@vite-env/core 0.6.0 → 0.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/leak.cjs +11 -10
- package/dist/leak.cjs.map +1 -1
- package/dist/leak.d.cts +3 -6
- package/dist/leak.d.mts +3 -6
- package/dist/leak.mjs +11 -10
- package/dist/leak.mjs.map +1 -1
- package/package.json +25 -12
package/dist/leak.cjs
CHANGED
|
@@ -1,12 +1,9 @@
|
|
|
1
1
|
Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
|
|
2
2
|
//#region src/leak.ts
|
|
3
3
|
/**
|
|
4
|
-
* Scans
|
|
5
|
-
*
|
|
6
|
-
*
|
|
7
|
-
* Strategy: for each server-only key, check if its actual runtime value
|
|
8
|
-
* appears as a literal string in any output chunk's source code.
|
|
9
|
-
* Short/common values (< 8 chars) are skipped to avoid false positives.
|
|
4
|
+
* Scans client-destined chunks for server-only var values appearing as quoted
|
|
5
|
+
* string literals. Bare substring matches are ignored — only quoted literals
|
|
6
|
+
* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
|
|
10
7
|
*/
|
|
11
8
|
function detectServerLeak(def, data, bundle, onSkipped) {
|
|
12
9
|
const serverKeys = new Set(Object.keys(def.server ?? {}));
|
|
@@ -15,10 +12,14 @@ function detectServerLeak(def, data, bundle, onSkipped) {
|
|
|
15
12
|
const serverSecrets = Object.entries(data).filter((entry) => serverKeys.has(entry[0]) && typeof entry[1] === "string" && entry[1].length >= 8);
|
|
16
13
|
const chunks = Object.entries(bundle).filter(([, chunk]) => chunk.type === "chunk" && !!chunk.code);
|
|
17
14
|
const leaks = [];
|
|
18
|
-
for (const [key, value] of serverSecrets)
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
15
|
+
for (const [key, value] of serverSecrets) {
|
|
16
|
+
const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, String.raw`\$&`);
|
|
17
|
+
const pattern = new RegExp(`(["'\`])${escaped}\\1`);
|
|
18
|
+
for (const [chunkName, chunk] of chunks) if (pattern.test(chunk.code)) leaks.push({
|
|
19
|
+
key,
|
|
20
|
+
chunk: chunkName
|
|
21
|
+
});
|
|
22
|
+
}
|
|
22
23
|
return leaks;
|
|
23
24
|
}
|
|
24
25
|
//#endregion
|
package/dist/leak.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans
|
|
1
|
+
{"version":3,"file":"leak.cjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans client-destined chunks for server-only var values appearing as quoted\n * string literals. Bare substring matches are ignored — only quoted literals\n * indicate a real bundler-inlined leak. Values < 8 chars are skipped.\n */\nexport function detectServerLeak(\n def: AnyEnvDefinition,\n data: Record<string, unknown>,\n bundle: Record<string, { type: string; code?: string }>,\n onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n const serverKeys = new Set(Object.keys(def.server ?? {}));\n\n const shortSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length < 8,\n );\n\n if (shortSecrets.length > 0 && onSkipped) {\n onSkipped(shortSecrets.map(([k]) => k));\n }\n\n const serverSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length >= 8,\n );\n\n const chunks = Object.entries(bundle).filter(\n ([, chunk]) => chunk.type === \"chunk\" && !!chunk.code,\n );\n\n const leaks: LeakReport[] = [];\n for (const [key, value] of serverSecrets) {\n const escaped = value.replace(/[.*+?^${}()|[\\]\\\\]/g, String.raw`\\$&`);\n const pattern = new RegExp(`([\"'\\`])${escaped}\\\\1`);\n for (const [chunkName, chunk] of chunks) {\n if (pattern.test(chunk.code!)) {\n leaks.push({ key, chunk: chunkName });\n }\n }\n }\n\n return leaks;\n}\n"],"mappings":";;;;;;;AAYA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,SAAS,EACjF;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,UAAU,EAClF;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,eAAe;EACxC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,GAAG,MAAM;EACrE,MAAM,UAAU,IAAI,OAAO,WAAW,QAAQ,KAAK;AACnD,OAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,QAAQ,KAAK,MAAM,KAAM,CAC3B,OAAM,KAAK;GAAE;GAAK,OAAO;GAAW,CAAC;;AAK3C,QAAO"}
|
package/dist/leak.d.cts
CHANGED
|
@@ -6,12 +6,9 @@ type LeakReport = {
|
|
|
6
6
|
chunk: string;
|
|
7
7
|
};
|
|
8
8
|
/**
|
|
9
|
-
* Scans
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
* Strategy: for each server-only key, check if its actual runtime value
|
|
13
|
-
* appears as a literal string in any output chunk's source code.
|
|
14
|
-
* Short/common values (< 8 chars) are skipped to avoid false positives.
|
|
9
|
+
* Scans client-destined chunks for server-only var values appearing as quoted
|
|
10
|
+
* string literals. Bare substring matches are ignored — only quoted literals
|
|
11
|
+
* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
|
|
15
12
|
*/
|
|
16
13
|
declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
|
|
17
14
|
type: string;
|
package/dist/leak.d.mts
CHANGED
|
@@ -6,12 +6,9 @@ type LeakReport = {
|
|
|
6
6
|
chunk: string;
|
|
7
7
|
};
|
|
8
8
|
/**
|
|
9
|
-
* Scans
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
* Strategy: for each server-only key, check if its actual runtime value
|
|
13
|
-
* appears as a literal string in any output chunk's source code.
|
|
14
|
-
* Short/common values (< 8 chars) are skipped to avoid false positives.
|
|
9
|
+
* Scans client-destined chunks for server-only var values appearing as quoted
|
|
10
|
+
* string literals. Bare substring matches are ignored — only quoted literals
|
|
11
|
+
* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
|
|
15
12
|
*/
|
|
16
13
|
declare function detectServerLeak(def: AnyEnvDefinition, data: Record<string, unknown>, bundle: Record<string, {
|
|
17
14
|
type: string;
|
package/dist/leak.mjs
CHANGED
|
@@ -1,11 +1,8 @@
|
|
|
1
1
|
//#region src/leak.ts
|
|
2
2
|
/**
|
|
3
|
-
* Scans
|
|
4
|
-
*
|
|
5
|
-
*
|
|
6
|
-
* Strategy: for each server-only key, check if its actual runtime value
|
|
7
|
-
* appears as a literal string in any output chunk's source code.
|
|
8
|
-
* Short/common values (< 8 chars) are skipped to avoid false positives.
|
|
3
|
+
* Scans client-destined chunks for server-only var values appearing as quoted
|
|
4
|
+
* string literals. Bare substring matches are ignored — only quoted literals
|
|
5
|
+
* indicate a real bundler-inlined leak. Values < 8 chars are skipped.
|
|
9
6
|
*/
|
|
10
7
|
function detectServerLeak(def, data, bundle, onSkipped) {
|
|
11
8
|
const serverKeys = new Set(Object.keys(def.server ?? {}));
|
|
@@ -14,10 +11,14 @@ function detectServerLeak(def, data, bundle, onSkipped) {
|
|
|
14
11
|
const serverSecrets = Object.entries(data).filter((entry) => serverKeys.has(entry[0]) && typeof entry[1] === "string" && entry[1].length >= 8);
|
|
15
12
|
const chunks = Object.entries(bundle).filter(([, chunk]) => chunk.type === "chunk" && !!chunk.code);
|
|
16
13
|
const leaks = [];
|
|
17
|
-
for (const [key, value] of serverSecrets)
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
14
|
+
for (const [key, value] of serverSecrets) {
|
|
15
|
+
const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, String.raw`\$&`);
|
|
16
|
+
const pattern = new RegExp(`(["'\`])${escaped}\\1`);
|
|
17
|
+
for (const [chunkName, chunk] of chunks) if (pattern.test(chunk.code)) leaks.push({
|
|
18
|
+
key,
|
|
19
|
+
chunk: chunkName
|
|
20
|
+
});
|
|
21
|
+
}
|
|
21
22
|
return leaks;
|
|
22
23
|
}
|
|
23
24
|
//#endregion
|
package/dist/leak.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans
|
|
1
|
+
{"version":3,"file":"leak.mjs","names":[],"sources":["../src/leak.ts"],"sourcesContent":["import type { AnyEnvDefinition } from \"./types\";\n\ntype LeakReport = {\n key: string;\n chunk: string;\n};\n\n/**\n * Scans client-destined chunks for server-only var values appearing as quoted\n * string literals. Bare substring matches are ignored — only quoted literals\n * indicate a real bundler-inlined leak. Values < 8 chars are skipped.\n */\nexport function detectServerLeak(\n def: AnyEnvDefinition,\n data: Record<string, unknown>,\n bundle: Record<string, { type: string; code?: string }>,\n onSkipped?: (keys: string[]) => void,\n): LeakReport[] {\n const serverKeys = new Set(Object.keys(def.server ?? {}));\n\n const shortSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length < 8,\n );\n\n if (shortSecrets.length > 0 && onSkipped) {\n onSkipped(shortSecrets.map(([k]) => k));\n }\n\n const serverSecrets = Object.entries(data).filter(\n (entry): entry is [string, string] =>\n serverKeys.has(entry[0]) && typeof entry[1] === \"string\" && entry[1].length >= 8,\n );\n\n const chunks = Object.entries(bundle).filter(\n ([, chunk]) => chunk.type === \"chunk\" && !!chunk.code,\n );\n\n const leaks: LeakReport[] = [];\n for (const [key, value] of serverSecrets) {\n const escaped = value.replace(/[.*+?^${}()|[\\]\\\\]/g, String.raw`\\$&`);\n const pattern = new RegExp(`([\"'\\`])${escaped}\\\\1`);\n for (const [chunkName, chunk] of chunks) {\n if (pattern.test(chunk.code!)) {\n leaks.push({ key, chunk: chunkName });\n }\n }\n }\n\n return leaks;\n}\n"],"mappings":";;;;;;AAYA,SAAgB,iBACd,KACA,MACA,QACA,WACc;CACd,MAAM,aAAa,IAAI,IAAI,OAAO,KAAK,IAAI,UAAU,EAAE,CAAC,CAAC;CAEzD,MAAM,eAAe,OAAO,QAAQ,KAAK,CAAC,QACvC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,SAAS,EACjF;AAED,KAAI,aAAa,SAAS,KAAK,UAC7B,WAAU,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC;CAGzC,MAAM,gBAAgB,OAAO,QAAQ,KAAK,CAAC,QACxC,UACC,WAAW,IAAI,MAAM,GAAG,IAAI,OAAO,MAAM,OAAO,YAAY,MAAM,GAAG,UAAU,EAClF;CAED,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,QACnC,GAAG,WAAW,MAAM,SAAS,WAAW,CAAC,CAAC,MAAM,KAClD;CAED,MAAM,QAAsB,EAAE;AAC9B,MAAK,MAAM,CAAC,KAAK,UAAU,eAAe;EACxC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,GAAG,MAAM;EACrE,MAAM,UAAU,IAAI,OAAO,WAAW,QAAQ,KAAK;AACnD,OAAK,MAAM,CAAC,WAAW,UAAU,OAC/B,KAAI,QAAQ,KAAK,MAAM,KAAM,CAC3B,OAAM,KAAK;GAAE;GAAK,OAAO;GAAW,CAAC;;AAK3C,QAAO"}
|
package/package.json
CHANGED
|
@@ -1,13 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "https://raw.githubusercontent.com/vitejs/vite-plugin-registry/refs/heads/main/data/schema/extended-package-json.schema.json",
|
|
3
3
|
"name": "@vite-env/core",
|
|
4
|
-
"version": "0.6.
|
|
4
|
+
"version": "0.6.2",
|
|
5
5
|
"description": "The env.ts layer for Vite — define once, validate everywhere, import with types",
|
|
6
6
|
"keywords": [
|
|
7
7
|
"dotenv",
|
|
8
8
|
"env",
|
|
9
9
|
"environment-variables",
|
|
10
|
-
"rolldown",
|
|
11
10
|
"standard-schema",
|
|
12
11
|
"typescript",
|
|
13
12
|
"validation",
|
|
@@ -136,22 +135,21 @@
|
|
|
136
135
|
"scripts": {
|
|
137
136
|
"build": "tsdown",
|
|
138
137
|
"dev": "tsdown --watch",
|
|
139
|
-
"prepack": "bun run build",
|
|
140
138
|
"test": "vitest run",
|
|
141
139
|
"typecheck": "tsc --noEmit"
|
|
142
140
|
},
|
|
143
141
|
"dependencies": {
|
|
144
|
-
"@standard-schema/spec": "
|
|
145
|
-
"jiti": "
|
|
142
|
+
"@standard-schema/spec": "^1.1.0",
|
|
143
|
+
"jiti": "^2.6.1"
|
|
146
144
|
},
|
|
147
145
|
"devDependencies": {
|
|
148
|
-
"@types/node": "
|
|
149
|
-
"@vitest/coverage-v8": "
|
|
150
|
-
"tsdown": "
|
|
151
|
-
"typescript": "
|
|
152
|
-
"vite": "
|
|
153
|
-
"vitest": "
|
|
154
|
-
"zod": "
|
|
146
|
+
"@types/node": "^25.9.2",
|
|
147
|
+
"@vitest/coverage-v8": "^4.1.8",
|
|
148
|
+
"tsdown": "^0.21.7",
|
|
149
|
+
"typescript": "^6.0.3",
|
|
150
|
+
"vite": "^8.0.8",
|
|
151
|
+
"vitest": "^4.1.8",
|
|
152
|
+
"zod": "^4.3.6"
|
|
155
153
|
},
|
|
156
154
|
"peerDependencies": {
|
|
157
155
|
"vite": ">=8.0.0",
|
|
@@ -164,5 +162,20 @@
|
|
|
164
162
|
},
|
|
165
163
|
"engines": {
|
|
166
164
|
"node": ">=20.19.0"
|
|
165
|
+
},
|
|
166
|
+
"compatiblePackages": {
|
|
167
|
+
"schemaVersion": 1,
|
|
168
|
+
"vite": {
|
|
169
|
+
"type": "compatible",
|
|
170
|
+
"versions": ">=8.0.0"
|
|
171
|
+
},
|
|
172
|
+
"rollup": {
|
|
173
|
+
"type": "incompatible",
|
|
174
|
+
"reason": "Uses Vite-specific hooks (configResolved, configureServer) and APIs (ResolvedConfig, Environment API) not available in standalone Rollup."
|
|
175
|
+
},
|
|
176
|
+
"rolldown": {
|
|
177
|
+
"type": "incompatible",
|
|
178
|
+
"reason": "Uses Vite-specific hooks (configResolved, configureServer) and APIs (ResolvedConfig, Environment API) not available in standalone Rolldown."
|
|
179
|
+
}
|
|
167
180
|
}
|
|
168
181
|
}
|