.env files from the parent directory are loaded

[junaga]

Describe the bug

When running the vite or vite build command in a package, in a monorepo, .env files from above the package, the vite project root, are loaded.

ty for your time vite is awesome

Reproduction

See the following example repo

git clone https://github.com/junaga/vite-env-bug
cd vite-env-bug/package/nested
npm install
npm run build

As you can see the .js chunk in dist/assets/ contains the variable from the .env file 2 directories above. The variable is not set in the build tool environment and still embedded into the final bundle, this is a huge security concern.

System Info

System:
    OS: Linux 4.19 Debian GNU/Linux 10 (buster) 10 (buster)
    CPU: (12) x64 AMD Ryzen 5 3600 6-Core Processor
    Memory: 8.91 GB / 12.43 GB
    Container: Yes
    Shell: 5.0.3 - /bin/bash
  Binaries:
    Node: 14.18.1 - /usr/bin/node
    Yarn: 1.22.15 - /usr/bin/yarn
    npm: 6.14.15 - /usr/bin/npm
  npmPackages:
    vite: ^2.6.4 => 2.6.14

Used Package Manager

npm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.