osscar.dev/org/dmno-dev
loading . . .
DMNO β OSSCAR Q1 2026
DMNO on OSSCAR Q1 2026 with a composite score of 3.000.
https://osscar.dev/org/dmno-dev
0
9
2
To celebrate
@cloudflare.social
's epic week - the new
@varlock.dev
workers integration got a revamp and it is RAD. We totally fixed env vars in workers.
varlock.dev/integrations...
Full validation, pull from anywhere, set env atomically w/ each deploy. No more mix of .dev.vars/.env/wrangler.toml
loading . . .
Cloudflare Workers
How to integrate varlock with Cloudflare Workers and Wrangler for secure, type-safe environment management
https://varlock.dev/integrations/cloudflare/
3 months ago
0
3
1
Want to realize you've been storing your celery wrong your whole life? check out
howtostore.food
π₯¦π₯π Idea has been kicking around in my head for 10+ years, finally made feasible by AI. Still more to do, but very proud of the native view transitions! (built on
@astro.build
and
@cloudflare.social
)
loading . . .
Food Storage Guide | HowToStore.food
How to store food so it stays fresh longer. Storage guides by item, method, and category.
https://howtostore.food
3 months ago
0
5
2
Load more
feeds!
log in