I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

Hello @Timsonrobl. Please provide a online reproduction by codesandbox or a minimal GitHub repository. Issues labeled by need reproduction will be closed if no activities in 3 days.

I can't reproduce this issue with the vue project template.
So could you please provide a reproduction repo?

Sure, here it is: https://github.com/Timsonrobl/vitejs-leak-minrepo
You need to import any package from node-modules and make sure it's not tree-shaken for leak to appear. For some reason it's not reproducible with just vue createApp import

Got it.

Seems only reproducible in Windows.

I can attest that this is reproducible only on Windows. I scaffolded a Vite project using the react template, and the vendor.*.js contains the following line on Windows 10:

var C__Users_Phil_Documents_GitHub_viteReproJs_node_modules_react = { exports: {} };

...while on Ubuntu 20.04 (WSL 2/Windows 10):

var react = { exports: {} };

I'm having problem with Vite where build artifacts generated on Windows and Linux are different, and I suspect this is the root cause.

It seems the problem originates from @rollup/plugin-commonjs:

export function getName(id) {
  const name = makeLegalIdentifier(basename(id, extname(id)));
  if (name !== 'index') {
    return name;
  }
  const segments = dirname(id).split(sep);
  return makeLegalIdentifier(segments[segments.length - 1]);
}

This function is used to extract a module's base name from the module ID. For example, getName("C:\\Users\\Phil\\Documents\\GitHub\\test-vite-app\\node_modules\\react\\index.js") returns "react".

The problem is that Vite.js normalizes all module IDs to use forward slashes (/). This confuses getName(), which uses path.sep to split paths. Since path.sep is a backslash (\) on Windows, this doesn't split anything. Thus, getName("C:/Users/Phil/Documents/GitHub/test-vite-app/node_modules/react/index.js") returns something like "C__Users_Phil_Documents_GitHub_testViteApp_node_modules_react".

I see two possible ways of fixing this.

1. Use backslashes for module IDs on Windows: This may have huge implications and probably won't solve the reproducible build problem.
2. Fix @rollup/plugin-commonjs. An easy hack is to replace

   const segments = dirname(id).split(sep);
   return makeLegalIdentifier(segments[segments.length - 1]);

   with

   return makeLegalIdentifier(basename(dirname(id)));

@rollup/plugin-commonjs v20.0.0 fixes the bug (see rollup/plugins#924). Once we update our dependencies, this issue should be resolved.

Note: I marked the PR for @rollup/plugin-commonjs as a breaking change (and a major version bump) since it alters how variables are emitted. However, this should be a patch version bump for Vite since it doesn't affect its core functionality.

Edit: Should I make a PR for this? Or does the Vite team have an established process for bumping major versions of dependencies?

Thanks a lot @pastelmind,

Edit: Should I make a PR for this? Or does the Vite team have an established process for bumping major versions of dependencies?

We have renovate bot in the repo, at one point it will generate a PR for this. But if you would like to do a PR, I think it is a good idea so this issue is referenced as the reason for the update.