
fix: avoid exposing all system env vars in Vite define config #467

Merged
kagol merged 1 commit into dev from fix/vite-env-security on May 7, 2026

Conversation

Contributor

@hexqi hexqi commented May 6, 2026

Summary

  • Replace 'process.env': { ...process.env } in vite.config.ts with only the 4 npm_package_* variables actually consumed by insert-deps-version.ts in the browser
  • Prevents leaking unnecessary system environment variables (API keys, tokens, paths, etc.) into the client-side bundle

Summary by CodeRabbit

  • Chores
    • Updated build configuration to explicitly manage environment variable exposure.

Note: This is an internal configuration adjustment with no user-facing changes or new functionality.

@github-actions github-actions Bot added the bug Something isn't working label May 6, 2026

coderabbitai Bot commented May 6, 2026

Walkthrough

The Vite configuration for the fluent-editor documentation site was modified to restrict environment variable exposure. Instead of spreading all environment variables under process.env, only four specific npm_package_* variables are explicitly exposed: vite, vitepress, vue, and quill.

Changes

Environment Variable Restriction

Layer: Configuration
File(s): packages/docs/fluent-editor/vite.config.ts
Summary: The define['process.env'] mapping changed from spreading the entire process.env to explicitly listing four npm_package_* variables (vite, vitepress, vue, quill) for improved security and reduced bundle exposure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A config so tight, just what we need,
Four variables clean, no overspread!
Safer bundles hop through the day,
Secrets stay hidden, locked away! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and accurately describes the main change: replacing spreading all environment variables with selective exposure of only necessary variables for security purposes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Microsoft Presidio Analyzer (2.2.362)
packages/docs/fluent-editor/vite.config.ts

Microsoft Presidio Analyzer failed to scan this file



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/docs/fluent-editor/vite.config.ts`:
- Around line 21-26: The current define block sets 'process.env' to an object
which will shadow all process.env accesses; instead, replace the top-level
'process.env' define with per-key defines for the four tokens
(npm_package_devDependencies_vite, npm_package_devDependencies_vitepress,
npm_package_dependencies_vue, npm_package_dependencies_quill) so only those
exact access paths are replaced; for each key (refer to those exact identifiers
in vite.config.ts) set its value to a JSON.stringify'd string (or fallback to
the literal "undefined" string) rather than embedding an object, and leave
process.env.NODE_ENV and other env keys untouched so Vite's internal
replacements continue to work.
- Around line 21-26: The current define block replaces the entire 'process.env'
object (in vite.config.ts) which shadows standard env vars; change it to
individual per-key definitions instead of a single 'process.env' object: define
each key like 'process.env.npm_package_devDependencies_vite',
'process.env.npm_package_devDependencies_vitepress',
'process.env.npm_package_dependencies_vue', and
'process.env.npm_package_dependencies_quill' and set their values using
JSON.stringify(process.env.<KEY>) so undefined becomes explicit; update the
define entry where 'process.env' is currently set to create these four per-key
mappings.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a3ccb5 and 3fa0c33.

📒 Files selected for processing (1)
  • packages/docs/fluent-editor/vite.config.ts
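The three shapes the `define` entry for process.env can take in this PR (the original spread, the filtered object, and the per-key form the inline comments suggest), as an added TypeScript example that is not code from the fluent-editor repository: `objectDefine`, `safeDefine`, `resolveAccess` and the sample environment are assumptions for illustration; only the four npm_package_* names come from the PR.

```typescript
// Added example, not code from the fluent-editor repo: models the shapes a
// vite.config.ts `define` entry for process.env can take and what each exposes.
// objectDefine/safeDefine/resolveAccess and SAMPLE_ENV are assumed; only the
// four npm_package_* names come from the PR.

type Env = Record<string, string | undefined>;

// The four keys insert-deps-version.ts reads in the browser (per the PR).
const EXPOSED_KEYS = [
  "npm_package_devDependencies_vite",
  "npm_package_devDependencies_vitepress",
  "npm_package_dependencies_vue",
  "npm_package_dependencies_quill",
] as const;

// Constructed build environment that also carries a secret.
const SAMPLE_ENV: Env = {
  NODE_ENV: "production",
  npm_package_devDependencies_vite: "^5.4.0",
  npm_package_dependencies_vue: "^3.4.0",
  AWS_SECRET_ACCESS_KEY: "constructed-secret-value",
};

// Object form `'process.env': { ... }`. With keys = Object.keys(env) this is the
// original `{ ...process.env }` spread; with EXPOSED_KEYS it is the PR's filtered
// object, which still replaces every `process.env` access with that object.
function objectDefine(env: Env, keys: readonly string[]): Record<string, unknown> {
  const picked: Env = {};
  for (const k of keys) picked[k] = env[k];
  return { "process.env": picked };
}

// Per-key form CodeRabbit suggested: one entry per exact access path, each a
// JSON-stringified literal; a missing variable becomes the literal "undefined".
function safeDefine(env: Env): Record<string, string> {
  const define: Record<string, string> = {};
  for (const k of EXPOSED_KEYS) define[`process.env.${k}`] = JSON.stringify(env[k]) ?? "undefined";
  return define;
}

// Simplified model of Vite's define substitution for one access expression:
// exact path match first, then the 'process.env' object form, else untouched.
function resolveAccess(define: Record<string, unknown>, expr: string): unknown {
  if (expr in define) return define[expr];
  const obj = define["process.env"];
  if (expr.startsWith("process.env.") && obj && typeof obj === "object") {
    return (obj as Env)[expr.slice("process.env.".length)];
  }
  return "<untouched>";
}
```

With the spread, the constructed secret is reachable from the bundle; with the filtered object it is gone but process.env.NODE_ENV now resolves to undefined; with per-key defines only the four literals are substituted and every other access is left untouched.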

@kagol kagol merged commit 6fdcd3d into dev May 7, 2026
2 checks passed