Theo's Typesafe Cult•3mo ago

T3 Env bundles ALL (even server) envs in build output (Next.js 15)

When using t3 env package in Next.js it seems that it loads everything (partially) into my main-app-[random-hash].js (build output from webpack) The actual value of the server envs are not bundled but the name of the env is. This poses a security risk because now you can see what packages I use on the server to maybe find an exploit. Is this something I'm doing wrong or is it a bug in the package itself? My tsconfig:

{
    "compilerOptions": {
        /* Base Options: */
        "esModuleInterop": true,
        "skipLibCheck": true,
        "target": "es2022",
        "allowJs": true,
        "resolveJsonModule": true,
        "moduleDetection": "force",
        "isolatedModules": true,

        /* Strictness */
        "strict": true,
        "noUncheckedIndexedAccess": true,
        "checkJs": true,

        /* Bundled projects */
        "lib": ["dom", "dom.iterable", "ES2022"],
        "noEmit": true,
        "module": "ESNext",
        "moduleResolution": "Bundler",
        "jsx": "preserve",
        "plugins": [{ "name": "next" }],
        "incremental": true,

        /* Path Aliases */
        "baseUrl": ".",
        "paths": {
            "@/*": ["./src/*"]
        }
    },
    "include": ["eslint.config.mjs", "next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
    "exclude": ["node_modules"]
}

{
    "compilerOptions": {
        /* Base Options: */
        "esModuleInterop": true,
        "skipLibCheck": true,
        "target": "es2022",
        "allowJs": true,
        "resolveJsonModule": true,
        "moduleDetection": "force",
        "isolatedModules": true,

        /* Strictness */
        "strict": true,
        "noUncheckedIndexedAccess": true,
        "checkJs": true,

        /* Bundled projects */
        "lib": ["dom", "dom.iterable", "ES2022"],
        "noEmit": true,
        "module": "ESNext",
        "moduleResolution": "Bundler",
        "jsx": "preserve",
        "plugins": [{ "name": "next" }],
        "incremental": true,

        /* Path Aliases */
        "baseUrl": ".",
        "paths": {
            "@/*": ["./src/*"]
        }
    },
    "include": ["eslint.config.mjs", "next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
    "exclude": ["node_modules"]
}

Solution:

There’s a big callout here https://env.t3.gg/docs/core#create-your-schema

Env

Never build your apps with invalid environment variables again. Validate and transform your environment with the full power of Zod.

Jump to solution

3 Replies

SiebeOP•3mo ago

Just to be clear this is on a real build (not a dev server) @julius (sorry to tag you) This issue is something that came out of a penetration test by big enterprise client of ours which wants it to be fixed.

Solution

julius•3mo ago

There’s a big callout here https://env.t3.gg/docs/core#create-your-schema

Env

Never build your apps with invalid environment variables again. Validate and transform your environment with the full power of Zod.

SiebeOP•3mo ago

Oh sorry, my bad

Gaming

Programming

T3 Env bundles ALL (even server) envs in build output (Next.js 15)

Did you find this page helpful?