Potential source leakage risk: server.publicDir.copyOnBuild = "auto"

[quanquan2100]

Docs: https://rsbuild.rs/config/server/public-dir#options

Problem

server.publicDir.copyOnBuild defaults to auto, which means a dev-server config can implicitly affect production build output (copy files into dist). This can cause accidental source/code leakage if publicDir points to a sensitive folder.

Example scenario

In some legacy projects, images are referenced by fixed paths (e.g. /images/foo.png). To make it work in dev, people may set publicDir to a directory that contains those images—sometimes even src/. If they forget to set copyOnBuild: false, build output may copy that directory into dist.

export default {
  server: {
    publicDir: {
      name: 'src',
      // copyOnBuild not set -> "auto"
    },
  },
};

Suggestions

• Make the default safer when publicDir.name is customized (e.g. don’t copy unless explicitly enabled), or
• Add a build-time warning when publicDir points to src/ (or contains source-like files), or
• At least add a prominent doc note highlighting this risk.

Curious what the current intended behavior of "auto" is and whether a warning/safer default would be acceptable.

[chenjiahan]

Thanks for the suggestion. I think we can add a note in the documentation to clarify this behavior, but it’s not worth changing the default for this edge case since it would be a breaking change and introduce unnecessary complexity.

[chenjiahan]

#7188