.output/public contains duplicate assets, server files, api files #3784

arfath-linklet opened this issue Mar 16, 2025 · 0 comments
Labels
revisit-after-devinxi start Everything about TanStack Start

@arfath-linklet
Contributor

Which project does this relate to?

Start

Describe the bug

Running a TanStack Start build, I expect only assets from the public dir and public build artifacts to be served statically.

.output/public/assets: contains duplicate files also served in .output/public/_build/assets
.output/public/_build/.vite/manifest.json: exposes source folder structure to the world

Enabling Nitro compression using

compressPublicAssets: {
  gzip: true,
  brotli: true,
}

exposes additional files in .output/public

.output/public/assets: contains server files in compressed form
.output/public/_server/assets: contains server files in compressed form
.output/public/api/assets: contains server files in compressed form

As a workaround, we explicitly include only the public files we think are safe in our Docker builds:

# Server
COPY --chown=app:app ./.output/server /app/.output/server
COPY --chown=app:app ./.output/nitro.json /app/.output/nitro.json
# Public
COPY --chown=app:app ./.output/public/_build/assets /app/.output/public/_build/assets
COPY --chown=app:app ./public /app/.output/public

Your Example Website or App

https://codesandbox.io/p/devbox/github/tanstack/router/tree/main/examples/react/start-basic?embed=1&theme=dark

Steps to Reproduce the Bug or Issue

Reproducible with the start-basic example. Enable Nitro compression using app.config:

compressPublicAssets: {
  gzip: true,
  brotli: true,
}

Expected behavior

I expect the publicly exposed .output/public to strictly contain public files that are safe to serve, avoiding possible leaks of sensitive server files.

Screenshots or Videos

No response

Platform

  • OS: macOS
  • Browser: Chrome
  • Version: ~1.114.0

Additional context

No response

@SeanCassiere SeanCassiere added the start Everything about TanStack Start label Mar 20, 2025
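
A CI gate that applies the same allowlist as the Docker workaround in the issue, so a build fails when .output/public contains anything unaccounted for. This is an added example, not code from the issue author or the TanStack project; the function name `audit_public`, the allowlist rules and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a build's public directory against an allowlist.
# Allowed: anything under _build/assets/ and copies of files from the
# source public dir, including their .gz/.br variants (assumption taken
# from the workaround in the issue, not a rule defined by TanStack or Nitro).
# Prints unexpected paths; returns 0 if clean, 1 if not, 2 on bad arguments.
audit_public() {
  out_dir=$1
  src_dir=$2
  if [ ! -d "$out_dir" ] || [ ! -d "$src_dir" ]; then
    echo "usage: audit_public OUT_PUBLIC SRC_PUBLIC" >&2
    return 2
  fi
  src_abs=$(cd "$src_dir" && pwd)
  unexpected=$(
    cd "$out_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r rel; do
      case $rel in
        _build/assets/*) continue ;;          # client bundle
      esac
      base=$rel
      case $rel in
        *.gz) base=${rel%.gz} ;;              # compressPublicAssets output
        *.br) base=${rel%.br} ;;
      esac
      # Accept the file itself or the uncompressed original in the source dir.
      [ -f "$src_abs/$rel" ] || [ -f "$src_abs/$base" ] || printf '%s\n' "$rel"
    done
  )
  [ -z "$unexpected" ] && return 0
  printf '%s\n' "$unexpected"
  return 1
}

# Constructed demo tree (not real build output); run with: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d)
  mkdir -p "$t/src" "$t/out/_build/assets" "$t/out/_build/.vite" "$t/out/_server/assets"
  : > "$t/src/favicon.ico"; : > "$t/out/favicon.ico"; : > "$t/out/favicon.ico.gz"
  : > "$t/out/_build/assets/client.js"
  : > "$t/out/_build/.vite/manifest.json"
  : > "$t/out/_server/assets/ssr.js.br"
  audit_public "$t/out" "$t/src"
  rm -rf "$t"
fi
```

In a pipeline, call `audit_public .output/public ./public || exit 1` after the build and before the image is assembled; file names containing newlines are not handled.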