Unsafe string replacement somewhere in `build-import-analysis

[tcc-sejohnson]

Describe the bug

Hey there. I'm one of the SvelteKit maintainers. First time filing an issue here.

I'm currently in the process of investigating sveltejs/kit#6102. It appears some sort of unsafe string replacement is going on somewhere in the vite:build-import-analysis plugin. Let me give a bit of background before moving on...

SvelteKit offers static environment variables from a module we call $env/static/{public|private}. For these modules (which are virtual and injected by our plugin), we generate code that looks like:

// $env/static/public
export const PUBLIC_FOO = 'asdf';
export const PUBLIC_BAR = 'jlk;';

These can be imported like so: import { PUBLIC_FOO } from '$env/static/public'. When generating the code, we load them using the Vite loadEnv function, so you're familiar with the semantics.

This has worked great so far, but it appears that if the content of one of the variables is import.meta.env, something bad happens:

// $env/static/public
export const PUBLIC_BAD = 'do NOT use import.meta.env in this string!!';

It results in these errors:

import.meta.env is definitely the problem, as changing it to anything else (even just import.meta.en) doesn't trigger the issue.

Steps to reproduce:

git clone https://github.com/tcc-sejohnson/kit-repro-unsafe-string-replacement
pnpm i
pnpm build

To satisfy your curiosity, you can edit the .env file to show a successful build with any value other than import.meta.env.

Reproduction

https://github.com/tcc-sejohnson/kit-repro-unsafe-string-replacement

System Info

System:
    OS: Linux 5.17 Pop!_OS 22.04 LTS
    CPU: (12) x64 AMD Ryzen 5 5600X 6-Core Processor
    Memory: 21.25 GB / 31.32 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 18.7.0 - ~/.nvm/versions/node/v18.7.0/bin/node
    Yarn: 1.22.17 - ~/.yarn/bin/yarn
    npm: 8.15.0 - ~/.nvm/versions/node/v18.7.0/bin/npm
  Browsers:
    Chrome: 104.0.5112.79
    Chromium: 83.0.4103.116
    Firefox: 101.0.1
  npmPackages:
    vite: ^3.0.9 => 3.0.9

Used Package Manager

pnpm

Logs

vite v3.0.9 building for production...
✓ 4 modules transformed.
[vite:build-import-analysis] Cannot destructure property 'line' of 'locate(...)' as it is undefined.
file: $env/static/public
error during build:
TypeError: Cannot destructure property 'line' of 'locate(...)' as it is undefined.
at augmentCodeLocation (file:///home/elliottjohnson/dev/github/sveltejs/repros/chungus-amongus/node_modules/.pnpm/rollup@2.77.3/node_modules/rollup/dist/es/shared/rollup.js:1868:17)
at Object.error (file:///home/elliottjohnson/dev/github/sveltejs/repros/chungus-amongus/node_modules/.pnpm/rollup@2.77.3/node_modules/rollup/dist/es/shared/rollup.js:21938:25)
at Object.transform (file:///home/elliottjohnson/dev/github/sveltejs/repros/chungus-amongus/node_modules/.pnpm/vite@3.0.9/node_modules/vite/dist/node/chunks/dep-0fc8e132.js:40776:22)
 ELIFECYCLE  Command failed with exit code 1.

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[tony19]

I think the problem is in the vite:define plugin, whose regex pattern matches import.meta.env even inside quotes.

A possible solution is to strip the literals from the code before testing the string for a match:

import { stripLiteral } from 'strip-literal'
//...
code = stripLiteral(code)
while ((match = pattern.exec(code))) {

[sapphi-red]

Duplicate of #3304