Closed KTibow closed 1 year ago
Good call, thank you.
It's fixed via https://github.com/michael/editable-website/commit/8df358240555e64b4f56bd550e98ca07e2811fc9
Is there a way to notify forks that there's a security-related update so they'll do a sync?
VITE variables can be shipped to the client. From my quick check it looks like they aren't ever sent here, but it's still a problem. Instead remove the VITE prefix, and use
import { ADMIN_PASSWORD } from '$env/static/private'
(the docs) Since this is kinda a security problem I'm pinging @michael - although since this is supposed to be forked, fixing it might not help.
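Added example, not part of the thread or the project's code: a JavaScript check for the problem described above that flags `VITE_`-prefixed variables with secret-looking names in a `.env` file and reports whether their values appear in built client bundles. The function names, the `VITE_ADMIN_PASSWORD` name, the file names and all sample values are assumptions constructed for illustration.

```javascript
// Names that suggest a value must never reach the browser (heuristic, assumed list).
const SECRET_NAME = /(PASSWORD|SECRET|TOKEN|PRIVATE|API_?KEY|CREDENTIAL)/i;

// Parse KEY=value lines; skips blanks and comments, strips matching quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    vars[m[1]] = value;
  }
  return vars;
}

// One finding per VITE_ variable whose name looks secret.
// `bundles` maps a client bundle file name to its text; `leakedIn` lists the
// bundles that contain the literal value (Vite inlines referenced values).
function auditViteSecrets(dotenvText, bundles) {
  const findings = [];
  for (const [name, value] of Object.entries(parseDotenv(dotenvText))) {
    if (!name.startsWith('VITE_') || !SECRET_NAME.test(name)) continue;
    const leakedIn = Object.entries(bundles)
      .filter(([, js]) => value.length > 0 && js.includes(value))
      .map(([file]) => file);
    // `suggested` is the name to use with $env/static/private instead.
    findings.push({ name, suggested: name.slice('VITE_'.length), leaked: leakedIn.length > 0, leakedIn });
  }
  return findings;
}

// Constructed sample input (not taken from the repository).
const sampleEnv = [
  '# constructed values',
  'VITE_ADMIN_PASSWORD="example-not-a-real-password"',
  'VITE_SITE_TITLE=Demo',
  'ORIGIN=http://localhost:5173',
].join('\n');
const sampleBundles = {
  'client/chunk-a.js': 'const title="Demo";',
  'client/chunk-b.js': 'if(p==="example-not-a-real-password"){ok()}',
};
console.log(auditViteSecrets(sampleEnv, sampleBundles));
```

A finding with `leaked: false` is still worth acting on, since the prefix makes the value eligible for inlining as soon as client code references it.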