wxt-dev/wxt

zip.includeSources does not behave intuitively, can lead to data leak

Open

#2059 opened on Jan 31, 2026

contribution welcome, good first issue

Description

Describe the bug

Setup

// wxt.config.ts
import { defineConfig } from 'wxt';

export default defineConfig({
  zip: {
    includeSources: ['entrypoints/**'],
  },
})

Repo tree:

entrypoints/foo.ts
entrypoints/bar.js
cache/secrets/abc
super-secret-file
.gitignore

Expected behavior

$ wxt zip:firefox
$ zipinfo .output/*sources.zip
entrypoints/foo.ts
entrypoints/bar.js

Current non-intuitive, dangerously leaky behavior

$ wxt zip:firefox
$ zipinfo .output/*sources.zip
entrypoints/foo.ts
entrypoints/bar.js
cache/secrets/abc
super-secret-file

Hacky workaround

I should not have to do this, but that's how I worked around this bug:

import { defineConfig } from 'wxt';

export default defineConfig({
  zip: {
    excludeSources: ['**'],
    includeSources: ['entrypoints/**'],
  },
})

I'll point out that this is usually not how an allowlist/denylist behaves. The "accepted", safe, intuitive behavior is the following:

  • Nothing configured: default behavior, today "Hidden files, node_modules, and tests are ignored". I'd personally vote for a more advanced "respect .Xignore" support for a bunch of popular VCSes, like what ripgrep does, but that's a stretch.
  • Only allowlist provided (include): takes precedence since the user went through the trouble of customizing this setting; only what's "included" is included; not what happens, and what this bug is about.
  • Only denylist provided (exclude): takes precedence, everything is included except what's denied.
  • Both allowlist & denylist provided: only what passes the allowlist, then filter out further according to denylist. Though I accept that the opposite (first denylist, then force-allowlist), which is WXT's current behavior ("[includeSources] overrides excludeSources; if a file matches both lists, it is included in the ZIP") is acceptable albeit annoying.

Pointers:

Reproduction

repro.zip

Steps to reproduce

$ mkdir /tmp/repro && cd /tmp/repro
$ unzip /tmp/repro.zip
$ npm install
$ npm run zip:firefox
$ zipinfo .output/*sources.zip

System Info

System:
    OS: Linux 6.18 cpe:/o:nixos:nixos:26.05 26.05 (Yarara)
    CPU: irrelevant
    Memory: irrelevant
    Container: Yes
    Shell: 5.3.9 - /bin/bash
  Binaries:
    Node: 24.13.0 - node
    Yarn: 1.22.22 - yarn
    npm: 11.6.2 - npm
    pnpm: 10.28.0 - pnpm
  npmPackages:
    wxt: ^0.20.6 => 0.20.13

Used Package Manager

pnpm

Validations

Contributor guide
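
The selection semantics described in the issue, modelled as an added example (not WXT's implementation and not code from the reporter): `reportedSelection` reproduces the behaviour shown in the issue, `allowlistSelection` the proposed one, and `unexpectedEntries` is a pre-release check over a ZIP entry listing. The function names and the minimal `*`/`**` glob matcher are assumptions, and WXT's default ignores (hidden files, node_modules, tests) are not modelled.

```typescript
// Added example: models the include/exclude semantics described in the issue.
// Not WXT's code; the glob matcher is a minimal stand-in for `*` and `**`.
type ZipRules = { include?: string[]; exclude?: string[] };

function globToRegExp(glob: string): RegExp {
  const body = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters (not `*`)
    .replace(/\*\*/g, '\u0000')            // protect `**` before handling `*`
    .replace(/\*/g, '[^/]*')               // `*` stays within one path segment
    .replace(/\u0000/g, '.*');             // `**` crosses directory boundaries
  return new RegExp(`^${body}$`);
}

function matchesAny(path: string, globs: string[]): boolean {
  return globs.some((g) => globToRegExp(g).test(path));
}

// Behaviour reported in the issue: include only rescues files from exclude,
// so with no exclude list every file still lands in the archive.
function reportedSelection(files: string[], rules: ZipRules): string[] {
  const include = rules.include ?? [];
  const exclude = rules.exclude ?? [];
  return files.filter((f) => matchesAny(f, include) || !matchesAny(f, exclude));
}

// Behaviour the reporter proposes: a configured include list is an allowlist,
// and exclude then filters within it.
function allowlistSelection(files: string[], rules: ZipRules): string[] {
  const include = rules.include;
  const exclude = rules.exclude ?? [];
  return files.filter(
    (f) => (include === undefined || matchesAny(f, include)) && !matchesAny(f, exclude),
  );
}

// Release check: entries of a built sources ZIP that fall outside the allowlist.
function unexpectedEntries(entries: string[], allowed: string[]): string[] {
  return entries.filter((e) => !matchesAny(e, allowed));
}

// Constructed sample: the repo tree from the issue (hidden files left out).
const tree = ['entrypoints/foo.ts', 'entrypoints/bar.js', 'cache/secrets/abc', 'super-secret-file'];
const allow = ['entrypoints/**'];
const leaky = reportedSelection(tree, { include: allow });
console.log('reported:', leaky);
console.log('allowlist:', allowlistSelection(tree, { include: allow }));
console.log('workaround:', reportedSelection(tree, { include: allow, exclude: ['**'] }));
console.log('outside allowlist:', unexpectedEntries(leaky, allow));
```

Feeding `unexpectedEntries` the output of `zipinfo -1` on the sources ZIP turns the check into a release gate that fails when anything outside the intended allowlist was packaged.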