Absolute paths of development environment are leaked to unminified production code

[Timsonrobl]

⚠️ IMPORTANT ⚠️ Please do not ignore this template. If you do, your issue will be closed immediately.

• Read the docs.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/vue-next instead.
• This is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.

Describe the bug

"vite build" are currently leaking full paths from development environment if set to minify: false.
For example if project code is located on C:\users\sensitive-info-like-user-real-names\projects\myproject\source vite would add variable names like var C__users_sensitiveInfoLikeUserRealNames_projects_myproject_source_node_modules_objectInspect into production code generated by vite build.
I understand that not minifying code for production is not common, however code minification is not a security procedure and should not affect security matters in my opinion.

Reproduction

I'm pretty sure this behavior is universal for any vite project.

System Info

• vite version: 2.1.2
• Operating System: Windows 10
• Node version: 15.9.0
• Package manager (npm/yarn/pnpm) and version: yarn 1.22.5

Logs (Optional if provided reproduction)

1. Run vite or vite build with the --debug flag.
2. Provide the error log here.

[haoqunjiang]

I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

[github-actions]

Hello @Timsonrobl. Please provide a online reproduction by codesandbox or a minimal GitHub repository. Issues labeled by need reproduction will be closed if no activities in 3 days.

[Timsonrobl]

I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

Sure, here it is: https://github.com/Timsonrobl/vitejs-leak-minrepo
You need to import any package from node-modules and make sure it's not tree-shaken for leak to appear. For some reason it's not reproducible with just vue createApp import

[haoqunjiang]

Got it.

Seems only reproducible in Windows.

[pastelmind]

I can attest that this is reproducible only on Windows. I scaffolded a Vite project using the react template, and the vendor.*.js contains the following line on Windows 10:

var C__Users_Phil_Documents_GitHub_viteReproJs_node_modules_react = { exports: {} };

...while on Ubuntu 20.04 (WSL 2/Windows 10):

var react = { exports: {} };

I'm having problem with Vite where build artifacts generated on Windows and Linux are different, and I suspect this is the root cause.

[pastelmind]

It seems the problem originates from @rollup/plugin-commonjs:

export function getName(id) {
  const name = makeLegalIdentifier(basename(id, extname(id)));
  if (name !== 'index') {
    return name;
  }
  const segments = dirname(id).split(sep);
  return makeLegalIdentifier(segments[segments.length - 1]);
}

This function is used to extract a module's base name from the module ID. For example, getName("C:\\Users\\Phil\\Documents\\GitHub\\test-vite-app\\node_modules\\react\\index.js") returns "react".

The problem is that Vite.js normalizes all module IDs to use forward slashes (/). This confuses getName(), which uses path.sep to split paths. Since path.sep is a backslash (\) on Windows, this doesn't split anything. Thus, getName("C:/Users/Phil/Documents/GitHub/test-vite-app/node_modules/react/index.js") returns something like "C__Users_Phil_Documents_GitHub_testViteApp_node_modules_react".

I see two possible ways of fixing this.

1. Use backslashes for module IDs on Windows: This may have huge implications and probably won't solve the reproducible build problem.
2. Fix @rollup/plugin-commonjs. An easy hack is to replace

   const segments = dirname(id).split(sep);
   return makeLegalIdentifier(segments[segments.length - 1]);

   with

   return makeLegalIdentifier(basename(dirname(id)));