envilder
Version:
A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth
629 lines (400 loc) • 20.3 kB
Markdown
# CLI Changelog
Changes specific to the CLI (`envilder` npm package).
For SDK-specific changes, see `sdk-dotnet.md`, `sdk-python.md`, or `sdk-nodejs.md`.
---
## [0.13.0] - 2026-06-26
### Added
* **Colorized `AWS identity` banner**: The
`☁ AWS identity · account=… · region=… · profile=…` line is now colorized.
`account` and `region` render in red when they resolve to `unknown`,
signalling that authentication failed
([#382](https://github.com/macalbert/envilder/issues/382))
* **Dedicated `SsoSessionExpiredError` for expired SSO sessions**:
Failures to resolve or load an AWS SSO session now surface as a
dedicated `SsoSessionExpiredError` (a sibling of
`ExpiredCredentialsError`) carrying the AWS profile from
`$config.profile`. The message is calm and actionable, telling you to
run `aws sso login --profile <name>`. A plain expired session token
still surfaces as `ExpiredCredentialsError`
([#374](https://github.com/macalbert/envilder/issues/374))
* **Calm, actionable error blocks via `CliErrorPresenter`**: Credential
errors now render through a single `CliErrorPresenter` that prints a
calm, colorized, actionable error block instead of a raw stack trace
([#374](https://github.com/macalbert/envilder/issues/374))
* **TTY-gated `aws sso login` redirect with auto-retry**: On an
`SsoSessionExpiredError` in an interactive terminal, the CLI offers to
run `aws sso login` for you (spawned safely with array arguments,
never through a shell) and retries the pull once after a successful
login. Non-interactive runs (CI, pipes) never prompt and just present
the actionable message
([#375](https://github.com/macalbert/envilder/issues/375))
### Changed
* **Print the `AWS identity` banner before resolving secrets**: The
banner is now printed before secrets are resolved, so it always
appears first. Previously it could surface mid-output because secrets
resolve in parallel
([#382](https://github.com/macalbert/envilder/issues/382))
### Fixed
* **Clear error for expired or invalid AWS credentials**: Expired or
invalid AWS credentials (e.g. an expired session token) now produce a
clear, actionable `ExpiredCredentialsError` telling you to refresh
credentials (e.g. run `aws sso login`), instead of being masked as a
misleading `ParameterNotFound`. The pull command now fails fast in
this case
---
## [0.12.1] - 2026-06-26
### Fixed
* **Honor `$config.profile` for the AWS region, not just credentials**:
When a map file set an AWS profile via `$config.profile`, Envilder applied
it to credentials only; the AWS SDK fell back to the default profile's
region and silently read or wrote SSM parameters in the wrong
account-region. Envilder now sets `AWS_PROFILE` so the AWS SDK resolves
both the profile's region and its (SSO-capable) credentials natively.
Region resolution order is `AWS_REGION` > `AWS_DEFAULT_REGION` >
profile region > `us-east-1` fallback
([#382](https://github.com/macalbert/envilder/issues/382))
### Added
* **Log the effective AWS identity before resolving secrets**:
Before the first read or write, Envilder logs
`☁ AWS identity · account=… · region=… · profile=…` so a misrouted account
or region is immediately visible. The account is read from the active
credentials, falling back to an STS `GetCallerIdentity` call when not
present, then `unknown`
([#382](https://github.com/macalbert/envilder/issues/382))
---
## [0.12.0] - 2026-06-26
### Changed
* **Preserve existing `.env` formatting on pull**: When the target `.env`
file already exists, Envilder now updates values in place instead of
rewriting the file from scratch. Full-line comments, blank lines, key
ordering, `export` prefixes, and surrounding spacing are preserved; only
the values of mapped keys are replaced, and new keys are appended at the
end. (Inline comments after a value, e.g. `KEY=val # note`, are not
preserved.)
---
## [0.11.0] - 2026-05-31
### Changed
* **BREAKING: Require Node.js >= 22.12**: pnpm 11, testcontainers v12,
commander 15, and commitlint 21 require Node.js 22.12+. The `engines`
field now enforces `>=22.12.0`
([#291](https://github.com/macalbert/envilder/pull/291))
### Dependencies
* Update all devDependencies to latest (TypeScript 6.0.3, Biome 2.4.16,
testcontainers 12.0.1, pnpm 11.5.0)
* Remove `rimraf`: replaced with zero-dependency `fs.rmSync` in clean scripts
([#291](https://github.com/macalbert/envilder/pull/291))
---
## [0.10.0] - 2026-05-03
### Added
* **Map-file JSON Schema**: A formal JSON Schema specification for map files,
published at `https://envilder.com/schema/map-file.v1.json`. Add
`"$schema": "https://envilder.com/schema/map-file.v1.json"` to any map file
for IDE autocomplete, inline documentation, and validation
([#218](https://github.com/macalbert/envilder/pull/218))
* **Schema contract tests**: 39 tests validating the JSON Schema across all
providers (AWS, Azure, GCP, HashiCorp Vault, file)
### Fixed
* **Reserved key filtering**: All `$`-prefixed keys (e.g. `$schema`) are now
excluded from variable mappings. Previously only `$config` was filtered,
causing `$schema` to leak into environment variables
([#218](https://github.com/macalbert/envilder/pull/218))
---
## [0.9.4] - 2026-05-03
### Fixed
* Mask secret path in bulk push log output (#185)
---
## [0.9.3] - 2026-04-17
### Added
* **Runtime SDKs now available**: Load secrets directly into your application
at startup, no `.env` file needed:
**.NET** ([NuGet](https://www.nuget.org/packages/Envilder)):
```csharp
builder.Configuration.AddEnvilder("envilder.json");
```
**Python** ([PyPI](https://pypi.org/project/envilder)):
```python
from envilder import Envilder
Envilder.load('envilder.json')
```
**CLI** (as always):
```bash
npx envilder --map=envilder.json --envfile=.env
```
**GitHub Action:**
```yaml
- uses: macalbert/envilder/github-action@v0
with:
map-file: envilder.json
env-file: .env
```
### Changed
* **README rewritten**: Streamlined messaging, accurate comparison
tables, simplified quick start (2 steps), and reduced noise
### Fixed
* **ci(publish-npm):** Narrowed `paths` filter from `src/**` to
`src/envilder/**` so SDK/website/IaC changes no longer trigger the
npm publish workflow
* **ci(publish-npm):** Replaced `npm view` with `curl` against the npm
registry API to avoid `.npmrc` auth failures during version detection
* **ci(publish-website):** Added `docs/CHANGELOG.md` and
`docs/changelogs/**` to path filters so changelog updates trigger
website deployment
### Dependencies
* Bump `typescript` from 6.0.2 to 6.0.3
---
## [0.9.2] - 2026-04-02
### Added
* **LocalStack sponsor section**: Added sponsor section to website homepage and README with LocalStack logos
(dark, light, color variants) and a new `Sponsors.astro` component
([#136](https://github.com/macalbert/envilder/pull/136))
* **Website test suite**: Added `tests/website/` with Vitest coverage for i18n utilities and Markdown helpers
* **`BackToTop` component**: New scroll-to-top button component for the documentation website
### Changed
* **Project layout restructured for SDK platform readiness** ([#134](https://github.com/macalbert/envilder/pull/134)):
* Core domain layer moved from `src/envilder/` to `src/envilder/core/`
* Website moved from `src/apps/website/` to `src/website/`
* All imports, `tsconfig.json`, `package.json`, and workspace config updated accordingly
* **Website UX improvements**: `DocsContent`, `HowItWorks`, `ThemeSwitcher`, `TerminalMockup`, and
`BaseLayout` components updated; global CSS expanded; i18n keys added for new content
### Fixed
* **README:** Replace `#gh-light-mode-only` / `#gh-dark-mode-only` image fragments with a `<picture>`
element using `prefers-color-scheme` media queries
* **ci:** Update version check in publish workflow to use published version from npm
### Dependencies
* Bump `@aws-sdk/client-ssm` from 3.1019.0 to 3.1021.0 ([#140](https://github.com/macalbert/envilder/pull/140))
* Bump `@aws-sdk/credential-providers` from 3.1019.0 to 3.1021.0 ([#142](https://github.com/macalbert/envilder/pull/142))
* Bump `secretlint` from 11.4.0 to 11.4.1 ([#141](https://github.com/macalbert/envilder/pull/141))
* Bump `@secretlint/secretlint-rule-preset-recommend` from 11.4.0 to 11.4.1 ([#144](https://github.com/macalbert/envilder/pull/144))
* Bump `astro` from 6.1.1 to 6.1.2 ([#143](https://github.com/macalbert/envilder/pull/143))
* Bump `actions/configure-pages` from 5 to 6 ([#139](https://github.com/macalbert/envilder/pull/139))
* Bump `actions/deploy-pages` from 4 to 5 ([#138](https://github.com/macalbert/envilder/pull/138))
* Bump `pnpm/action-setup` from 4 to 5 ([#137](https://github.com/macalbert/envilder/pull/137))
---
## [0.9.1] - 2026-03-30
### Added
* **Documentation website**: Full Astro-based docs site deployed at [envilder.com](https://envilder.com),
with multi-language support (EN, ES, CA), dark/retro and light themes, and a dedicated changelog page
### Changed
* Updated Envilder logo in README
### Fixed
* **deps:** Move `@types/node` from `dependencies` to `devDependencies` to prevent it from being bundled as a runtime dependency
* **e2e:** Use unique SSM paths per CLI test run to prevent race conditions between parallel test executions
### Dependencies
* Bump `brace-expansion` from 5.0.4 to 5.0.5 (security patch)
* Bump `@azure/core-rest-pipeline` and `@azure/identity` group updates
---
## [0.8.0] - 2026-03-22
### Added
* **`$config` section in map files**: Map files now support an optional `$config` key to declare provider
and connection details inline (e.g., `"provider": "azure"`, `"vaultUrl": "https://..."`,
`"profile": "dev-account"`)
* New CLI flag `--vault-url <url>`: Azure Key Vault URL, overrides `$config.vaultUrl` in the map file
* Precedence chain: CLI flags > `$config` in map file > defaults
* Backward compatible: existing map files without `$config` continue to work (defaults to AWS provider)
* **Azure Key Vault support**: Use `--provider=azure` to pull/push secrets from Azure Key Vault ([#90](https://github.com/macalbert/envilder/pull/90))
* New infrastructure adapter: `AzureKeyVaultSecretProvider` implementing `ISecretProvider`
* New CLI option `--provider <name>` to select cloud provider (`aws` or `azure`, default: `aws`)
* Azure authentication via `DefaultAzureCredential` (supports Azure CLI, managed identity, etc.)
### Changed
* **CLI flag `--ssm-path` renamed to `--secret-path`**: The old flag is still accepted as a deprecated
alias and prints a warning. It will be removed in a future release.
* `configureInfrastructureServices()` now receives a single `MapFileConfig` object instead of separate parameters
* CLI reads `$config` from the map file and merges with CLI flags
* Extracted shared `ContainerConfiguration` module for DI setup reused by CLI and GitHub Action
* Updated CLI description to include Azure Key Vault examples
### Dependencies
* Added `@azure/keyvault-secrets`
* Added `@azure/identity`
* Added `@azure/core-rest-pipeline`
---
## [0.7.12] - 2026-03-22
### Fixed
* **ssm:** Upgrade AWS SDK to resolve fast-xml-parser CVEs ([#128](https://github.com/macalbert/envilder/pull/128))
### Changed
* **ci:** Upgrade `dorny/test-reporter` to v3 for Node.js 24 support ([#127](https://github.com/macalbert/envilder/pull/127))
* **dx:** Add AI workflow agents, prompts, and lefthook pre-commit hook ([#125](https://github.com/macalbert/envilder/pull/125))
### Dependencies
* Bump `undici` from 7.22.0 to 7.24.1 ([#126](https://github.com/macalbert/envilder/pull/126))
---
## [0.7.11] - 2026-03-08
### Security
* Bump AWS SDK packages to resolve `fast-xml-parser` vulnerability ([#124](https://github.com/macalbert/envilder/pull/124))
---
## [0.7.10] - 2026-03-02
### Changed
* **ci:** Update CI configuration for improved build reliability
* Bump AWS SDK SSM to 3.1000.0 and align CI/publish workflows ([#123](https://github.com/macalbert/envilder/pull/123))
### Dependencies
* Bump `@aws-sdk/credential-providers` from 3.995.0 to 3.1000.0 ([#122](https://github.com/macalbert/envilder/pull/122))
* Bump `@types/node` from 25.3.0 to 25.3.3 ([#121](https://github.com/macalbert/envilder/pull/121))
* Bump `minimatch` ([#119](https://github.com/macalbert/envilder/pull/119))
---
## [0.7.9] - 2026-02-22
### Fixed
* **security:** Patch transitive dependency vulnerabilities ([#118](https://github.com/macalbert/envilder/pull/118))
* **ci:** Simplify npm publish command in workflow
---
## [0.7.8] - 2026-02-05
### Fixed
* **deps:** Upgrade AWS SDK to resolve `fast-xml-parser` DoS vulnerability ([#116](https://github.com/macalbert/envilder/pull/116))
### Dependencies
* Bump `@isaacs/brace-expansion` ([#115](https://github.com/macalbert/envilder/pull/115))
* Bump `@secretlint/secretlint-rule-preset-recommend` ([#114](https://github.com/macalbert/envilder/pull/114))
* Bump `commander` from 14.0.2 to 14.0.3 ([#113](https://github.com/macalbert/envilder/pull/113))
* Bump `@aws-sdk/client-ssm` from 3.958.0 to 3.980.0 ([#112](https://github.com/macalbert/envilder/pull/112))
* Bump `secretlint` from 11.2.5 to 11.3.1 ([#110](https://github.com/macalbert/envilder/pull/110))
* Bump `@commitlint/cli` from 20.3.0 to 20.4.0 ([#111](https://github.com/macalbert/envilder/pull/111))
---
## [0.7.7] - 2026-01-27
### Added
* **push:** AWS throttling retry logic and duplicate SSM path validation ([#109](https://github.com/macalbert/envilder/pull/109))
### Fixed
* **ci:** Streamline `npm publish` workflow to prevent failures ([#106](https://github.com/macalbert/envilder/pull/106))
### Dependencies
* Bump `lodash` ([#108](https://github.com/macalbert/envilder/pull/108))
* Bump `diff` ([#107](https://github.com/macalbert/envilder/pull/107))
---
## [0.7.6] - 2026-01-16
### Fixed
* **ci:** Align npm publish script with CI workflow expectations to prevent failures
* Removed redundant validation steps (lint, build, test) from publish script
### Changed
* Simplified npm publish script from full validation pipeline to `npm pack --dry-run && npm publish`
* Updated README badge links
* Converted README badges from HTML to standard Markdown format
### Removed
* **ci:** Deleted deprecated `publish-action.yml` workflow
---
## [0.7.5] - 2026-01-15
### Documentation
* Remove changelog generation instructions from documentation ([#104](https://github.com/macalbert/envilder/pull/104))
### Dependencies
* Bump undici to address security vulnerability ([#105](https://github.com/macalbert/envilder/pull/105))
---
## [0.7.4] - 2026-01-02
### Dependencies
* Bump @commitlint/cli from 20.1.0 to 20.2.0 ([#103](https://github.com/macalbert/envilder/pull/103))
* Bump testcontainers from 11.9.0 to 11.11.0 ([#102](https://github.com/macalbert/envilder/pull/102))
* Bump @types/node from 24.10.1 to 25.0.3 ([#101](https://github.com/macalbert/envilder/pull/101))
* Bump @testcontainers/localstack from 11.9.0 to 11.11.0 ([#100](https://github.com/macalbert/envilder/pull/100))
* Bump @commitlint/config-conventional ([#99](https://github.com/macalbert/envilder/pull/99))
---
## [0.7.3] - 2025-11-29
### Changed
* **ci:** Update Node.js version to 24 in workflow
* Update publish command to use pnpm
* Add repository field to package.json
* Standardize quotes in publish-npm.yml
### Dependencies
* Bump actions/checkout from 5 to 6 ([#98](https://github.com/macalbert/envilder/pull/98))
* Bump glob from 11.1.0 to 13.0.0 ([#97](https://github.com/macalbert/envilder/pull/97))
* Bump pnpm/action-setup from 2 to 4 ([#92](https://github.com/macalbert/envilder/pull/92))
* Bump @commitlint/cli from 19.8.1 to 20.1.0 ([#94](https://github.com/macalbert/envilder/pull/94))
* Bump glob in the npm_and_yarn group ([#96](https://github.com/macalbert/envilder/pull/96))
---
## [0.7.1] - 2025-11-16
### Documentation
* Update README and ROADMAP for GitHub Action integration ([#95](https://github.com/macalbert/envilder/pull/95))
### Changed
* **ci:** Update workflow to use pnpm for dependency management
### Tests
* Increase timeout for E2E tests to 60 seconds
---
## [0.7.0] - 2025-11-16
### Added
* **packaging:** Add project build and uninstall functionality
### Fixed
* **cli:** Correct build command from `ppnpm` to `pnpm`
### Changed
* Move GitHub Action to `github-action/` subfolder
### Breaking Changes
* Action path changed from `macalbert/envilder@v1` to `macalbert/envilder/github-action@v1`
---
## [0.6.6] - 2025-11-02
### Changed
* Updated AWS credentials configuration in workflows
* Bumped vite, @types/node, @biomejs/biome, GitHub/codeql-action, actions/setup-node, vitest
---
## [0.6.5] - 2025-10-15
### Added
* Enabled npm trusted publishing with OIDC authentication
### Dependencies
* Bumped tmp, @types/node, @testcontainers/localstack, testcontainers, @aws-sdk/credential-providers
* Bumped secretlint, @biomejs/biome, @secretlint/secretlint-rule-preset-recommend
* Bumped vite, commander, inversify
* Updated actions/checkout, actions/setup-node, actions/upload-pages-artifact, aws-actions/configure-aws-credentials
---
## [0.6.4] - 2025-08-02
### Dependencies
* Bumped typescript from 5.8.3 to 5.9.2
* Bumped secretlint, @types/glob, @secretlint/secretlint-rule-preset-recommend, @biomejs/biome
---
## [0.6.3] - 2025-07-20
### Changed
* Bump version to 0.6.3 in package.json
---
## [0.6.2] - 2025-07-20
### Changed
* **di:** Implement .NET-Style DIP Startup Pattern for dependency injection ([#59](https://github.com/macalbert/envilder/pull/59))
---
## [0.6.1] - 2025-07-13
### Added
* **Push Mode** functionality to upload environment variables to AWS SSM Parameter Store
* File-based approach for pushing multiple variables from `.env` files
* Single-variable approach for direct command line uploads
* Support for working with different AWS profiles when pushing secrets
### Security
* Implemented secure parameter handling to protect sensitive values
### Changed
* Designed clean, modular command structure for Push Mode operations
* Added new domain models and handlers to support Push feature
* Maintained separation of concerns between infrastructure and application layers
---
## [0.6.0] - 2025-07-13
### Added
* **push:** Introduced Push Mode: sync local `.env` variables to AWS SSM Parameter Store ([#57](https://github.com/macalbert/envilder/pull/57))
---
## [0.5.6] - 2025-07-06
### Added
* Introduced new logger interface for seamless integration of custom logging implementations
### Changed
* Updated several packages for improved security and performance
---
## [0.5.5] - 2025-06-29
### Changed
* Moved `EnvilderBuilder` from `domain` to `application/builders` directory
* Updated import paths across codebase for better organization
### Fixed
* Fixed glob pattern and path handling in test cleanup functions
* Corrected file path resolution in end-to-end tests
---
## [0.5.4] - 2025-06-10
### Added
* Added unit tests for error handling with missing CLI arguments
* Enhanced unit test reporting with JUnit format for better CI integration
### Changed
* Refactored `EnvFileManager` and related interfaces to use async/await
* Improved error handling and modularized secret processing
* Extracted `PackageJsonFinder` class
* Updated dependencies for better reliability
---
## [0.5.3] - 2025-06-07
### Added
* Modular CLI for environment variable synchronization with pluggable secret providers
* Builder pattern for flexible CLI configuration and usage
* Extensive unit, integration, and end-to-end tests
* AWS integration testing using LocalStack with TestContainers
### Changed
* **BREAKING**: Full TypeScript migration from JavaScript
* Introduced modular, layered architecture with clear separation
* Migrated CI/CD workflows from Yarn to npm
---
## [0.5.2] - 2025-05-18
### Added
* Comprehensive E2E validation test in CI/CD pipeline
* Ensures package integrity and command-line operability before release
---
## [0.5.1] - 2025-05-16
### Fixed
* CLI command not recognized after global install (`npm install -g envilder`)
* Fixed missing compiled `lib/` files in published package