zip.includeSources does not behave intuitively, can lead to data leak

[zopieux]

Describe the bug

Setup

// wxt.config.ts
export default defineConfig({
  zip: {
    includeSources: ['entrypoints/**'],
  },
})

Repo tree:

entrypoints/foo.ts
entrypoints/bar.js
cache/secrets/abc
super-secret-file
.gitignore

Expected behavior

$ wxt zip:firefox
$ zipinfo .output/*sources.zip
entrypoints/foo.ts
entrypoints/bar.js

Current non-intuitive, dangerously leaky behavior

$ wxt zip:firefox
$ zipinfo .output/*sources.zip
entrypoints/foo.ts
entrypoints/bar.js
cache/secrets/abc
super-secret-file

Hacky workaroud

I should not have to do this, but that's how I worked around this bug:

export default defineConfig({
  zip: {
    excludeSources: ['**'],
    includeSources: ['entrypoints/**'],
  },
})

I'll point out that this usually not how an allowlist/denylist behaves. The "accepted", safe, intuitive behavior is the following:

• Nothing configured: default behavior, today "Hidden files, node_modules, and tests are ignored". I'd personally vote for a more advanced "respect .Xignore" support for a bunch of popular VCSes, like what ripgrep does, but that's a stretch.
• Only allowlist provided (include): takes precedence since the user went through the trouble of customizing this setting; only what's "included" is included; not what happens, and what this bug is about.
• Only denlist provided (exclude): takes precedence, everything is included except what's denied.
• Both allowlist & denylist provided: only what passes the allowlist, then filter out further according to denylist. Though I accept that the opposite (first denylist, then force-allowlist), which is WXT's current behavior ("[includeSources] overrides excludeSources; if a file matches both lists, it is included in the ZIP") is acceptable albeit annoying.

Pointers:

• https://wxt.dev/guide/essentials/publishing.html#firefox-addon-store
• https://wxt.dev/api/reference/wxt/interfaces/InlineConfig.html#zip
• Vaguely related: Automatic gathering of used files for zip #1505

Reproduction

repro.zip

Steps to reproduce

$ mkdir /tmp/repro && cd /tmp/repro
$ unzip /tmp/repro.zip
$ npm install
$ npm run zip:firefox
$ zipinfo .output/*sources.zip

System Info

System:
    OS: Linux 6.18 cpe:/o:nixos:nixos:26.05 26.05 (Yarara)
    CPU: irrelevant
    Memory: irrelevant
    Container: Yes
    Shell: 5.3.9 - /bin/bash
  Binaries:
    Node: 24.13.0 - node
    Yarn: 1.22.22 - yarn
    npm: 11.6.2 - npm
    pnpm: 10.28.0 - pnpm
  npmPackages:
    wxt: ^0.20.6 => 0.20.13

Used Package Manager

pnpm

Validations

• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[aklinker1]

I do not mention the defaults for those values, nor how they are merged. That's definitely part of the problem.

Gonna share the relevant lines of code here for reference:

How user config get's merged with the defaults

wxt/packages/wxt/src/core/resolve-config.ts

Lines 309 to 322 in 3417bd3

	excludeSources: [
	'**/node_modules',
	// WXT files
	'**/web-ext.config.ts',
	// Hidden files
	'**/.*',
	// Tests
	'**/__tests__/**',
	'**/*.+(test|spec).?(c|m)+(j|t)s?(x)',
	// Output directory
	`${path.relative(root, outBaseDir)}/**`,
	// From user
	...(mergedConfig.zip?.excludeSources ?? []),
	],

https://github.com/wxt-dev/wxt/blob/3417bd3ed27d2e52e6b906393e0329565256f0e7/packages/wxt/src/core/resolve-config.ts#L303C5-L303C24

The call to glob

wxt/packages/wxt/src/core/zip.ts

Lines 116 to 128 in 3417bd3

	const files = (
	await glob(['**/*', ...(options?.include || [])], {
	cwd: directory,
	// Ignore node_modules, otherwise this glob step takes forever
	ignore: ['**/node_modules'],
	onlyFiles: true,
	})
	).filter((relativePath) => {
	return (
	minimatchMultiple(relativePath, options?.include) ||
	!minimatchMultiple(relativePath, options?.exclude)
	);
	});

---

So basically all non-hidden files are included by default, unless you exclude it.

I have some cleanup to do here, like moving that **/* into the resolve-config.ts file so all the options are in one place.

WXT tries to provide intelligent defaults that work for most projects, but clearly don't work in your case... so they might be too generic. I have fallen victim to this on one of my own projects, so there's definintely a DX problem here lol.

---

So you're recommending list the files they want to include, then let the exclude option remove files from that list? Basically don't have WXT do anything for you so you have complete control.

I think that makes sense. It will have to be a breaking change, will need to wait for the next major release.

[aklinker1]

@PatrykKuniczak you wanna take this bug? It's a breaking change, be sure to work off the major branch.

Edit: nevermind, @kaigritun already opened a PR lol

[zopieux]

Thanks for taking action upon this suggestion!

So you're recommending list the files they want to include, then let the exclude option remove files from that list? Basically don't have WXT do anything for you so you have complete control.

Pretty much, yes. I don't mind the current default value for the blocklist though, which would be bullet point 3. If I say include: dir/** but dir contains some hidden files, they'd be not included by virtue of the default exclude. User can customize the exclude list if they really want hidden files.

The point I'm making is that with this conservative approach, the worst that can happen is that the Firefox review folks (if they still exist in 2026 Mozilla...) ask for missing source files, as opposed to random secrets being leaked.