@vite-env/core 0.6.0 → 0.6.1
- package/dist/leak.cjs +11 -10
- package/dist/leak.cjs.map +1 -1
- package/dist/leak.d.cts +3 -6
- package/dist/leak.d.mts +3 -6
- package/dist/leak.mjs +11 -10
- package/dist/leak.mjs.map +1 -1
- package/package.json +5 -4
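--- a/package/dist/leak.cjs
+++ b/package/dist/leak.cjs
@@ -1,12 +1,9 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
 //#region src/leak.ts
 /**
-* Scans
-*
-*
-* Strategy: for each server-only key, check if its actual runtime value
-* appears as a literal string in any output chunk's source code.
-* Short/common values (< 8 chars) are skipped to avoid false positives.
+* Scans client-destined chunks for server-only var values appearing as quoted
+* string literals. Bare substring matches are ignored — only quoted literals
+* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
 */
 function detectServerLeak(def, data, bundle, onSkipped) {
 const serverKeys = new Set(Object.keys(def.server ?? {}));
@@ -15,10 +12,14 @@ function detectServerLeak(def, data, bundle, onSkipped) {
 const serverSecrets = Object.entries(data).filter((entry) => serverKeys.has(entry[0]) && typeof entry[1] === "string" && entry[1].length >= 8);
 const chunks = Object.entries(bundle).filter(([, chunk]) => chunk.type === "chunk" && !!chunk.code);
 const leaks = [];
-for (const [key, value] of serverSecrets)
-
-
-
+for (const [key, value] of serverSecrets) {
+const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, String.raw`\$&`);
+const pattern = new RegExp(`(["'\`])${escaped}\\1`);
+for (const [chunkName, chunk] of chunks) if (pattern.test(chunk.code)) leaks.push({
+key,
+chunk: chunkName
+});
+}
 return leaks;
 }
 //#endregion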
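Review bot: The rewritten loop in detectServerLeak reports a server-only value only when it is the entire quoted literal (opening quote, escaped value, the same closing quote), so a value embedded in a longer string is no longer flagged at all; this could happen if the bundler or minifier folds a concatenation into one literal, which I have not verified for this build. The pattern is also built from the raw runtime value, whereas a value containing a quote, backslash or newline appears in emitted JavaScript in escaped form and will not match; deriving the needle from `JSON.stringify(value).slice(1, -1)` before the regex escaping would at least cover the double-quoted serialisation. I would keep the exact-literal match as the high-confidence result, add a second pass that reports embedded occurrences at lower confidence instead of dropping them, and name these false-negative cases in the doc comment, which currently states that only quoted literals indicate a real leak. The same loop appears in package/dist/leak.mjs, and the lines between the two hunks (the short-value handling) are not shown in this section.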
package/dist/leak.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans
|
|
1
|
+
{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans client-destined chunks for server-only var values appearing as quoted\n * string literals. Bare substring matches are ignored — only quoted literals\n * indicate a real bundler-inlined leak. Values < 8 chars are skipped.\n */\nexport function detectServerLeak(\n def: AnyEnvDefinition,\n data: Record<string, unknown>,\n bundle: Record<string, { type: string; code?: string }>,\n onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n const serverKeys = new Set(Object.keys(def.server ?? {}));\n\n const shortSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length < 8,\n );\n\n if (shortSecrets.length > 0 && onSkipped) {\n onSkipped(shortSecrets.map(([k]) => k));\n }\n\n const serverSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length >= 8,\n );\n\n const chunks = Object.entries(bundle).filter(\n ([, chunk]) => chunk.type === \"chunk\" && !!chunk.code,\n );\n\n const leaks: LeakReport[] = [];\n for (const [key, value] of serverSecrets) {\n const escaped = value.replace(/[.*+?^${}()|[\\]\\\\]/g, String.raw`\\$&`);\n const pattern = new RegExp(`([\"'\\`])${escaped}\\\\1`);\n for (const [chunkName, chunk] of chunks) {\n if (pattern.test(chunk.code!)) {\n leaks.push({ key, chunk: chunkName });\n }\n }\n }\n\n return 
leaks;\n}\n"],"mappings":";;;;;;;AAYA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,SAAS,EACjF;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,UAAU,EAClF;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,eAAe;EACxC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,GAAG,MAAM;EACrE,MAAM,UAAU,IAAI,OAAO,WAAW,QAAQ,KAAK;AACnD,OAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,QAAQ,KAAK,MAAM,KAAM,CAC3B,OAAM,KAAK;GAAE;GAAK,OAAO;GAAW,CAAC;;AAK3C,QAAO"}
|
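--- a/package/dist/leak.d.cts
+++ b/package/dist/leak.d.cts
@@ -6,12 +6,9 @@ type LeakReport = {
 chunk: string;
 };
 /**
-* Scans
-*
-*
-* Strategy: for each server-only key, check if its actual runtime value
-* appears as a literal string in any output chunk's source code.
-* Short/common values (< 8 chars) are skipped to avoid false positives.
+* Scans client-destined chunks for server-only var values appearing as quoted
+* string literals. Bare substring matches are ignored — only quoted literals
+* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
 */
 declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
 type: string;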
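--- a/package/dist/leak.d.mts
+++ b/package/dist/leak.d.mts
@@ -6,12 +6,9 @@ type LeakReport = {
 chunk: string;
 };
 /**
-* Scans
-*
-*
-* Strategy: for each server-only key, check if its actual runtime value
-* appears as a literal string in any output chunk's source code.
-* Short/common values (< 8 chars) are skipped to avoid false positives.
+* Scans client-destined chunks for server-only var values appearing as quoted
+* string literals. Bare substring matches are ignored — only quoted literals
+* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
 */
 declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
 type: string;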
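--- a/package/dist/leak.mjs
+++ b/package/dist/leak.mjs
@@ -1,11 +1,8 @@
 //#region src/leak.ts
 /**
-* Scans
-*
-*
-* Strategy: for each server-only key, check if its actual runtime value
-* appears as a literal string in any output chunk's source code.
-* Short/common values (< 8 chars) are skipped to avoid false positives.
+* Scans client-destined chunks for server-only var values appearing as quoted
+* string literals. Bare substring matches are ignored — only quoted literals
+* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
 */
 function detectServerLeak(def, data, bundle, onSkipped) {
 const serverKeys = new Set(Object.keys(def.server ?? {}));
@@ -14,10 +11,14 @@ function detectServerLeak(def, data, bundle, onSkipped) {
 const serverSecrets = Object.entries(data).filter((entry) => serverKeys.has(entry[0]) && typeof entry[1] === "string" && entry[1].length >= 8);
 const chunks = Object.entries(bundle).filter(([, chunk]) => chunk.type === "chunk" && !!chunk.code);
 const leaks = [];
-for (const [key, value] of serverSecrets)
-
-
-
+for (const [key, value] of serverSecrets) {
+const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, String.raw`\$&`);
+const pattern = new RegExp(`(["'\`])${escaped}\\1`);
+for (const [chunkName, chunk] of chunks) if (pattern.test(chunk.code)) leaks.push({
+key,
+chunk: chunkName
+});
+}
 return leaks;
 }
 //#endregion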
package/dist/leak.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans
|
|
1
|
+
{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans client-destined chunks for server-only var values appearing as quoted\n * string literals. Bare substring matches are ignored — only quoted literals\n * indicate a real bundler-inlined leak. Values < 8 chars are skipped.\n */\nexport function detectServerLeak(\n def: AnyEnvDefinition,\n data: Record<string, unknown>,\n bundle: Record<string, { type: string; code?: string }>,\n onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n const serverKeys = new Set(Object.keys(def.server ?? {}));\n\n const shortSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length < 8,\n );\n\n if (shortSecrets.length > 0 && onSkipped) {\n onSkipped(shortSecrets.map(([k]) => k));\n }\n\n const serverSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length >= 8,\n );\n\n const chunks = Object.entries(bundle).filter(\n ([, chunk]) => chunk.type === \"chunk\" && !!chunk.code,\n );\n\n const leaks: LeakReport[] = [];\n for (const [key, value] of serverSecrets) {\n const escaped = value.replace(/[.*+?^${}()|[\\]\\\\]/g, String.raw`\\$&`);\n const pattern = new RegExp(`([\"'\\`])${escaped}\\\\1`);\n for (const [chunkName, chunk] of chunks) {\n if (pattern.test(chunk.code!)) {\n leaks.push({ key, chunk: chunkName });\n }\n }\n }\n\n return 
leaks;\n}\n"],"mappings":";;;;;;AAYA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,SAAS,EACjF;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,UAAU,EAClF;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,eAAe;EACxC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,GAAG,MAAM;EACrE,MAAM,UAAU,IAAI,OAAO,WAAW,QAAQ,KAAK;AACnD,OAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,QAAQ,KAAK,MAAM,KAAM,CAC3B,OAAM,KAAK;GAAE;GAAK,OAAO;GAAW,CAAC;;AAK3C,QAAO"}
|
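--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "$schema": "https://raw.githubusercontent.com/vitejs/vite-plugin-registry/refs/heads/main/data/schema/extended-package-json.schema.json",
 "name": "@vite-env/core",
-"version": "0.6.
+"version": "0.6.1",
 "description": "The env.ts layer for Vite — define once, validate everywhere, import with types",
 "keywords": [
 "dotenv",
@@ -136,13 +136,14 @@
 "scripts": {
 "build": "tsdown",
 "dev": "tsdown --watch",
-"
+"postpack": "bun ../../scripts/rewrite-deps.ts restore",
+"prepack": "bun run build && bun ../../scripts/rewrite-deps.ts rewrite",
 "test": "vitest run",
 "typecheck": "tsc --noEmit"
 },
 "dependencies": {
-"@standard-schema/spec": "
-"jiti": "
+"@standard-schema/spec": "^1.1.0",
+"jiti": "^2.6.1"
 },
 "devDependencies": {
 "@types/node": "catalog:dev",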