Description
Describe the bug
This line of code:
const clientEnv = loadEnv(mode, process.cwd(), '');
in the vite.config.ts file (the entire Vite configuration) was what caused our CI/CD env vars to be exposed to the world.
Of course, some bots that scrape the internet read the compiled bundle, got our keys, and used them to cause a massacre.
Yes, we *** up by using a ChatGPT-generated config and doing code review.
Still, it should not be so easy to do, and I feel more people could be affected by this.
It is also hard to find during code review, because these are 2 signs that can cost you and your company a lot of money.
IMO it should at least show some error somewhere, or require a value like 'YES_I_WANT_TO_EXPOSE_ALL_OF_MY_ENVS_TO_THE_WORLD_AND_BOTS'.
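An added example (not from this issue and not Vite's own code) that models the prefix filter behind loadEnv's third argument and shows a guard a config could run before inlining the result into the bundle; the function names and the sample env are assumptions for illustration.

```javascript
// Simplified model of loadEnv's prefix filter (assumption: Vite keeps a key when it
// starts with any of the given prefixes; the default prefix is 'VITE_').
// Passing '' keeps every key, because every string starts with the empty string.
function filterEnvByPrefix(env, prefixes) {
  const list = Array.isArray(prefixes) ? prefixes : [prefixes];
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (list.some((p) => key.startsWith(p))) out[key] = value;
  }
  return out;
}

// Keys that would be shipped to the client even though they are not VITE_-prefixed,
// i.e. CI/CD runner and host secrets.
function findLeakedKeys(clientEnv, allowedPrefix = 'VITE_') {
  return Object.keys(clientEnv).filter((k) => !k.startsWith(allowedPrefix));
}

// Fail the build instead of silently inlining secrets: throws when any key
// outside the allowed prefix is present, otherwise returns the env unchanged.
function assertClientSafe(clientEnv) {
  const leaked = findLeakedKeys(clientEnv);
  if (leaked.length > 0) {
    throw new Error(`refusing to expose non-VITE_ env vars to the client: ${leaked.join(', ')}`);
  }
  return clientEnv;
}

// Constructed sample of what a CI runner's process.env might contain.
const SAMPLE_ENV = {
  VITE_API_URL: 'https://api.example.test',
  AWS_SECRET_ACCESS_KEY: 'constructed-placeholder',
  NPM_TOKEN: 'constructed-placeholder',
  PATH: '/usr/bin',
};

const exposedEverything = filterEnvByPrefix(SAMPLE_ENV, '');     // the '' case from the issue
const exposedViteOnly = filterEnvByPrefix(SAMPLE_ENV, 'VITE_');  // the default prefix
```

Running assertClientSafe on the '' result throws and names AWS_SECRET_ACCESS_KEY, NPM_TOKEN and PATH, while the VITE_ result passes through.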
Reproduction
https://stackblitz.com/edit/vitejs-vite-e6fzdp?file=vite.config.ts&terminal=dev
Steps to reproduce
No response
System Info
Windows 10,
Chrome 124.0.6367.202
Packages:
"vite": "~5.0.0",
"vite-plugin-env-compatible": "^2.0.1",
"vitest": "^1.3.1",
Used Package Manager
npm
Logs
No response