Leaky Builds

Created: 2022-01-17

Yesterday I noticed that the app builds were getting bigger and bigger. The "beta.001" build was around 100MB, which is the typical size for a simple Electron app. "beta.002" came in at around 200MB, "beta.003" at 400MB. Where does all this come from?!

macOS ".app"

Luckily, macOS apps are just special directories ending in ".app". You can see their contents by right-clicking or "cd"-ing into them. So I checked the huge builds, using "$ du -h" to list the size of directories. Soon I found a very familiar-looking folder called "builds". It contains past builds of Daily. It's located in the root of the code repository. That's the directory I rsync to the download server. Of course it's in the .gitignore. You can probably see where this is going...

electron-packager

Daily uses electron-forge for builds, which internally uses electron-packager for, well, packaging. Turns out electron-packager, by default, just grabs everything in the root directory and stuffs it into the app build. So it happily packed all previous Daily builds into every new build. It has an "ignore" option to define folders and files it shouldn't include.

Sane Defaults

Is this a good default? I think not. It bit me, but in an annoying way. But I have to wonder how many people regularly leak files containing credentials or other sensitive data this way. Does anyone check the contents of their ".app" builds?
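
One way to run that check before uploading a build, as an added example that is not from the original post: a shell function that walks a packaged ".app" and flags leftover build directories and credential-like files. The name patterns and the constructed sample bundle are assumptions, and it only sees files on disk, so an "app.asar" archive has to be extracted first.

```shell
#!/bin/sh
# Added example: audit a packaged macOS .app for content that should not ship.
# The name patterns are illustrative assumptions; adjust them to your project.

# List flagged paths: leftover build/VCS directories and credential-like files.
find_leaks() {
    find "$1" \( \
        -type d \( -name builds -o -name .git -o -name .ssh \) -prune -o \
        -type f \( -name '.env' -o -name '.env.*' -o -name '.npmrc' \
                   -o -name '*.pem' -o -name 'id_rsa*' \) \
    \) -print
}

# Return 0 if the bundle is clean, 1 if anything was flagged, 2 on bad input.
audit_app_bundle() {
    bundle=$1
    [ -d "$bundle" ] || { echo "not a directory: $bundle" >&2; return 2; }
    leaks=$(find_leaks "$bundle")
    if [ -z "$leaks" ]; then
        echo "OK: nothing flagged in $bundle"
        return 0
    fi
    echo "Flagged content in $bundle (size, path):" >&2
    printf '%s\n' "$leaks" | while IFS= read -r p; do
        printf '  %s\t%s\n' "$(du -sh "$p" | cut -f1)" "$p" >&2
    done
    return 1
}

# Constructed sample input: a bundle that repeats the mistake from the post.
make_sample_bundle() {
    app="$1/Daily.app/Contents/Resources/app"
    mkdir -p "$app/builds/beta.001" "$app/src"
    echo 'console.log("hi")' > "$app/src/main.js"
    echo 'placeholder' > "$app/builds/beta.001/old-build.bin"
    echo 'API_TOKEN=constructed-placeholder' > "$app/.env"
}

# Usage: sh audit.sh /path/to/Daily.app   (exit status is the audit result)
if [ "$#" -gt 0 ]; then
    audit_app_bundle "$1"
fi
```

Because the exit status is non-zero when anything is flagged, the script can sit in front of the rsync step and stop the upload.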