.output/public contains duplicate assets, server files, api files

[arfath-linklet]

Which project does this relate to?

Start

Describe the bug

Running a Tanstack Start build I expect only assets from public dir and public build artifacts to be served statically.

.output/public/assets: contain duplicate files also served in .output/public/_build/assets
.output/public/_build/.vite/manifest.json: exposes source folder structure to the world

enabling nitro compression using

compressPublicAssets: {
  gzip: true,
  brotli: true,
}

exposes additional files in .output/public

.output/public/assets: contains server files in compressed form
.output/public/_server/assets: contains server files in compressed form
.output/public/api/assets: contains server files in compressed form

As a workaround we include only the public files we think are safe explicitly in our docker builds

# Server
COPY --chown=app:app ./.output/server /app/.output/server
COPY --chown=app:app ./.output/nitro.json /app/.output/nitro.json
# Public
COPY --chown=app:app ./.output/public/_build/assets /app/.output/public/_build/assets
COPY --chown=app:app ./public /app/.output/public

Your Example Website or App

https://codesandbox.io/p/devbox/github/tanstack/router/tree/main/examples/react/start-basic?embed=1&theme=dark

Steps to Reproduce the Bug or Issue

Reproducible with start-basic example. Enable Nitro compression using app.config

compressPublicAssets: {
  gzip: true,
  brotli: true,
}

Expected behavior

I expect publicly exposed .output/public to strictly contain public files that are safe to serve avoiding possible server sensitive leaks.

Screenshots or Videos

No response

Platform

• OS: macOS
• Browser: Chrome
• Version: ~1.114.0

Additional context

No response

[gunnartorfis]

This is probably the same issue I am encountering. When I run my Tanstack Start app with Docker I get the following runtime error:

[request error] [unhandled] [GET] http://localhost:3000/
 H3Error: Invariant failed: Duplicate routes found with id: __root__
    at invariant (file:///app/server/node_modules/tiny-invariant/dist/esm/tiny-invariant.js:12:11)
    ... 8 lines matching cause stack trace ...
    at new RouterCore (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:1422:10) {
  cause: Error: Invariant failed: Duplicate routes found with id: __root__
      at invariant (file:///app/server/node_modules/tiny-invariant/dist/esm/tiny-invariant.js:12:11)
      at file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:126:11
      at Array.forEach (<anonymous>)
      at recurseRoutes (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:120:21)
      at file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:139:13
      at Array.forEach (<anonymous>)
      at recurseRoutes (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:120:21)
      at RouterCore.buildRouteTree (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:143:7)
      at RouterCore.update (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:86:14)
      at new RouterCore (file:///app/server/node_modules/@tanstack/router-core/dist/esm/router.js:1422:10),
  statusCode: 500,
  fatal: false,
  unhandled: true,
  statusMessage: undefined,
  data: undefined
}

These are the COPY steps we're using:

COPY --from=installer --chown=web:nodejs /app/apps/web/.output ./
COPY --from=installer --chown=web:nodejs /app/apps/web/public ./public

[SeanCassiere]

The duplicate assets problem has been fixed with the Vite and Nitro builds being separated.