How to be assured environment variables, secrets, sensitive data are not being leaked?
Coming from nextjs, the server-only package seems to be separate from nextjs, but using it with tanstack start does not seem like I'm using it correctly. Basically setting in any file that references an environment variable or business logic. I removed all implementations and did a test with a single secret file being imported into a createServerFileRoute file, and the whole client app crashes complaining about not using it in client code, but it is not being used in client code. I go to tanstack start docs and search for "environment variables" / "secrets" / "sensitive" and get 1 hit, and no information on server-only / use server (it seems like my claude code is flailing and hallucinating). But then I see a couple GitHub issues of people using it and fixing it https://github.com/TanStack/router/issues/3401 so then I am sitting here scratching my head. Any help or guidance is much appreciated!
2 Replies
multiple-amethyst•6d ago
you cannot leak sensitive env vars to the client because Vite only bundles VITE prefixed variables to the client
the only way to have non VITE prefixed variable come to the client is through a server request
so a server function or server route
there is ZERO other way
server-only doesn't work with Vite, to my knowledge. It's redundant anyway
sensitive-blueOP•6d ago
Thank you @notKamui !
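
A build-time check for the question in this thread, as an added example that is not part of the thread or of TanStack Start's own tooling: it parses a .env file, takes every variable without the `VITE_` prefix, and reports any of those values that appear verbatim in client bundle files. The helper names and the sample data are constructed; in a real run `clientFiles` would be filled with the contents of the client build output.

```javascript
// Added example: function names, sample values and file contents are constructed.

// Parse .env text into [name, value] pairs (simple KEY=VALUE lines, optional quotes).
function parseEnv(text) {
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    out.push([name, value]);
  }
  return out;
}

// Server-only variables: everything without the client prefix (VITE_ by default).
function serverOnlyVars(envText, clientPrefix = 'VITE_') {
  // Skip very short values: they match unrelated bundle text and only add noise.
  return parseEnv(envText).filter(([n, v]) => !n.startsWith(clientPrefix) && v.length >= 8);
}

// Return { file, name } for every server-only value found verbatim in a client file.
function findLeaks(envText, clientFiles) {
  const hits = [];
  for (const [name, value] of serverOnlyVars(envText)) {
    for (const [file, body] of Object.entries(clientFiles)) {
      if (body.includes(value)) hits.push({ file, name });
    }
  }
  return hits;
}

// Constructed sample input (not real credentials, not a real build).
const sampleEnv = [
  '# constructed example',
  'VITE_API_BASE=https://api.example.test',
  'DATABASE_URL="postgres://app:s3cr3t-constructed@db.example.test/app"',
  'SESSION_SECRET=constructed-session-secret-0001',
].join('\n');

const sampleBundle = {
  'assets/index.js': 'fetch("https://api.example.test/me")',
  'assets/bad.js': 'const k="constructed-session-secret-0001";',
};

console.log(findLeaks(sampleEnv, sampleBundle));
```

The check only catches values embedded as-is; a secret that is encoded or returned at runtime by a server function or server route will not show up in a static scan of the bundle.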