@tinacms/cli 2.1.7 → 2.1.8

package/dist/index.js

@@ -2,7 +2,7 @@
 import { Cli, Builtins } from "clipanion";
 
 // package.json
-var version = "2.1.7";
+var version = "2.1.8";
 
 // src/next/commands/dev-command/index.ts
 import path8 from "path";
@@ -1255,15 +1255,15 @@ var loaders = {
 };
 
 // src/next/database.ts
+import { createServer } from "net";
 import {
-  createDatabaseInternal,
   FilesystemBridge,
-  TinaLevelClient
+  TinaLevelClient,
+  createDatabaseInternal
 } from "@tinacms/graphql";
-import { pipeline } from "readable-stream";
-import { createServer } from "net";
 import { ManyLevelHost } from "many-level";
 import { MemoryLevel } from "memory-level";
+import { pipeline } from "readable-stream";
 var createDBServer = (port) => {
   const levelHost = new ManyLevelHost(
     // @ts-ignore
@@ -1282,7 +1282,7 @@ var createDBServer = (port) => {
       );
     }
   });
-  dbServer.listen(port);
+  dbServer.listen(port, "localhost");
 };
 async function createAndInitializeDatabase(configManager, datalayerPort, bridgeOverride) {
   let database;
@@ -1586,6 +1586,43 @@ import {
   splitVendorChunkPlugin
 } from "vite";
 
+// src/next/vite/cors.ts
+var LOCALHOST_RE = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;
+var PRIVATE_NETWORK_RE = /^https?:\/\/(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(:\d+)?$/;
+function expandOrigins(raw) {
+  const hasPrivate = raw.some((o) => o === "private");
+  const filtered = raw.filter((o) => o !== "private");
+  return hasPrivate ? [...filtered, PRIVATE_NETWORK_RE] : filtered;
+}
+function buildCorsOriginCheck(allowedOrigins = []) {
+  const extra = expandOrigins(allowedOrigins);
+  return (origin, callback) => {
+    if (!origin) {
+      callback(null, true);
+      return;
+    }
+    if (LOCALHOST_RE.test(origin)) {
+      callback(null, true);
+      return;
+    }
+    for (const allowed of extra) {
+      if (typeof allowed === "string") {
+        if (allowed === origin) {
+          callback(null, true);
+          return;
+        }
+      } else {
+        allowed.lastIndex = 0;
+        if (allowed.test(origin)) {
+          callback(null, true);
+          return;
+        }
+      }
+    }
+    callback(null, false);
+  };
+}
+
 // src/next/vite/filterPublicEnv.ts
 function filterPublicEnv(env = process.env) {
   const publicEnv = {};
@@ -2022,6 +2059,13 @@ var createConfig = async ({
     },
     server: {
       host: configManager.config?.build?.host ?? false,
+      // Restrict Vite's built-in CORS to the same origins our custom
+      // middleware allows (localhost + user-configured allowedOrigins).
+      cors: {
+        origin: buildCorsOriginCheck(
+          configManager.config?.server?.allowedOrigins
+        )
+      },
       watch: noWatch ? {
         ignored: ["**/*"]
       } : {
@@ -2031,7 +2075,15 @@ var createConfig = async ({
         ]
       },
       fs: {
-        strict: false
+        strict: true,
+        // Allow serving files from the project root and the SPA package.
+        // Without this, Vite would block access to tina config/generated
+        // files since the Vite root is the @tinacms/app package directory.
+        allow: [
+          configManager.spaRootPath,
+          configManager.rootPath,
+          ...configManager.contentRootPath && configManager.contentRootPath !== configManager.rootPath ? [configManager.contentRootPath] : []
+        ]
       }
     },
     build: {
@@ -2061,14 +2113,14 @@ var createConfig = async ({
 };
 
 // src/next/vite/plugins.ts
-import { createFilter } from "@rollup/pluginutils";
 import fs6 from "fs";
-import { transformWithEsbuild } from "vite";
-import { transform as esbuildTransform } from "esbuild";
 import path7 from "path";
+import { createFilter } from "@rollup/pluginutils";
+import { resolve as gqlResolve } from "@tinacms/graphql";
 import bodyParser from "body-parser";
 import cors from "cors";
-import { resolve as gqlResolve } from "@tinacms/graphql";
+import { transform as esbuildTransform } from "esbuild";
+import { transformWithEsbuild } from "vite";
 
 // src/next/commands/dev-command/server/media.ts
 import path6, { join } from "path";
@@ -2402,10 +2454,18 @@ var devServerEndPointsPlugin = ({
   searchIndex,
   databaseLock
 }) => {
+  const corsOriginCheck = buildCorsOriginCheck(
+    configManager.config?.server?.allowedOrigins
+  );
   const plug = {
     name: "graphql-endpoints",
     configureServer(server) {
-      server.middlewares.use(cors());
+      server.middlewares.use(
+        cors({
+          origin: corsOriginCheck,
+          methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
+        })
+      );
       server.middlewares.use(bodyParser.json({ limit: "5mb" }));
       server.middlewares.use(async (req, res, next) => {
         const mediaPaths = configManager.config.media?.tina;
@@ -5872,6 +5932,12 @@ import { LocalAuthProvider } from "tinacms";`;
       outputFolder: "admin",
       publicFolder: "${args.publicFolder}",
     },
+    // Uncomment to allow cross-origin requests from non-localhost origins
+    // during local development (e.g. GitHub Codespaces, Gitpod, Docker).
+    // Use 'private' to allow all private-network IPs (WSL2, Docker, etc.)
+    // server: {
+    //   allowedOrigins: ['https://your-codespace.github.dev'],
+    // },
     media: {
       tina: {
         mediaRoot: "",

package/dist/next/database.d.ts

@@ -1,4 +1,4 @@
-import { Database, Bridge } from '@tinacms/graphql';
+import { Bridge, Database } from '@tinacms/graphql';
 import { ConfigManager } from './config-manager';
 export declare const createDBServer: (port: number) => void;
 export declare function createAndInitializeDatabase(configManager: ConfigManager, datalayerPort: number, bridgeOverride?: Bridge): Promise<Database>;

package/dist/next/vite/cors.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared CORS origin-checking logic for the TinaCMS dev server.
+ *
+ * By default only localhost / 127.0.0.1 / [::1] (any port) are allowed.
+ * Users can extend this via `server.allowedOrigins` in their tina config.
+ * The special keyword `'private'` expands to all RFC 1918 private-network
+ * IP ranges (10.x, 172.16-31.x, 192.168.x) — useful for WSL2, Docker
+ * bridge networks, etc.
+ */
+/**
+ * Build a CORS `origin` callback compatible with the `cors` npm package.
+ */
+export declare function buildCorsOriginCheck(allowedOrigins?: (string | RegExp)[]): (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void;

package/dist/next/vite/plugins.d.ts

@@ -1,8 +1,8 @@
-import type { Plugin } from 'vite';
 import { FilterPattern } from '@rollup/pluginutils';
 import type { Config } from '@svgr/core';
-import { transformWithEsbuild } from 'vite';
 import type { Database } from '@tinacms/graphql';
+import type { Plugin } from 'vite';
+import { transformWithEsbuild } from 'vite';
 import type { ConfigManager } from '../config-manager';
 export declare const transformTsxPlugin: ({ configManager: _configManager, }: {
     configManager: ConfigManager;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/cli",
   "type": "module",
-  "version": "2.1.7",
+  "version": "2.1.8",
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "files": [
@@ -88,12 +88,12 @@
     "vite": "^4.5.9",
     "yup": "^1.6.1",
     "zod": "^3.24.2",
-    "@tinacms/app": "2.3.26",
-    "@tinacms/graphql": "2.1.3",
+    "@tinacms/app": "2.3.27",
+    "@tinacms/graphql": "2.1.4",
     "@tinacms/metrics": "2.0.1",
-    "@tinacms/schema-tools": "2.6.0",
-    "@tinacms/search": "1.2.4",
-    "tinacms": "3.5.1"
+    "@tinacms/schema-tools": "2.7.0",
+    "@tinacms/search": "1.2.5",
+    "tinacms": "3.6.0"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"