From 588b21ed5d9351a128917bb1d336c1b9683ed311 Mon Sep 17 00:00:00 2001
From: Rodolfo Carvalho <rhcarvalho@gmail.com>
Date: Wed, 17 Jun 2026 11:45:40 +0200
Subject: [PATCH] Prioritize project-local build path in NODE_PATH config
 templates

For security, ensure that project-local files (Mix.Project.build_path())
have priority over dependency-controlled directories (Path.expand("../deps", __DIR__))
in the NODE_PATH environment variable for esbuild and tailwind configs.
This prevents dependencies from overriding project-local assets/files.
---
 installer/templates/phx_single/config/config.exs.eex          | 4 ++--
 .../phx_umbrella/apps/app_name_web/config/config.exs.eex      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/installer/templates/phx_single/config/config.exs.eex b/installer/templates/phx_single/config/config.exs.eex
index c58796a9c7..0d4971c2a7 100644
--- a/installer/templates/phx_single/config/config.exs.eex
+++ b/installer/templates/phx_single/config/config.exs.eex
@@ -45,7 +45,7 @@ config :esbuild,
     args:
       ~w(js/app.js --bundle --target=es2022 --outdir=../priv/static/assets/js --external:/fonts/* --external:/images/* --alias:@=.),
     cd: Path.expand("..<%= if @in_umbrella, do: "/apps/#{@app_name}" %>/assets", __DIR__),
-    env: %{"NODE_PATH" => [Path.expand("../deps", __DIR__), Mix.Project.build_path()]}
+    env: %{"NODE_PATH" => [Mix.Project.build_path(), Path.expand("../deps", __DIR__)]}
   ]<% end %><%= if @css do %>
 
 # Configure tailwind (the version is required)
@@ -57,7 +57,7 @@ config :tailwind,
       --output=priv/static/assets/css/app.css
     ),
     cd: Path.expand("..<%= if @in_umbrella, do: "/apps/#{@app_name}" %>", __DIR__),
-    env: %{"NODE_PATH" => [Path.expand("../deps", __DIR__), Mix.Project.build_path()]}
+    env: %{"NODE_PATH" => [Mix.Project.build_path(), Path.expand("../deps", __DIR__)]}
   ]<% end %>
 
 # Configure Elixir's Logger
diff --git a/installer/templates/phx_umbrella/apps/app_name_web/config/config.exs.eex b/installer/templates/phx_umbrella/apps/app_name_web/config/config.exs.eex
index 8c4743db9a..8c02affb66 100644
--- a/installer/templates/phx_umbrella/apps/app_name_web/config/config.exs.eex
+++ b/installer/templates/phx_umbrella/apps/app_name_web/config/config.exs.eex
@@ -24,7 +24,7 @@ config :esbuild,
     args:
       ~w(js/app.js --bundle --target=es2022 --outdir=../priv/static/assets/js --external:/fonts/* --external:/images/* --alias:@=.),
     cd: Path.expand("../apps/<%= @web_app_name %>/assets", __DIR__),
-    env: %{"NODE_PATH" => [Path.expand("../deps", __DIR__), Mix.Project.build_path()]}
+    env: %{"NODE_PATH" => [Mix.Project.build_path(), Path.expand("../deps", __DIR__)]}
   ]<% end %><%= if @css do %>
 
 # Configure tailwind (the version is required)
@@ -36,5 +36,5 @@ config :tailwind,
       --output=priv/static/assets/css/app.css
     ),
     cd: Path.expand("../apps/<%= @web_app_name %>", __DIR__),
-    env: %{"NODE_PATH" => [Path.expand("../deps", __DIR__), Mix.Project.build_path()]}
+    env: %{"NODE_PATH" => [Mix.Project.build_path(), Path.expand("../deps", __DIR__)]}
   ]<% end %>