Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles
Since 2017, the default webpack plugins have passed the entire process.env to EnvironmentPlugin. This pattern exposed ALL build environment variables to client-side JavaScript bundles whenever application code (or any dependency) referenced process.env.VARIABLE_NAME. This is not a regression - the vulnerable code has existed since the original Webpacker implementation. No recent code change in Shakapacker triggered this issue.