You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
git clone https://github.com/junaga/vite-env-bug
cd vite-env-bug/package/nested
npm install
npm run build
As you can see the .js chunk in dist/assets/ contains the variable from the .env file 2 directories above. The variable is not set in the build tool environment and still embedded into the final bundle, this is a huge security concern.
Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
Describe the bug
When running the
vite
orvite build
command in a package, in a monorepo,.env
files from above the package, the vite project root, are loaded.ty for your time vite is awesome
Reproduction
See the following example repo
git clone https://github.com/junaga/vite-env-bug cd vite-env-bug/package/nested npm install npm run build
As you can see the
.js
chunk indist/assets/
contains the variable from the.env
file 2 directories above. The variable is not set in the build tool environment and still embedded into the final bundle, this is a huge security concern.System Info
System: OS: Linux 4.19 Debian GNU/Linux 10 (buster) 10 (buster) CPU: (12) x64 AMD Ryzen 5 3600 6-Core Processor Memory: 8.91 GB / 12.43 GB Container: Yes Shell: 5.0.3 - /bin/bash Binaries: Node: 14.18.1 - /usr/bin/node Yarn: 1.22.15 - /usr/bin/yarn npm: 6.14.15 - /usr/bin/npm npmPackages: vite: ^2.6.4 => 2.6.14
Used Package Manager
npm
Logs
No response
Validations
The text was updated successfully, but these errors were encountered: