Expo integration

[ghandic]

This pull request introduces a new Expo / React Native integration package for varlock, providing a Babel plugin that enables secure, type-safe environment variable handling in Expo projects. The integration statically replaces non-sensitive ENV.xxx references at compile time, validates environment variables, and ensures sensitive values are never leaked into the bundle. The pull request also includes initial documentation, test coverage, build configuration, and updates to workspace settings and website navigation.

Expo / React Native integration package:

• Added new package @varlock/expo-integration with a Babel plugin (src/babel-plugin.ts) that replaces non-sensitive ENV.xxx references with static values at compile time and leaves sensitive values for runtime access, including leak prevention and log redaction features.
• Created initial documentation (README.md) and changelog for the new Expo integration, outlining installation, usage, security, and features. [1] [2]
• Added package metadata and configuration in package.json, including peer dependencies, build scripts, and export settings.
• Provided a full suite of tests for the Babel plugin to verify static replacement, sensitive value handling, plugin metadata, and module initialization.

Build and workspace configuration:

• Added build configuration (tsup.config.ts) and TypeScript settings (tsconfig.json) for the new Expo integration package. [1] [2]
• Updated root package.json workspace configuration to support new integrations and plugins package directories.

Website update:

• Added Expo / React Native integration to the website navigation in astro.config.ts, highlighting it as a new feature.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7f47768

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[theoephraim]

This is great! My main question here is what does it mean to be a "sensitive env var" within this context. In a few places it's mentioned that they are still available at runtime via the proxy (which is true for some other integrations) but how does that work here? Are sensitive env vars even a thing in native apps since you can never really secure them?

[theoephraim]

7.29.0 is the latest - not sure if better to leave at earliest or use current. I think in similar situations we mostly use the current version.

[ghandic]

In the root package.json it has "@babel/core": "^7.0.0", - happy to put either

[ghandic]

This is great! My main question here is what does it mean to be a "sensitive env var" within this context. In a few places it's mentioned that they are still available at runtime via the proxy (which is true for some other integrations) but how does that work here? Are sensitive env vars even a thing in native apps since you can never really secure them?

Intention was for server api routes in expo, I have added this and validation in my next commit as well as better explanation around it

[theoephraim]

great - I figured that was the case but I'm not familiar so just wasn't sure, and wanted to make sure it wasnt just hallucinating based on other readmes :)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​16.1.6
	@​google-cloud/​secret-manager@​6.1.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/astro@5.18.1 → npm/vite@6.4.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report