bun build --target=bun inlines environment variable and .env file values

[GeoffWilliams]

What version of Bun is running?

1.1.8+89d25807f

What platform is your computer?

Linux 6.1.0-17-amd64 x86_64 unknown

What steps can reproduce the bug?

bun build --target=bun inlines the value of environment variables set in the environment and .env, eg:

.env

MYVAR=gotcha

test.ts

console.log(process.env.MYVAR);
console.log(process.env.MYOTHERVAR);

bundle

export MYOTHERVAR=hmmm
bun build --outdir bundled test.ts --target=bun

What is the expected behavior?

Expect to see directly specified environment variables used when supplied so that I can use environment variables for configuration/externalization of secrets. Running typescript directly with bun works:

MYVAR=hello MYOTHERVAR=world bun test.ts 
hello
world

What do you see instead?

Values from .env and the environment are inlined into the bundle/compiled executable when --target=bun used. Referenced environment variables that had no value during build work as expected:

MYVAR=hello MYOTHERVAR=world bun ./bundled/test.js 
gotcha
hmmm

Additional information

Unwanted inlining will embed secrets into bundles/executables. I already did this without realising:

grep $TEST_BINANCE_FUTURES_API_KEY build/app 
grep: build/app: binary file matches

The behaviour of target is documented at https://bun.sh/docs/bundler#target but does not mention anything about inlining environment variables and .env files

I guess the workaround would be to run bun compile in a clean environment and move any .env files out of the way first

[GeoffWilliams]

Workaround:

mv .env .env.nouse
env -i ~/.bun/bin/bun build --target=bun --compile --sourcemap src/app.ts --outfile build/app 
mv .env.nouse .env

[benpsnyder]

I am also experiencing this issue.
Here is the environment variable

but it in-lined the .env from a development build

the .env should never be included in builds, imho, or we need a CLI flag