Fix exposing of .env variables in Create React App
Create React Apps have the nifty feature of getting environment variables either from the shell or .env files. These are then resolved and baked into the JS bundle by webpack.
When using debug, the entirety of your .env file gets exposed in the bundle, e.g.:
function u() {
    var e;
    try {
        e = t.storage.debug
    } catch (e) {
    }
    return !e && "undefined" !== typeof r && "env" in r && (e = Object({
        NODE_ENV: "production",
        PUBLIC_URL: "",
        REACT_APP_FOO: "1"
    }).DEBUG), e
}
This PR fixes that situation by moving the env access to a separate file that isn't accessed when in browser mode.
Also should resolve https://github.com/visionmedia/debug/issues/467#issuecomment-324054986.
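A build-time check for the pattern shown in the description above, as an added example that is not part of this PR or of debug's code: it scans bundle text for an inlined Object({ ...NODE_ENV... }) literal and lists the keys it carries. The function name, the sample bundles and the list of built-in keys are assumptions made for this example.

```javascript
// Added example (not from the debug or Create React App code bases).
// Matches `Object({ ...NODE_ENV... })`, optionally followed by `.PROP`: the
// shape in the PR description when the whole env object is inlined.
// Limitation: a value containing `{` or `}` hides the object from this pattern.
const ENV_OBJECT =
  /Object\(\s*\{([^{}]*\bNODE_ENV\b[^{}]*)\}\s*\)(?:\s*\.\s*([A-Za-z_$][\w$]*))?/g;

// One `key: value` pair. String values are consumed whole, so commas or
// colons inside them are not mistaken for further keys.
const PAIR =
  /["']?([A-Za-z_$][\w$]*)["']?\s*:\s*(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^,]*)/g;

// Assumption: these two keys (seen in the snippet above) are set by the build
// itself; any other key came from the shell or a .env file.
const BUILT_IN = new Set(["NODE_ENV", "PUBLIC_URL"]);

function findInlinedEnv(bundleText) {
  const findings = [];
  for (const m of bundleText.matchAll(ENV_OBJECT)) {
    const keys = [...m[1].matchAll(PAIR)].map((p) => p[1]);
    findings.push({
      offset: m.index,                 // where in the bundle the object starts
      accessedProperty: m[2] || null,  // e.g. "DEBUG"
      keys,
      appKeys: keys.filter((k) => !BUILT_IN.has(k)),
    });
  }
  return findings;
}

// Constructed sample: the snippet from the PR description, minified.
const LEAKY_BUNDLE =
  'function u(){var e;try{e=t.storage.debug}catch(e){}return!e&&"undefined"' +
  '!==typeof r&&"env"in r&&(e=Object({NODE_ENV:"production",PUBLIC_URL:"",' +
  'REACT_APP_FOO:"1"}).DEBUG),e}';

// Constructed sample: hypothetical bundle code with no env object in it.
const CLEAN_BUNDLE = 'function v(){return"production"!=="production"?1:0}';

for (const f of findInlinedEnv(LEAKY_BUNDLE)) {
  console.log(`env object at offset ${f.offset} via .${f.accessedProperty}: ` +
    `exposes ${f.appKeys.join(", ") || "(built-in keys only)"}`);
}
```

In a real build, pass each emitted .js file's contents to findInlinedEnv and fail the build when any finding has a non-empty appKeys list.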
Coverage increased (+1.2%) to 75.0% when pulling 3d42235dac35b1fb4f3b77c00589128759bd1202 on moos:fix-cra-env into 22f993216dcdcee07eb0601ea71a917e4925a30a on visionmedia:master.
Coverage increased (+2.2%) to 89.862% when pulling 86c9684b10dd508ac544ed70bf22350efdfa39c2 on moos:fix-cra-env into 5c7c61dc0df0db4eb5de25707d8cd1b9be1add4f on visionmedia:master.
I'm :-1: on this. It's adding very specific checks where this is really a shortcoming in electron. Is this even still an issue? I know this is kind of an old PR.
Yup - definitely still an issue. It's not an electron issue -- the code referenced above ends up in CRA bundle that's consumed by the browser, thereby exposing the entirety of CRA app's various .env files to the web site visitor -- clearly, an unintended (and hard-to-detect, unless you analyze the bundle -- I bet most app devs don't do that!) side-effect of .env + debug.
I'd be happy to submit an update if there is interest.
Hi, sorry it took so long to get back. Could you rebase please? I'm okay with adding this check.
holy 🐟 -- let's hope I don't have to do that again!
Ping! Would hate to see this become stale again.