[PR #97] [MERGED] fix: sanitize error messages in production mode #307

Closed
opened 2026-05-06 12:39:06 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/97
Author: @southpolesteve
Created: 2/26/2026
Status: Merged
Merged: 2/26/2026
Merged by: @southpolesteve

Base: main ← Head: fix/sanitize-error-messages


📝 Commits (1)

  • a4c3cf6 fix: sanitize error messages in production mode

📊 Changes

7 files changed (+99 additions, -23 deletions)

View changed files

📝 examples/hackernews/worker/index.ts (+1 -4)
📝 examples/pages-router-cloudflare/worker/index.ts (+1 -4)
📝 examples/realworld-api-rest/worker/index.ts (+1 -4)
📝 packages/vinext/src/server/api-handler.ts (+2 -1)
📝 packages/vinext/src/server/app-dev-server.ts (+82 -5)
📝 packages/vinext/src/server/dev-server.ts (+7 -4)
📝 packages/vinext/src/server/middleware.ts (+5 -1)

📄 Description

Summary

Returns generic error messages in production responses instead of raw exception details. Full errors are still logged server-side for debugging.

  • App Router: new __sanitizeErrorForClient() replaces non-navigation errors with a generic message + djb2 digest hash (matching Next.js behavior) in production. Navigation errors (redirect, notFound, etc.) pass through unchanged with their digests intact.
  • Pages Router: error responses no longer include internal file paths
  • Middleware: production mode returns "Internal Server Error", dev mode preserves detail
  • Worker entry examples: updated to use generic error responses
  • RSC and SSR onError callbacks generate digest hashes for non-navigation errors in production, allowing server-log correlation without exposing details to clients

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
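
The production path summarized in the description, as an added sketch that is not code from the vinext PR: non-navigation errors become a generic message plus a djb2 digest, while the full detail goes only to a server-side log keyed by that digest. The function names, the hashed input (message plus stack), the `serverLog` callback and the navigation digest prefixes are assumptions made for illustration.

```typescript
// Added illustration; names, digest input and navigation prefixes are assumptions.
type DigestError = Error & { digest?: string };

const GENERIC_MESSAGE = "Internal Server Error";
// Assumed digest prefixes for navigation signals, following Next.js conventions.
const NAVIGATION_PREFIXES = ["NEXT_REDIRECT", "NEXT_NOT_FOUND", "NEXT_HTTP_ERROR_FALLBACK"];

// djb2: hash = hash * 33 + charCode, wrapped to 32 bits and returned unsigned.
function djb2(input: string): number {
  let hash = 5381;
  for (let i = 0; i < input.length; i++) {
    hash = ((hash << 5) + hash + input.charCodeAt(i)) | 0;
  }
  return hash >>> 0;
}

function isNavigationError(err: unknown): boolean {
  if (!(err instanceof Error)) return false;
  const digest = (err as DigestError).digest;
  if (typeof digest !== "string") return false;
  return NAVIGATION_PREFIXES.some((prefix) => digest.indexOf(prefix) === 0);
}

function sanitizeForClient(
  err: unknown,
  isProduction: boolean,
  serverLog: (line: string) => void,
): unknown {
  // Dev keeps full detail; navigation errors must keep their own digest.
  if (!isProduction || isNavigationError(err)) return err;

  // Thrown values are not always Error objects, so handle both.
  const detail = err instanceof Error ? `${err.message}\n${err.stack || ""}` : String(err);
  const digest = String(djb2(detail));

  // Full detail stays server-side, keyed by the digest the client will see.
  serverLog(`[error digest=${digest}] ${detail}`);

  const safe: DigestError = new Error(GENERIC_MESSAGE);
  safe.digest = digest;
  safe.stack = ""; // a fresh Error carries a server stack trace; drop it too
  return safe;
}
```

An operator who receives a digest from a client report can search the server log for the matching `digest=` line to recover the original message and stack.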

Reference
starred/vinext#307