rails_vite 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 65246e1c68cbefab2638785dcb3f9b28290922e2826ba1af7c2f48b00d4edc8e
-  data.tar.gz: 2fba5e05a532396f04fda7e64cf20e5d07e85776309b09a170d3ec8925f8a95f
+  metadata.gz: 87116a45bfd905d7f8e598b6dbf486f7206f39bc62ab39d9a0d43450f2ed2a28
+  data.tar.gz: f5b4ca52c2c10a2ad14da1bb46b3b43a2f566bf706e1063154d7056e09c16c31
 SHA512:
-  metadata.gz: 532d10ec22f6e0e4a0fefaed1216ad04efc618b3979365a47b9278be4c03d5ae24488b5fdb5bdce93ecbe963ed0a214483c22d673daa76bc1bb1af355b20850a
-  data.tar.gz: 16f20d8f3ee96046f57b12f81671d094fef7d057cc0f8b8d4ae82fb2ab848a44db2d8fcbdc8bed01246a8351433d2874c63f7f041ab8471e0db8f4c8907f40dc
+  metadata.gz: 206278e4c87c73d4c1529db69778c751b809d904f066f35ba23c06afa127dcdceac52c0fb0e1aba2d35ec5dfdd17d251ae62bca82ab4e7bbd503766a951d509d
+  data.tar.gz: 1759ef4e320790b3090c18c3476dcf1c253e30a910de32230f80fd5c78460d27f5b6f752812053571c4209b5d1a8724590c6ee26702e79abda2035c560e29074

data/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog],
 and this project adheres to [Semantic Versioning].
 
+## rails_vite@0.2.3 / rails-vite-plugin@0.2.5 - 2026-06-09
+
+### Added
+
+- `RailsVite.dev_server_csp_source` returns a Content Security Policy source for the running Vite dev server, resolved per request so it tracks the real (possibly auto-incremented) port and adds nothing when the server is down. Pass `websocket: true` for the HMR socket (#25) ([@skryukov])
+- `prependSourceDirToEntries` plugin option for `rails()` and `jsbundling()`. Set it to `false` to use Vite's `root` as your `sourceDir` — entries are then resolved by their bare, root-relative names instead of being prefixed with `sourceDir` (#22) ([@skryukov])
+
+### Changed
+
+- Auto builds now run quietly (`vite build --logLevel warn`) to keep system-test output clean; warnings and errors are still shown ([@skryukov])
+
+### Fixed
+
+- The development `@vite/client` and React Fast Refresh tags now derive their nonce from the request (`content_security_policy_nonce`) instead of inheriting whatever nonce the first `vite_*` call passed. A nonce-less first call (e.g. a stylesheet) no longer ships a nonce-less client script under a `strict-dynamic` CSP (#25) ([@skryukov])
+- Persist auto-build freshness across process restarts so repeated local system-test runs no longer rebuild unchanged assets. Freshness now derives from the build manifest's timestamp instead of in-memory state (#21) ([@skryukov], [@brodienguyen])
+- Don't delete the dev metadata file owned by another Vite process on exit, so concurrent Vite servers no longer clobber each other's dev server info (#27) ([@brodienguyen])
+- Allow Vite config to resolve in CI environments without weakening the dev-server environment guard (#28) ([@brodienguyen])
+
 ## rails_vite@0.2.2 / rails-vite-plugin@0.2.4 - 2026-04-09
 
 ### Added
@@ -74,6 +92,7 @@ and this project adheres to [Semantic Versioning].
 - Initial release ([@skryukov])
 
 [@skryukov]: https://github.com/skryukov
+[@brodienguyen]: https://github.com/brodienguyen
 
 [Keep a Changelog]: https://keepachangelog.com/en/1.0.0/
 [Semantic Versioning]: https://semver.org/spec/v2.0.0.html

data/README.md

@@ -107,12 +107,27 @@ CSS files are detected by extension and emit `<link rel="stylesheet">`:
 <%= vite_tags "application.css" %>
 ```
 
-### CSP Nonces
+### Content Security Policy
+
+Pass a `nonce` to any tag helper; it's applied to every tag it emits:
 
 ```erb
 <%= vite_tags "application.js", nonce: content_security_policy_nonce %>
 ```
 
+The dev server's `@vite/client` and React Fast Refresh tags pick up the request nonce automatically, so they work under `strict-dynamic` even when your first `vite_*` call is a nonce-less stylesheet.
+
+Running a CSP in development? Allow the dev server's origin with `RailsVite.dev_server_csp_source` — it resolves per request, so it tracks Vite's actual port and adds nothing when the server is down:
+
+```ruby
+# config/initializers/content_security_policy.rb — inside your `policy` block
+if Rails.env.development?
+  policy.script_src(*policy.script_src, RailsVite.dev_server_csp_source)
+  policy.style_src(*policy.style_src, RailsVite.dev_server_csp_source)
+  policy.connect_src(*policy.connect_src, RailsVite.dev_server_csp_source(websocket: true)) # HMR
+end
+```
+
 ### Subresource Integrity (SRI)
 
 [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) lets browsers verify that fetched assets haven't been tampered with by checking cryptographic hashes. Install the [`vite-plugin-manifest-sri`](https://github.com/nicolo-ribaudo/vite-plugin-manifest-sri) plugin:
@@ -178,6 +193,7 @@ export default defineConfig({
 | `buildDir` | `'vite'` | Build output subdirectory inside `public/` |
 | `publicDir` | `'public'` | Public directory |
 | `refresh` | `true` | Paths to watch for full-page reload. `true` watches `app/views/**` and `app/helpers/**` |
+| `prependSourceDirToEntries` | `true` | When `false`, entries are resolved without the `sourceDir` prefix. Set this when Vite's `root` is your `sourceDir` (see below) |
 
 ### Multiple Entry Points
 
@@ -208,6 +224,26 @@ rails({
 <%= vite_tags "entrypoints/application.ts" %>
 ```
 
+### Setting Vite's `root` to your source directory
+
+By default, `root` is the Rails project root, so `import.meta.glob` keys and manifest entries are prefixed with `sourceDir` (e.g. `app/frontend/components/Foo.jsx`). If you prefer `vite_ruby`-style root-relative names (`components/Foo.jsx`), set Vite's `root` to your source directory and tell the plugin not to prepend `sourceDir`:
+
+```typescript
+import { fileURLToPath } from 'node:url'
+
+export default defineConfig({
+  root: fileURLToPath(new URL('./app/frontend', import.meta.url)),
+  plugins: [
+    rails({ sourceDir: 'app/frontend', prependSourceDirToEntries: false }),
+  ],
+  build: {
+    outDir: fileURLToPath(new URL('./public/vite', import.meta.url)),
+  },
+})
+```
+
+With `root` set to the source directory, Vite emits bare manifest keys, and `prependSourceDirToEntries: false` makes the Rails helpers look them up by those bare names. Set both together. (Don't point `root` at a symlinked path — Vite resolves symlinks and emits keys that escape the root.)
+
 ## Adding Frameworks
 
 ### React
@@ -271,6 +307,10 @@ node ssr/ssr.js
 
 When the Vite dev server is not running, rails_vite automatically rebuilds assets on the first request if sources have changed. This is useful for system tests and quick checks without running `bin/dev`.
 
+Freshness is determined by comparing your source files' timestamps against the build manifest's timestamp. Since the manifest lives on disk, unchanged assets are not rebuilt across process restarts — for example, on repeated local system-test runs.
+
+Auto builds run quietly (`vite build --logLevel warn`), so they don't clutter your test output; warnings and errors are still shown. Run `rake vite:build` directly for the full build log.
+
 Disable it:
 
 ```ruby

data/lib/rails_vite/auto_build.rb

@@ -9,7 +9,6 @@ module RailsVite
       @app = app
       @config = config
       @mutex = Mutex.new
-      @last_build_at = NEVER
       @cached_source_mtime = nil
       @source_mtime_checked_at = nil
     end
@@ -25,16 +24,20 @@ module RailsVite
       @mutex.synchronize do
         return unless stale?
 
-        Rails.logger.error("rails-vite: build failed") unless system(RailsVite::Tasks.build_command)
-        @last_build_at = Time.now
+        # Build quietly: vite's per-build summary is noise on every auto-build
+        # (e.g. each local system-test run). Warnings and errors still stream.
+        Rails.logger.error("rails-vite: build failed") unless system("#{RailsVite::Tasks.build_command} --logLevel warn")
         @cached_source_mtime = nil
         @source_mtime_checked_at = nil
       end
     end
 
     def stale?
+      # The manifest file's mtime is our persisted "last build" timestamp: it
+      # lives on disk, so freshness survives process restarts (e.g. a new Rails
+      # process per local system-test run) without any extra state.
       !File.exist?(@config.manifest_path) ||
-        latest_source_mtime > @last_build_at
+        latest_source_mtime > File.mtime(@config.manifest_path)
     end
 
     def latest_source_mtime

data/lib/rails_vite/tag_helper.rb

@@ -47,8 +47,14 @@ module RailsVite
       tags = []
 
       unless @_vite_client_emitted
+        # The client/react-refresh tags are emitted once, on the first vite_*
+        # call. Their nonce must come from the request — not from whichever call
+        # happened to be first — so a nonce-less first call (e.g. a stylesheet)
+        # doesn't ship a nonce-less @vite/client under a `strict-dynamic` CSP.
+        client_nonce = nonce || (content_security_policy_nonce if respond_to?(:content_security_policy_nonce))
+
         if RailsVite.config.react_refresh?
-          tags << tag.script(type: "module", nonce: nonce) {
+          tags << tag.script(type: "module", nonce: client_nonce) {
             <<~JS.squish.html_safe
               import{injectIntoGlobalHook}from'#{dev_url}/@react-refresh';
               injectIntoGlobalHook(window);
@@ -57,7 +63,7 @@ module RailsVite
             JS
           }
         end
-        tags << tag.script(src: "#{dev_url}/@vite/client", type: "module", nonce: nonce)
+        tags << tag.script(src: "#{dev_url}/@vite/client", type: "module", nonce: client_nonce)
         @_vite_client_emitted = true
       end
 
@@ -111,10 +117,13 @@ module RailsVite
     end
 
     def resolve_vite_entry(entry, source_dir, entrypoints_dir)
-      return entry if entry.start_with?("#{source_dir}/", "/")
+      return entry if entry.start_with?("/")
+      return entry if !source_dir.empty? && entry.start_with?("#{source_dir}/")
 
-      prefix = entrypoints_dir ? "#{source_dir}/#{entrypoints_dir}" : source_dir
-      "#{prefix}/#{entry}"
+      # source_dir is empty when the plugin's `root` is the source directory
+      # (prependSourceDirToEntries: false) — entries are then looked up by their
+      # bare, manifest-relative names.
+      [source_dir, entrypoints_dir, entry].reject { |part| part.nil? || part.empty? }.join("/")
     end
 
     def vite_asset_url(file)

data/lib/rails_vite/version.rb

@@ -1,3 +1,3 @@
 module RailsVite
-  VERSION = "0.2.2"
+  VERSION = "0.2.3"
 end

data/lib/rails_vite.rb

@@ -24,6 +24,20 @@ module RailsVite
       manifest.digest
     end
 
+    # A Content Security Policy source for the running Vite dev server. Returns
+    # a lambda so the URL resolves per request: it tracks the dev server's real
+    # (possibly auto-incremented) port and contributes nothing when the server
+    # isn't running. Pass websocket: true for the HMR socket (http -> ws).
+    #
+    # RailsVite.config is qualified explicitly because Rails resolves CSP Proc
+    # sources via instance_exec, which rebinds self to the controller.
+    def dev_server_csp_source(websocket: false)
+      -> {
+        url = RailsVite.config.dev_server_url
+        url && (websocket ? url.sub(/\Ahttp/, "ws") : url)
+      }
+    end
+
     def reset!
       @config = nil
       @manifest = nil

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_vite
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Svyatoslav Kryukov