Security issue - create @tanstack/start with neon db exposes database url to client #287

@billy-the-ape

Description

Which project does this relate to?

Create Tanstack App

Describe the bug

Creating a new tanstack start project with pnpm create @tanstack/start@latest per the docs will generate a project with the environment variables for the database prefixed with VITE_ -- this means that they are sent to the client.

Being new to Vite, I had no idea this was the case. Luckily my app is not in production yet, but I'd expect a lot of people might overlook this when building a new app with this tool.

Your Example Website or App

https://tanstack.com/start/latest/docs/framework/react/quick-start

Steps to Reproduce the Bug or Issue

  1. Follow the quick start instructions
  2. Expose your DB variables to the client

Expected behavior

Do not expose sensitive variables to the client

Screenshots or Videos

No response

Platform

Any

Additional context

No response
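The issue above hinges on one Vite rule: every variable whose name starts with `VITE_` (the default `envPrefix`) is inlined into client bundles via `import.meta.env`, so a database URL under that prefix ships to the browser. The following is an added example, not code from the issue or from the TanStack project: a small lint-style check that parses a `.env` file and reports `VITE_`-prefixed variables that look like server secrets; the sample `.env` content and the hostnames in it are constructed.

```javascript
// Added example (not from the issue or TanStack): flag VITE_-prefixed .env
// variables that look like server-side secrets. Vite exposes VITE_* to client
// code through import.meta.env; server-only values must use an unprefixed name
// and be read only in server code (e.g. process.env.DATABASE_URL).
const VITE_PREFIX = "VITE_";

// Name fragments that usually mark a server-side secret.
const SECRET_NAME_HINTS = ["DATABASE", "DB_", "SECRET", "PASSWORD", "TOKEN", "PRIVATE"];

// Connection strings embedding credentials: scheme://user:password@host
const CREDENTIAL_URL = /^[a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:[^/\s@]+@/i;

// Minimal .env parser: skips blanks/comments, strips `export` and matching quotes.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if (value.length >= 2 && (q === '"' || q === "'") && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    vars.push({ name, value });
  }
  return vars;
}

// Returns the names of client-exposed variables that appear to hold secrets.
function findExposedSecrets(envText) {
  return parseEnv(envText)
    .filter(({ name }) => name.startsWith(VITE_PREFIX))
    .filter(({ name, value }) =>
      SECRET_NAME_HINTS.some((h) => name.includes(h)) || CREDENTIAL_URL.test(value))
    .map(({ name }) => name);
}

// Constructed sample: one leaked DB URL, two legitimately public values, and
// the corrected server-only name for the same connection string.
const SAMPLE_ENV = `
# constructed sample, not a real deployment
VITE_DATABASE_URL="postgres://app:s3cret@db.example.invalid:5432/app"
VITE_API_BASE_URL=https://api.example.invalid
DATABASE_URL="postgres://app:s3cret@db.example.invalid:5432/app"
VITE_PUBLIC_FLAG=true
`;

console.log(findExposedSecrets(SAMPLE_ENV)); // → ["VITE_DATABASE_URL"]
```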
