
fix: escape special characters in --format shell output to prevent shell injection #472

Merged
theoephraim merged 2 commits into main from
copilot/fix-unescaped-quotes-shell-injection
Mar 24, 2026

Conversation


Copilot AI commented Mar 23, 2026

varlock load --format shell only escaped " and \n in double-quoted output, leaving backticks, $VAR, and $() unescaped — causing eval "$(varlock load --format shell)" to fail or execute unintended commands when values contained those characters.

Changes

  • Switch shell format to single-quoted values — single quotes prevent all shell expansion; only ' itself needs escaping via the '\'' sequence
  • Extract formatShellValue() as an exported helper to keep the escaping logic testable and isolated; env format retains double-quote behavior unchanged
  • Add unit tests covering backticks, $VAR, $(), double quotes, backslashes, single quotes, and newlines

Before / After

# Value: this-is-a-password`

# Before (broken — backtick triggers command substitution)
export ******

# After (safe — single quotes prevent all expansion)
export PASSWORD='this-is-a-password`'

# Value containing single quotes: it's a secret
export PASSWORD='it'\''s a secret'
Original prompt

This section details the original issue you should resolve

<issue_title>[BUG]: Unescaped quotes in values cause shell injection to fail</issue_title>
<issue_description>varlock version

0.6.3

Steps to reproduce

Direnv user here.
If you try to inject varlock into your shell using eval "$(varlock load --format shell)", you may have an error if your environment values have some quotes/backticks in them.

Say I have my .env.schema with:

PASSWORD=exec(`pass-cli item view "pass://my-vault/example/password"`)

if my password is: this-is-a-password`

This will cause the eval process to fail.

A workaround is to use the JSON output and jq to export the vars.
This replaces the eval() call in my .envrc file:

# Workaround: turn the JSON output into KEY=VALUE lines and export each one.
# Each line is treated as one variable, so this assumes values contain no newlines.
while IFS= read -r line; do
    export "$line"
done < <(
    varlock load --format json |
    jq -r 'to_entries[] | "\(.key)=\(.value)"'
)

What is expected?

varlock load --format shell should probably escape quotes

What is actually happening?

eval() fails

System Info

Any additional comments?

No response</issue_description>

<agent_instructions>fix this and add appropriate test case(s)</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@philmillman Sorry about that, will get it fixed asap! thanks for the report!
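The escaping scheme this PR adopts, as an added TypeScript example that is not varlock's own code: the double-quoted formatter the issue describes, placed beside the single-quoted replacement, a validator for the bare variable name that precedes the value, and a small decoder that checks the quote/unquote round trip without spawning a shell. The function names, the key validation, and the sample values are assumptions for illustration, not taken from the project.

```typescript
// Added example, not varlock's own code: a re-implementation of the escaping
// strategy the PR describes (single-quoted values, ' emitted as '\'' ), shown
// beside the double-quoted variant it replaces. All names are assumptions.

// BEFORE: double-quoted output that escapes only `"` and newlines. Backticks,
// $VAR and $(...) pass through untouched, so `eval` expands them.
function formatShellValueDoubleQuoted(value: string): string {
  return '"' + value.replace(/"/g, '\\"').replace(/\n/g, '\\n') + '"';
}

// AFTER: single-quoted output. Inside single quotes the shell performs no
// expansion at all; the only byte needing treatment is the single quote,
// emitted as '\'' (close the quote, a backslash-escaped quote, reopen).
function formatShellValue(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Bytes that still carry meaning to the shell inside double quotes.
function isSafeInDoubleQuotes(value: string): boolean {
  return !/[`$\\]/.test(value);
}

// The value is now quoted, but the variable name is emitted bare after
// `export`, so it must be validated too (assumption: done here, in the
// formatter, rather than wherever varlock validates its schema keys).
const VALID_SHELL_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function formatShellExports(env: Record<string, string>): string {
  const lines: string[] = [];
  for (const [key, value] of Object.entries(env)) {
    if (!VALID_SHELL_NAME.test(key)) {
      throw new Error(`refusing to emit invalid shell variable name: ${JSON.stringify(key)}`);
    }
    lines.push(`export ${key}=${formatShellValue(value)}`);
  }
  return lines.map((l) => l + '\n').join('');
}

// Decoder for exactly the syntax formatShellValue emits: a run of
// single-quoted segments joined by \' splices. Used to check, without
// spawning a shell, that quoting then unquoting returns the original bytes.
function unquoteSingleQuoted(word: string): string {
  let out = '';
  let i = 0;
  while (i < word.length) {
    if (word[i] !== "'") throw new Error(`expected ' at offset ${i}`);
    const close = word.indexOf("'", i + 1);
    if (close < 0) throw new Error('unterminated single quote');
    out += word.slice(i + 1, close);
    i = close + 1;
    if (word.startsWith("\\'", i)) { // the '\'' splice: an unquoted, escaped '
      out += "'";
      i += 2;
    }
  }
  return out;
}

// Constructed sample values covering the cases the PR's tests enumerate.
const SAMPLES: string[] = [
  'this-is-a-password`',
  "it's a secret",
  'a$(id)b',
  '$HOME',
  'back\\slash',
  'line1\nline2',
  'say "hi"',
  '',
];

function roundTripsAll(): boolean {
  return SAMPLES.every((v) => unquoteSingleQuoted(formatShellValue(v)) === v);
}

// What `varlock load --format shell` would print for two constructed values.
const DEMO_OUTPUT = formatShellExports({
  PASSWORD: 'this-is-a-password`',
  NOTE: "it's a secret",
});
```

The decoder exists only to make the round-trip property checkable in a unit test; the real consumer is `eval`, and the single-quote rule holds for any POSIX shell, so a value that contains a literal newline is also passed through intact rather than rewritten as `\n`.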


@changeset-bot

changeset-bot bot commented Mar 23, 2026

🦋 Changeset detected

Latest commit: c6c3d12

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 12 packages
Name Type
varlock Patch
@varlock/astro-integration Patch
@varlock/nextjs-integration Patch
@varlock/vite-integration Patch
@varlock/1password-plugin Patch
@varlock/aws-secrets-plugin Patch
@varlock/azure-key-vault-plugin Patch
@varlock/bitwarden-plugin Patch
@varlock/google-secret-manager-plugin Patch
@varlock/hashicorp-vault-plugin Patch
@varlock/infisical-plugin Patch
@varlock/pass-plugin Patch


Copilot AI changed the title from "[WIP] Fix unescaped quotes in values for shell injection" to "fix: escape special characters in --format shell output to prevent shell injection" Mar 23, 2026
Copilot AI requested a review from philmillman March 23, 2026 17:39
@pkg-pr-new

pkg-pr-new bot commented Mar 23, 2026


npm i https://pkg.pr.new/varlock@472

commit: c6c3d12

@philmillman philmillman marked this pull request as ready for review March 23, 2026 17:42
@philmillman philmillman requested a review from theoephraim March 23, 2026 17:42
@philmillman philmillman removed their assignment Mar 23, 2026
@theoephraim theoephraim merged commit 0ca309d into main Mar 24, 2026
17 checks passed

Development

Successfully merging this pull request may close these issues.

[BUG]: Unescaped quotes in values cause shell injection to fail

3 participants