T3 Env bundles ALL (even server) envs in build output (Next.js 15)

When using the t3 env package in Next.js, it seems that it loads everything (partially) into my main-app-[random-hash].js (build output from webpack). The actual values of the server envs are not bundled, but the names of the envs are. This poses a security risk because now you can see what packages I use on the server to maybe find an exploit. Is this something I'm doing wrong or is it a bug in the package itself?

My tsconfig:
{
  "compilerOptions": {
    /* Base Options: */
    "esModuleInterop": true,
    "skipLibCheck": true,
    "target": "es2022",
    "allowJs": true,
    "resolveJsonModule": true,
    "moduleDetection": "force",
    "isolatedModules": true,

    /* Strictness */
    "strict": true,
    "noUncheckedIndexedAccess": true,
    "checkJs": true,

    /* Bundled projects */
    "lib": ["dom", "dom.iterable", "ES2022"],
    "noEmit": true,
    "module": "ESNext",
    "moduleResolution": "Bundler",
    "jsx": "preserve",
    "plugins": [{ "name": "next" }],
    "incremental": true,

    /* Path Aliases */
    "baseUrl": ".",
    "paths": {
      "@/*": ["./src/*"]
    }
  },
  "include": ["eslint.config.mjs", "next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
  "exclude": ["node_modules"]
}
2 Replies
Siebe (OP), 11h ago
Just to be clear, this is on a real build (not a dev server). @julius (sorry to tag you), this issue is something that came out of a penetration test by a big enterprise client of ours, which wants it to be fixed.
julius, 8h ago
Env
Never build your apps with invalid environment variables again. Validate and transform your environment with the full power of Zod.
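
A build-time check for the behaviour reported in this thread, as an added example that is not part of the thread or of the t3-env project: it scans built client chunks for server-side variable names so a CI job can fail when they appear. The variable names and the sample chunk are constructed, and the `.next/static` location of client assets is an assumption about the build layout.

```javascript
// Constructed inputs: hypothetical server-side names (the keys of the `server`
// schema given to createEnv) and a made-up minified client chunk.
const SERVER_ENV_NAMES = ["DATABASE_URL", "STRIPE_SECRET_KEY", "SMTP_PASSWORD"];
const SAMPLE_CHUNK =
  'let e=o({server:{DATABASE_URL:s.string(),STRIPE_SECRET_KEY:s.string()},' +
  'client:{NEXT_PUBLIC_APP_URL:s.string()},runtimeEnv:{DATABASE_URL:' +
  'process.env.DATABASE_URL,NEXT_PUBLIC_APP_URL:"https://app.example"}})';

// Find whole-identifier occurrences of server env names in one chunk's text.
function findServerEnvNames(chunkText, names) {
  const findings = [];
  for (const name of names) {
    if (name.startsWith("NEXT_PUBLIC_")) continue; // public by design
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // Lookarounds stop DATABASE_URL from matching inside MY_DATABASE_URL_OLD.
    const re = new RegExp(`(?<![A-Za-z0-9_])${escaped}(?![A-Za-z0-9_])`, "g");
    for (const m of chunkText.matchAll(re)) {
      const context = chunkText.slice(Math.max(0, m.index - 15), m.index + name.length + 15);
      findings.push({ name, offset: m.index, context });
    }
  }
  return findings;
}

// Walk a directory of built client assets and report files that contain names.
async function scanClientChunks(dir, names) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const report = [];
  const walk = (d) => {
    for (const ent of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, ent.name);
      if (ent.isDirectory()) walk(p);
      else if (p.endsWith(".js")) {
        const hits = findServerEnvNames(fs.readFileSync(p, "utf8"), names);
        if (hits.length) report.push({ file: p, hits });
      }
    }
  };
  walk(dir);
  return report;
}

// Demo on the constructed chunk; in CI, call scanClientChunks(".next/static", names)
// after `next build` and exit non-zero when the report is not empty.
console.log(findServerEnvNames(SAMPLE_CHUNK, SERVER_ENV_NAMES).map((f) => `${f.name}@${f.offset}`));
```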
