Problem
vite.config.js includes vite-plugin-vue-devtools without checking the current mode:
    plugins: [
      vue(),
      vueJsx(),
      vueDevTools(), // ← always active
      tailwindcss(),
    ],
vite-plugin-vue-devtools injects a development inspector overlay into the page. Shipping it in a production build exposes internal component structure, store state, and routing information to end users.
Expected
Gate the plugin on the Vite mode:
    import { defineConfig } from 'vite'

    export default defineConfig(({ mode }) => ({
      plugins: [
        vue(),
        vueJsx(),
        mode === 'development' && vueDevTools(),
        tailwindcss(),
      ].filter(Boolean),
      // ...
    }))
Impact
Production builds currently bundle and activate the Vue DevTools overlay, leaking application internals.
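An added example (not part of the original issue or the project's code): a regression check that resolves a Vite-style config for production mode and reports any dev-only plugin left in the plugin list. The stub plugins, their names, and the `DEV_ONLY` patterns are constructed placeholders; a real check would match the `name` fields of the plugins actually installed.

```javascript
// Added example: CI guard that fails when a dev-only plugin survives into a
// production config. The plugin objects are constructed stubs, not the real
// packages, and the DEV_ONLY patterns are assumptions to be replaced with the
// `name` values of the installed plugins.
const DEV_ONLY = [/devtools/i, /inspect/i];

const stub = (name) => () => ({ name });
const vue = stub('stub:vue');
const vueJsx = stub('stub:vue-jsx');
const tailwindcss = stub('stub:tailwindcss');
// Constructed to return an array, since a plugin factory may return several plugins.
const vueDevTools = () => [{ name: 'stub:vue-devtools' }, { name: 'stub:vue-inspector' }];

// Config shape described under "Problem": the plugin is always active.
const ungated = { plugins: [vue(), vueJsx(), vueDevTools(), tailwindcss()] };

// Config shape described under "Expected": the plugin is gated on mode.
const gated = ({ mode }) => ({
  plugins: [vue(), vueJsx(), mode === 'development' && vueDevTools(), tailwindcss()].filter(Boolean),
});

const PROD = { mode: 'production', command: 'build' };
const DEV = { mode: 'development', command: 'serve' };

// Resolve a config export (object, or function of { mode, command }),
// flatten nested plugin arrays, drop falsy entries, return offending names.
function devOnlyPluginsIn(configExport, env) {
  const config = typeof configExport === 'function' ? configExport(env) : configExport;
  return (config.plugins || [])
    .flat(Infinity)
    .filter(Boolean)
    .map((plugin) => plugin.name)
    .filter((name) => DEV_ONLY.some((re) => re.test(name)));
}

// Verdict for the production environment only; this is what a CI step would gate on.
function check(configExport) {
  const leaked = devOnlyPluginsIn(configExport, PROD);
  return leaked.length === 0 ? 'ok' : `dev-only plugins in production: ${leaked.join(', ')}`;
}

console.log('ungated:', check(ungated));
console.log('gated:  ', check(gated));
```

In a project, the config export would be imported from `vite.config.js` in place of the two inline configs.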