Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

middlewares: limit process.env to inferred usage #33186

Merged

Conversation

Schniz
Copy link
Contributor

@Schniz Schniz commented Jan 11, 2022

Production middlewares will only expose env vars that are statically analyzable, as mentioned here: https://nextjs.org/docs/api-reference/next/server#how-do-i-access-environment-variables

This creates some incompatibility with next dev and next start, where all process.env data is shared and can lead to unexpected behavior in runtime.

This PR fixes it by limiting the data in process.env with the inferred env vars from the code usage. I believe the test speaks for itself 馃暫

Production middlewares will only expose env vars that are statically
analyzable, as mentioned here: https://nextjs.org/docs/api-reference/next/server#how-do-i-access-environment-variables

This creates some incompatibility with `next dev` and `next start`,
where all `process.env` data is shared and can lead to unexpected
behavior in runtime.

This PR fixes it by limiting the data in `process.env` with the inferred
env vars from the code usage.
@ijjk

This comment has been minimized.

sokra
sokra previously approved these changes Jan 11, 2022
@ijjk

This comment has been minimized.

Copy link
Member

@ijjk ijjk left a comment

Looks good after we resolve the failing test case:

FAIL test/integration/react-streaming-and-server-components/test/index.test.js (78.221 s)
鈼 concurrentFeatures - prod 鈥 should render the correct html

    expect(received).toContain(expected) // indexOf

    Expected substring: "env:env_var_test"
    Received string:    "<!DOCTYPE html>

@Schniz Schniz requested a review from padmaia as a code owner Jan 12, 2022
@Schniz Schniz requested a review from sokra Jan 12, 2022
Co-authored-by: Tobias Koppers <tobias.koppers@googlemail.com>
@ijjk

This comment has been minimized.

@ijjk

This comment has been minimized.

@ijjk

This comment has been minimized.

@ijjk
Copy link
Member

ijjk commented Jan 12, 2022

Stats from current PR

Default Build (Increase detected 鈿狅笍)
General Overall increase 鈿狅笍
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
buildDuration 16.7s 16s -666ms
buildDurationCached 3.5s 3.5s -39ms
nodeModulesSize 355 MB 355 MB 鈿狅笍 +918 B
Page Load Tests Overall increase 鉁
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
/ failed reqs 0 0
/ total time (seconds) 3.08 3.056 -0.02
/ avg req/sec 811.77 818.13 +6.36
/error-in-render failed reqs 0 0
/error-in-render total time (seconds) 2.681 1.512 -1.17
/error-in-render avg req/sec 932.49 1653.12 +720.63
Client Bundles (main, webpack, commons)
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
450.HASH.js gzip 179 B 179 B
framework-HASH.js gzip 42.2 kB 42.2 kB
main-HASH.js gzip 27.2 kB 27.2 kB
webpack-HASH.js gzip 1.45 kB 1.45 kB
Overall change 71 kB 71 kB
Legacy Client Bundles (polyfills)
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
polyfills-HASH.js gzip 31 kB 31 kB
Overall change 31 kB 31 kB
Client Pages
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
_app-HASH.js gzip 1.37 kB 1.37 kB
_error-HASH.js gzip 194 B 194 B
amp-HASH.js gzip 312 B 312 B
css-HASH.js gzip 326 B 326 B
dynamic-HASH.js gzip 2.37 kB 2.37 kB
head-HASH.js gzip 350 B 350 B
hooks-HASH.js gzip 919 B 919 B
image-HASH.js gzip 4.74 kB 4.74 kB
index-HASH.js gzip 263 B 263 B
link-HASH.js gzip 2.13 kB 2.13 kB
routerDirect..HASH.js gzip 321 B 321 B
script-HASH.js gzip 383 B 383 B
withRouter-HASH.js gzip 318 B 318 B
85e02e95b279..7e3.css gzip 107 B 107 B
Overall change 14.1 kB 14.1 kB
Client Build Manifests
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
_buildManifest.js gzip 459 B 459 B
Overall change 459 B 459 B
Rendered Page Sizes
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
index.html gzip 532 B 532 B
link.html gzip 546 B 546 B
withRouter.html gzip 527 B 527 B
Overall change 1.6 kB 1.6 kB

Default Build with SWC
General Overall increase 鈿狅笍
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
buildDuration 16.9s 16.9s 鈿狅笍 +55ms
buildDurationCached 3.4s 3.4s -23ms
nodeModulesSize 355 MB 355 MB 鈿狅笍 +918 B
Page Load Tests Overall increase 鉁
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
/ failed reqs 0 0
/ total time (seconds) 3.13 3.047 -0.08
/ avg req/sec 798.8 820.47 +21.67
/error-in-render failed reqs 0 0
/error-in-render total time (seconds) 1.411 1.425 鈿狅笍 +0.01
/error-in-render avg req/sec 1772.14 1754.67 鈿狅笍 -17.47
Client Bundles (main, webpack, commons)
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
450.HASH.js gzip 179 B 179 B
framework-HASH.js gzip 42.3 kB 42.3 kB
main-HASH.js gzip 27.3 kB 27.3 kB
webpack-HASH.js gzip 1.44 kB 1.44 kB
Overall change 71.2 kB 71.2 kB
Legacy Client Bundles (polyfills)
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
polyfills-HASH.js gzip 31 kB 31 kB
Overall change 31 kB 31 kB
Client Pages
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
_app-HASH.js gzip 1.35 kB 1.35 kB
_error-HASH.js gzip 180 B 180 B
amp-HASH.js gzip 305 B 305 B
css-HASH.js gzip 321 B 321 B
dynamic-HASH.js gzip 2.36 kB 2.36 kB
head-HASH.js gzip 342 B 342 B
hooks-HASH.js gzip 906 B 906 B
image-HASH.js gzip 4.76 kB 4.76 kB
index-HASH.js gzip 256 B 256 B
link-HASH.js gzip 2.19 kB 2.19 kB
routerDirect..HASH.js gzip 314 B 314 B
script-HASH.js gzip 375 B 375 B
withRouter-HASH.js gzip 309 B 309 B
85e02e95b279..7e3.css gzip 107 B 107 B
Overall change 14.1 kB 14.1 kB
Client Build Manifests
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
_buildManifest.js gzip 458 B 458 B
Overall change 458 B 458 B
Rendered Page Sizes
vercel/next.js canary Schniz/next.js limit-process-env-to-middleware-env-output Change
index.html gzip 531 B 531 B
link.html gzip 545 B 545 B
withRouter.html gzip 526 B 526 B
Overall change 1.6 kB 1.6 kB
Commit: 31d50be

@kodiakhq kodiakhq bot merged commit e695004 into vercel:canary Jan 12, 2022
41 of 43 checks passed
teleaziz added a commit to teleaziz/next.js that referenced this issue Jan 12, 2022
鈥-example

* 'canary' of github.com:vercel/next.js:
  Added links to data fetching api refs, fixed title (vercel#33221)
  Removed backticks on data fetching api titles (vercel#33216)
  middlewares: limit `process.env` to inferred usage (vercel#33186)
  Fixed broken link (vercel#33209)
  v12.0.8
  v12.0.8-canary.22
  Refactor data fetching API docs (vercel#30615)
  Docs: correct ignorance pattern for .env.local (vercel#32647)
  Fixes vercel#33153: Updating cross-references from master to main + canary (vercel#33198)
  v12.0.8-canary.21
  Add util for normalizing errors (vercel#33159)
  Fix broken yarn pnp (vercel#32867)
@Schniz Schniz deleted the limit-process-env-to-middleware-env-output branch Jan 16, 2022
@vercel vercel locked as resolved and limited conversation to collaborators Feb 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants