
Security issue where *.server.js are exposed in dev mode #10383

Open
ybouane opened this issue Jan 4, 2025 · 0 comments

ybouane commented Jan 4, 2025

Reproduction

https://stackblitz.com/edit/remix-run-remix-vcsxcesm?file=package.json

You can visit the /app/secret.server.js endpoint and see the content of the file.

Note: this happens in dev mode, via the vite dev command.

System Info

  System:
    OS: Linux 5.0 undefined
    CPU: (8) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
    Memory: 0 Bytes / 0 Bytes
    Shell: 1.0 - /bin/jsh
  Binaries:
    Node: 18.20.3 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.2.3 - /usr/local/bin/npm
    pnpm: 8.15.6 - /usr/local/bin/pnpm
  npmPackages:
    @remix-run/dev: 2.3.0 => 2.3.0 
    @remix-run/eslint-config: ^2.3.0 => 2.3.0 
    @remix-run/node: ^2.3.0 => 2.15.2 
    @remix-run/react: ^2.3.0 => 2.15.2 
    @remix-run/serve: ^2.3.0 => 2.15.2 
    vite: 5.0.0 => 5.0.0

Used Package Manager

npm

Expected Behavior

The file should either not be accessible or the server-side code should be stripped.

Note that sometimes it does work and the file's server content is properly stripped, but I could not find a way to reproduce this. It almost seems random.

Actual Behavior

The file is exposed as is.
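A dev-time mitigation while this is open, as an added example that is not Remix's or Vite's own code: a small Vite plugin that refuses direct browser requests for server-only modules before Vite's static and transform handlers see them. It assumes Remix's naming convention (files matching *.server.* and anything under a .server/ directory) and Vite's configureServer hook, whose middlewares run ahead of Vite's internal ones; the plugin name is made up.

```javascript
// Added example, not part of the issue or of Remix/Vite. Blocks direct
// browser requests for server-only source files on the Vite dev server.

// Assumption: Remix's convention that "*.server.*" files and ".server/"
// directories hold server-only code that must never be served to the client.
function isServerOnlyPath(pathname) {
  let decoded;
  try {
    // Normalise percent-encoding so "secret%2Eserver.js" is not missed.
    decoded = decodeURIComponent(pathname);
  } catch {
    return true; // malformed path: fail closed
  }
  return /\.server\.[^/]+$/.test(decoded) || /(^|\/)\.server\//.test(decoded);
}

// Connect-style middleware: 403 for server-only paths, pass through otherwise.
// Query strings such as "?import" or "?t=123" and the "/@fs/" prefix Vite
// uses for absolute paths are handled by looking only at the pathname.
function denyServerOnly(req, res, next) {
  const { pathname } = new URL(req.url, 'http://localhost');
  if (isServerOnlyPath(pathname)) {
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden: server-only module');
    return;
  }
  next();
}

// Vite plugin wrapper (hypothetical name). Middlewares registered in
// configureServer run before Vite's built-in static/transform middlewares.
function denyServerOnlyPlugin() {
  return {
    name: 'deny-server-only-modules',
    configureServer(server) {
      server.middlewares.use(denyServerOnly);
    },
  };
}
```

Add denyServerOnlyPlugin() to the plugins array in vite.config, then request /app/secret.server.js from the dev server and confirm a 403 instead of the file body.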
