From 9eda23291f05f6f333502dbab4132d2d33a15225 Mon Sep 17 00:00:00 2001 From: Yinon Burgansky Date: Sun, 7 Sep 2025 17:57:48 +0300 Subject: [PATCH] fix: don't send server stack trace to client fixes #1967 Avoid sending Error.stack to the client. Stack traces can leak production file paths, internal function names, and other sensitive info, increasing attack surface.
---
 packages/start/src/runtime/server-handler.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/start/src/runtime/server-handler.ts b/packages/start/src/runtime/server-handler.ts
index 46e1603c5..992a1a43a 100644
--- a/packages/start/src/runtime/server-handler.ts
+++ b/packages/start/src/runtime/server-handler.ts
@@ -1,5 +1,5 @@
 ///
-import { crossSerializeStream, fromJSON, getCrossReferenceHeader } from "seroval";
+import { crossSerializeStream, Feature, fromJSON, getCrossReferenceHeader } from "seroval";
 // @ts-ignore
 import {
 CustomEventPlugin,
@@ -62,6 +62,7 @@ function serializeToStream(id: string, value: any) {
 URLSearchParamsPlugin,
 URLPlugin
 ],
+ disabledFeatures: import.meta.env.PROD ? Feature.ErrorPrototypeStack : undefined,
 onSerialize(data, initial) {
 controller.enqueue(
 createChunk(initial ? `(${getCrossReferenceHeader(id)},${data})` : data)
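Review bot: The added `disabledFeatures` line in `serializeToStream` removes only `Error.stack`. The error's `message` still goes to the client in production, and as far as I know seroval's Error handling, so do other own properties such as `cause`. Messages from database drivers or filesystem calls can carry the same paths and internal names the commit description wants to keep private. I would document that limit on the line, for example `// PROD only: omit Error.stack from the stream; message and own properties are still sent, so sanitize thrown errors before they reach the serializer`. The option is also gated on `import.meta.env.PROD`, so a deployment not built in production mode keeps sending stacks, which is worth stating in the same comment. `serializeToStream` starts and ends outside the hunk, so any other serializer call sites in this file are not visible here and should be checked for the same option.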