npm - elit - Versions diffs - 3.6.0 → 3.6.2 - Mend

elit 3.6.0 → 3.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/server.cjs CHANGED Viewed

@@ -56718,22 +56718,30 @@ async function resolveWorkspaceElitImportBasePath(rootDir, basePath, _mode) {
   }
   return void 0;
 }
+var BROWSER_SAFE_ELIT_IMPORTS = {
+  "elit": "index",
+  "elit/dom": "dom",
+  "elit/el": "el",
+  "elit/native": "native",
+  "elit/universal": "universal",
+  "elit/router": "router",
+  "elit/state": "state",
+  "elit/style": "style",
+  "elit/hmr": "hmr",
+  "elit/types": "types"
+};
+function createBrowserSafeElitImports(basePath, fileExt) {
+  return Object.fromEntries(
+    Object.entries(BROWSER_SAFE_ELIT_IMPORTS).map(([specifier, outputName]) => [
+      specifier,
+      `${basePath}/${outputName}${fileExt}`
+    ])
+  );
+}
 var createElitImportMap = async (rootDir, basePath = "", mode = "dev") => {
   const workspaceImportBasePath = await resolveWorkspaceElitImportBasePath(rootDir, basePath, mode);
-  const fileExt = ".js";
-  const elitImports = workspaceImportBasePath ? {
-    "elit": `${workspaceImportBasePath}/index${fileExt}`,
-    "elit/": `${workspaceImportBasePath}/`,
-    "elit/dom": `${workspaceImportBasePath}/dom${fileExt}`,
-    "elit/state": `${workspaceImportBasePath}/state${fileExt}`,
-    "elit/style": `${workspaceImportBasePath}/style${fileExt}`,
-    "elit/el": `${workspaceImportBasePath}/el${fileExt}`,
-    "elit/universal": `${workspaceImportBasePath}/universal${fileExt}`,
-    "elit/router": `${workspaceImportBasePath}/router${fileExt}`,
-    "elit/hmr": `${workspaceImportBasePath}/hmr${fileExt}`,
-    "elit/types": `${workspaceImportBasePath}/types${fileExt}`,
-    "elit/native": `${workspaceImportBasePath}/native${fileExt}`
-  } : {};
+  const fileExt = ".mjs";
+  const elitImports = workspaceImportBasePath ? createBrowserSafeElitImports(workspaceImportBasePath, fileExt) : {};
   const externalImports = await generateExternalImportMaps(rootDir, basePath);
   const allImports = { ...externalImports, ...elitImports };
   return `<script type="importmap">${JSON.stringify({ imports: allImports }, null, 2)}</script>`;
@@ -57004,6 +57012,29 @@ async function processPackage(nodeModulesPath, pkgName, importMap, basePath) {
   }
 }
 function processExportsField(pkgName, exports2, baseUrl, importMap) {
+  if (pkgName === "elit") {
+    if (typeof exports2 !== "object" || exports2 === null) {
+      return;
+    }
+    const elitExports = exports2;
+    const browserSafeImports = {};
+    const rootResolved = "." in elitExports ? resolveExport(elitExports["."]) : "import" in elitExports ? resolveExport(elitExports) : null;
+    if (rootResolved) {
+      browserSafeImports.elit = `${baseUrl}/${rootResolved}`;
+    }
+    const allowedSubpaths = Object.keys(BROWSER_SAFE_ELIT_IMPORTS).filter((specifier) => specifier !== "elit").map((specifier) => ({
+      exportKey: `./${specifier.slice("elit/".length)}`,
+      importName: specifier
+    }));
+    for (const { exportKey, importName } of allowedSubpaths) {
+      const resolved = resolveExport(elitExports[exportKey]);
+      if (resolved) {
+        browserSafeImports[importName] = `${baseUrl}/${resolved}`;
+      }
+    }
+    Object.assign(importMap, browserSafeImports);
+    return;
+  }
   if (typeof exports2 === "string") {
     importMap[pkgName] = `${baseUrl}/${exports2}`;
     importMap[`${pkgName}/`] = `${baseUrl}/`;
@@ -57365,6 +57396,85 @@ function shouldUseClientFallbackRoot(primaryRoot, fallbackRoot, indexPath) {
   const primaryHasRuntimeSources = existsSync(join(resolvedPrimaryRoot, "src")) || existsSync(join(resolvedPrimaryRoot, "public")) || existsSync(join(resolvedPrimaryRoot, normalizedIndexPath));
   return !primaryHasRuntimeSources;
 }
+function isPathWithinRoot(filePath, rootDir) {
+  return filePath === rootDir || filePath.startsWith(rootDir.endsWith(sep) ? rootDir : `${rootDir}${sep}`);
+}
+async function getAllowedClientRoots(client) {
+  const allowedRoots = [];
+  for (const candidateRoot of [client.root, client.fallbackRoot]) {
+    if (!candidateRoot) {
+      continue;
+    }
+    try {
+      const resolvedRoot = await realpath(resolve(candidateRoot));
+      if (!allowedRoots.includes(resolvedRoot)) {
+        allowedRoots.push(resolvedRoot);
+      }
+    } catch {
+    }
+  }
+  return allowedRoots;
+}
+async function getClientBaseDirs(client, isDistRequest, isNodeModulesRequest) {
+  const baseDirs = [];
+  for (const candidateRoot of [client.root, client.fallbackRoot]) {
+    if (!candidateRoot) {
+      continue;
+    }
+    try {
+      const resolvedRoot = await realpath(resolve(candidateRoot));
+      let baseDir = resolvedRoot;
+      if (isDistRequest || isNodeModulesRequest) {
+        const targetDir = isDistRequest ? "dist" : "node_modules";
+        const foundDir = await findSpecialDir(candidateRoot, targetDir);
+        baseDir = foundDir ? await realpath(foundDir) : resolvedRoot;
+      }
+      if (!baseDirs.includes(baseDir)) {
+        baseDirs.push(baseDir);
+      }
+    } catch {
+    }
+  }
+  return baseDirs;
+}
+async function resolveClientPathFromBaseDir(baseDir, normalizedPath) {
+  const tryRealpathWithinBaseDir = async (relativePath2) => {
+    const unresolvedPath = resolve(join(baseDir, relativePath2));
+    if (!isPathWithinRoot(unresolvedPath, baseDir)) {
+      return void 0;
+    }
+    try {
+      return await realpath(unresolvedPath);
+    } catch {
+      return void 0;
+    }
+  };
+  const exactPath = await tryRealpathWithinBaseDir(normalizedPath);
+  if (exactPath) {
+    return exactPath;
+  }
+  if (normalizedPath.endsWith(".js")) {
+    const tsPath = await tryRealpathWithinBaseDir(normalizedPath.replace(/\.js$/, ".ts"));
+    if (tsPath) {
+      return tsPath;
+    }
+  }
+  if (normalizedPath.includes(".")) {
+    return void 0;
+  }
+  for (const candidatePath of [
+    `${normalizedPath}.ts`,
+    `${normalizedPath}.js`,
+    join(normalizedPath, "index.ts"),
+    join(normalizedPath, "index.js")
+  ]) {
+    const resolvedPath = await tryRealpathWithinBaseDir(candidatePath);
+    if (resolvedPath) {
+      return resolvedPath;
+    }
+  }
+  return void 0;
+}
 function createDevServer(options) {
   const config = { ...defaultOptions, ...options };
   const wsClients = /* @__PURE__ */ new Set();
@@ -57394,6 +57504,7 @@ function createDevServer(options) {
     const activeRoot = useFallbackRoot ? client.fallbackRoot || client.root : client.root;
     return {
       root: activeRoot,
+      fallbackRoot: useFallbackRoot ? void 0 : client.fallbackRoot,
       basePath,
       index: useFallbackRoot ? void 0 : indexPath,
       ssr: useFallbackRoot ? void 0 : client.ssr,
@@ -57495,75 +57606,26 @@ function createDevServer(options) {
       return send403(res, "403 Forbidden");
     }
     normalizedPath = tempPath;
-    const rootDir = await realpath(resolve(matchedClient.root));
-    let baseDir = rootDir;
-    if (isDistRequest || isNodeModulesRequest) {
-      const targetDir = isDistRequest ? "dist" : "node_modules";
-      const foundDir = await findSpecialDir(matchedClient.root, targetDir);
-      baseDir = foundDir ? await realpath(foundDir) : rootDir;
-    }
     let fullPath;
-    try {
-      const unresolvedPath = resolve(join(baseDir, normalizedPath));
-      if (!unresolvedPath.startsWith(baseDir.endsWith(sep) ? baseDir : baseDir + sep)) {
-        if (config.logging) console.log(`[403] File access outside of root (before symlink): ${unresolvedPath}`);
-        return send403(res, "403 Forbidden");
-      }
-      fullPath = await realpath(unresolvedPath);
-      if (config.logging && filePath === "/src/pages") {
-        console.log(`[DEBUG] Initial resolve succeeded: ${fullPath}`);
-      }
-    } catch (firstError) {
-      let resolvedPath;
-      if (config.logging && !normalizedPath.includes(".")) {
-        console.log(`[DEBUG] File not found: ${normalizedPath}, trying extensions...`);
-      }
-      if (normalizedPath.endsWith(".js")) {
-        const tsPath = normalizedPath.replace(/\.js$/, ".ts");
-        try {
-          const tsFullPath = await realpath(resolve(join(baseDir, tsPath)));
-          if (!tsFullPath.startsWith(baseDir.endsWith(sep) ? baseDir : baseDir + sep)) {
-            if (config.logging) console.log(`[403] Fallback TS path outside of root: ${tsFullPath}`);
-            return send403(res, "403 Forbidden");
-          }
-          resolvedPath = tsFullPath;
-        } catch {
+    const baseDirs = await getClientBaseDirs(matchedClient, isDistRequest, isNodeModulesRequest);
+    for (const baseDir of baseDirs) {
+      fullPath = await resolveClientPathFromBaseDir(baseDir, normalizedPath);
+      if (fullPath) {
+        if (config.logging && filePath === "/src/pages") {
+          console.log(`[DEBUG] Initial resolve succeeded: ${fullPath}`);
         }
+        break;
       }
-      if (!resolvedPath && !normalizedPath.includes(".")) {
-        try {
-          resolvedPath = await realpath(resolve(join(baseDir, normalizedPath + ".ts")));
-          if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}.ts`);
-        } catch {
-          try {
-            resolvedPath = await realpath(resolve(join(baseDir, normalizedPath + ".js")));
-            if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}.js`);
-          } catch {
-            try {
-              resolvedPath = await realpath(resolve(join(baseDir, normalizedPath, "index.ts")));
-              if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}/index.ts`);
-            } catch {
-              try {
-                resolvedPath = await realpath(resolve(join(baseDir, normalizedPath, "index.js")));
-                if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}/index.js`);
-              } catch {
-                if (config.logging) console.log(`[DEBUG] Not found: all attempts failed for ${normalizedPath}`);
-              }
-            }
-          }
-        }
-      }
-      if (!resolvedPath) {
-        if (!res.headersSent) {
-          if (filePath === "/index.html" && matchedClient.ssr) {
-            return await serveSSR(res, matchedClient);
-          }
-          if (config.logging) console.log(`[404] ${filePath}`);
-          return send404(res, "404 Not Found");
+    }
+    if (!fullPath) {
+      if (!res.headersSent) {
+        if (filePath === "/index.html" && matchedClient.ssr) {
+          return await serveSSR(res, matchedClient);
         }
-        return;
+        if (config.logging) console.log(`[404] ${filePath}`);
+        return send404(res, "404 Not Found");
       }
-      fullPath = resolvedPath;
+      return;
     }
     try {
       const stats = await stat(fullPath);
@@ -57592,11 +57654,12 @@ function createDevServer(options) {
       return send404(res, "404 Not Found");
     }
     try {
+      const allowedRoots = await getAllowedClientRoots(matchedClient);
       const stats = await stat(fullPath);
       if (stats.isDirectory()) {
         try {
           const indexPath = await realpath(resolve(join(fullPath, "index.html")));
-          if (!indexPath.startsWith(rootDir + sep) && indexPath !== rootDir) {
+          if (!isPathWithinRoot(indexPath, fullPath) && !allowedRoots.some((rootDir) => isPathWithinRoot(indexPath, rootDir))) {
             return send403(res, "403 Forbidden");
           }
           await stat(indexPath);
@@ -57618,10 +57681,11 @@ function createDevServer(options) {
       return input.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
     }
     try {
-      const rootDir = await realpath(resolve(client.root));
+      const allowedRoots = await getAllowedClientRoots(client);
+      const rootDir = allowedRoots[0] || await realpath(resolve(client.root));
       const unresolvedPath = resolve(filePath);
       if (!isNodeModulesOrDist) {
-        if (!unresolvedPath.startsWith(rootDir + sep) && unresolvedPath !== rootDir) {
+        if (!allowedRoots.some((allowedRoot) => isPathWithinRoot(unresolvedPath, allowedRoot))) {
           if (config.logging) console.log(`[403] Attempted to serve file outside allowed directories: ${filePath}`);
           return send403(res, "403 Forbidden");
         }

package/dist/server.js CHANGED Viewed

@@ -63445,22 +63445,30 @@ tell application "System Events" to get value of property list item "CFBundleNam
     }
     return void 0;
   }
+  var BROWSER_SAFE_ELIT_IMPORTS = {
+    "elit": "index",
+    "elit/dom": "dom",
+    "elit/el": "el",
+    "elit/native": "native",
+    "elit/universal": "universal",
+    "elit/router": "router",
+    "elit/state": "state",
+    "elit/style": "style",
+    "elit/hmr": "hmr",
+    "elit/types": "types"
+  };
+  function createBrowserSafeElitImports(basePath, fileExt) {
+    return Object.fromEntries(
+      Object.entries(BROWSER_SAFE_ELIT_IMPORTS).map(([specifier, outputName]) => [
+        specifier,
+        `${basePath}/${outputName}${fileExt}`
+      ])
+    );
+  }
   var createElitImportMap = async (rootDir, basePath = "", mode = "dev") => {
     const workspaceImportBasePath = await resolveWorkspaceElitImportBasePath(rootDir, basePath, mode);
-    const fileExt = ".js";
-    const elitImports = workspaceImportBasePath ? {
-      "elit": `${workspaceImportBasePath}/index${fileExt}`,
-      "elit/": `${workspaceImportBasePath}/`,
-      "elit/dom": `${workspaceImportBasePath}/dom${fileExt}`,
-      "elit/state": `${workspaceImportBasePath}/state${fileExt}`,
-      "elit/style": `${workspaceImportBasePath}/style${fileExt}`,
-      "elit/el": `${workspaceImportBasePath}/el${fileExt}`,
-      "elit/universal": `${workspaceImportBasePath}/universal${fileExt}`,
-      "elit/router": `${workspaceImportBasePath}/router${fileExt}`,
-      "elit/hmr": `${workspaceImportBasePath}/hmr${fileExt}`,
-      "elit/types": `${workspaceImportBasePath}/types${fileExt}`,
-      "elit/native": `${workspaceImportBasePath}/native${fileExt}`
-    } : {};
+    const fileExt = ".mjs";
+    const elitImports = workspaceImportBasePath ? createBrowserSafeElitImports(workspaceImportBasePath, fileExt) : {};
     const externalImports = await generateExternalImportMaps(rootDir, basePath);
     const allImports = { ...externalImports, ...elitImports };
     return `<script type="importmap">${JSON.stringify({ imports: allImports }, null, 2)}</script>`;
@@ -63731,6 +63739,29 @@ tell application "System Events" to get value of property list item "CFBundleNam
     }
   }
   function processExportsField(pkgName, exports2, baseUrl, importMap) {
+    if (pkgName === "elit") {
+      if (typeof exports2 !== "object" || exports2 === null) {
+        return;
+      }
+      const elitExports = exports2;
+      const browserSafeImports = {};
+      const rootResolved = "." in elitExports ? resolveExport(elitExports["."]) : "import" in elitExports ? resolveExport(elitExports) : null;
+      if (rootResolved) {
+        browserSafeImports.elit = `${baseUrl}/${rootResolved}`;
+      }
+      const allowedSubpaths = Object.keys(BROWSER_SAFE_ELIT_IMPORTS).filter((specifier) => specifier !== "elit").map((specifier) => ({
+        exportKey: `./${specifier.slice("elit/".length)}`,
+        importName: specifier
+      }));
+      for (const { exportKey, importName } of allowedSubpaths) {
+        const resolved = resolveExport(elitExports[exportKey]);
+        if (resolved) {
+          browserSafeImports[importName] = `${baseUrl}/${resolved}`;
+        }
+      }
+      Object.assign(importMap, browserSafeImports);
+      return;
+    }
     if (typeof exports2 === "string") {
       importMap[pkgName] = `${baseUrl}/${exports2}`;
       importMap[`${pkgName}/`] = `${baseUrl}/`;
@@ -64092,6 +64123,85 @@ tell application "System Events" to get value of property list item "CFBundleNam
     const primaryHasRuntimeSources = existsSync(join(resolvedPrimaryRoot, "src")) || existsSync(join(resolvedPrimaryRoot, "public")) || existsSync(join(resolvedPrimaryRoot, normalizedIndexPath));
     return !primaryHasRuntimeSources;
   }
+  function isPathWithinRoot(filePath, rootDir) {
+    return filePath === rootDir || filePath.startsWith(rootDir.endsWith(sep) ? rootDir : `${rootDir}${sep}`);
+  }
+  async function getAllowedClientRoots(client) {
+    const allowedRoots = [];
+    for (const candidateRoot of [client.root, client.fallbackRoot]) {
+      if (!candidateRoot) {
+        continue;
+      }
+      try {
+        const resolvedRoot = await realpath(resolve(candidateRoot));
+        if (!allowedRoots.includes(resolvedRoot)) {
+          allowedRoots.push(resolvedRoot);
+        }
+      } catch {
+      }
+    }
+    return allowedRoots;
+  }
+  async function getClientBaseDirs(client, isDistRequest, isNodeModulesRequest) {
+    const baseDirs = [];
+    for (const candidateRoot of [client.root, client.fallbackRoot]) {
+      if (!candidateRoot) {
+        continue;
+      }
+      try {
+        const resolvedRoot = await realpath(resolve(candidateRoot));
+        let baseDir = resolvedRoot;
+        if (isDistRequest || isNodeModulesRequest) {
+          const targetDir = isDistRequest ? "dist" : "node_modules";
+          const foundDir = await findSpecialDir(candidateRoot, targetDir);
+          baseDir = foundDir ? await realpath(foundDir) : resolvedRoot;
+        }
+        if (!baseDirs.includes(baseDir)) {
+          baseDirs.push(baseDir);
+        }
+      } catch {
+      }
+    }
+    return baseDirs;
+  }
+  async function resolveClientPathFromBaseDir(baseDir, normalizedPath) {
+    const tryRealpathWithinBaseDir = async (relativePath2) => {
+      const unresolvedPath = resolve(join(baseDir, relativePath2));
+      if (!isPathWithinRoot(unresolvedPath, baseDir)) {
+        return void 0;
+      }
+      try {
+        return await realpath(unresolvedPath);
+      } catch {
+        return void 0;
+      }
+    };
+    const exactPath = await tryRealpathWithinBaseDir(normalizedPath);
+    if (exactPath) {
+      return exactPath;
+    }
+    if (normalizedPath.endsWith(".js")) {
+      const tsPath = await tryRealpathWithinBaseDir(normalizedPath.replace(/\.js$/, ".ts"));
+      if (tsPath) {
+        return tsPath;
+      }
+    }
+    if (normalizedPath.includes(".")) {
+      return void 0;
+    }
+    for (const candidatePath of [
+      `${normalizedPath}.ts`,
+      `${normalizedPath}.js`,
+      join(normalizedPath, "index.ts"),
+      join(normalizedPath, "index.js")
+    ]) {
+      const resolvedPath = await tryRealpathWithinBaseDir(candidatePath);
+      if (resolvedPath) {
+        return resolvedPath;
+      }
+    }
+    return void 0;
+  }
   function createDevServer(options) {
     const config = { ...defaultOptions, ...options };
     const wsClients = /* @__PURE__ */ new Set();
@@ -64121,6 +64231,7 @@ tell application "System Events" to get value of property list item "CFBundleNam
       const activeRoot = useFallbackRoot ? client.fallbackRoot || client.root : client.root;
       return {
         root: activeRoot,
+        fallbackRoot: useFallbackRoot ? void 0 : client.fallbackRoot,
         basePath,
         index: useFallbackRoot ? void 0 : indexPath,
         ssr: useFallbackRoot ? void 0 : client.ssr,
@@ -64222,75 +64333,26 @@ tell application "System Events" to get value of property list item "CFBundleNam
         return send403(res, "403 Forbidden");
       }
       normalizedPath = tempPath;
-      const rootDir = await realpath(resolve(matchedClient.root));
-      let baseDir = rootDir;
-      if (isDistRequest || isNodeModulesRequest) {
-        const targetDir = isDistRequest ? "dist" : "node_modules";
-        const foundDir = await findSpecialDir(matchedClient.root, targetDir);
-        baseDir = foundDir ? await realpath(foundDir) : rootDir;
-      }
       let fullPath;
-      try {
-        const unresolvedPath = resolve(join(baseDir, normalizedPath));
-        if (!unresolvedPath.startsWith(baseDir.endsWith(sep) ? baseDir : baseDir + sep)) {
-          if (config.logging) console.log(`[403] File access outside of root (before symlink): ${unresolvedPath}`);
-          return send403(res, "403 Forbidden");
-        }
-        fullPath = await realpath(unresolvedPath);
-        if (config.logging && filePath === "/src/pages") {
-          console.log(`[DEBUG] Initial resolve succeeded: ${fullPath}`);
-        }
-      } catch (firstError) {
-        let resolvedPath;
-        if (config.logging && !normalizedPath.includes(".")) {
-          console.log(`[DEBUG] File not found: ${normalizedPath}, trying extensions...`);
-        }
-        if (normalizedPath.endsWith(".js")) {
-          const tsPath = normalizedPath.replace(/\.js$/, ".ts");
-          try {
-            const tsFullPath = await realpath(resolve(join(baseDir, tsPath)));
-            if (!tsFullPath.startsWith(baseDir.endsWith(sep) ? baseDir : baseDir + sep)) {
-              if (config.logging) console.log(`[403] Fallback TS path outside of root: ${tsFullPath}`);
-              return send403(res, "403 Forbidden");
-            }
-            resolvedPath = tsFullPath;
-          } catch {
-          }
-        }
-        if (!resolvedPath && !normalizedPath.includes(".")) {
-          try {
-            resolvedPath = await realpath(resolve(join(baseDir, normalizedPath + ".ts")));
-            if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}.ts`);
-          } catch {
-            try {
-              resolvedPath = await realpath(resolve(join(baseDir, normalizedPath + ".js")));
-              if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}.js`);
-            } catch {
-              try {
-                resolvedPath = await realpath(resolve(join(baseDir, normalizedPath, "index.ts")));
-                if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}/index.ts`);
-              } catch {
-                try {
-                  resolvedPath = await realpath(resolve(join(baseDir, normalizedPath, "index.js")));
-                  if (config.logging) console.log(`[DEBUG] Found: ${normalizedPath}/index.js`);
-                } catch {
-                  if (config.logging) console.log(`[DEBUG] Not found: all attempts failed for ${normalizedPath}`);
-                }
-              }
-            }
+      const baseDirs = await getClientBaseDirs(matchedClient, isDistRequest, isNodeModulesRequest);
+      for (const baseDir of baseDirs) {
+        fullPath = await resolveClientPathFromBaseDir(baseDir, normalizedPath);
+        if (fullPath) {
+          if (config.logging && filePath === "/src/pages") {
+            console.log(`[DEBUG] Initial resolve succeeded: ${fullPath}`);
           }
+          break;
         }
-        if (!resolvedPath) {
-          if (!res.headersSent) {
-            if (filePath === "/index.html" && matchedClient.ssr) {
-              return await serveSSR(res, matchedClient);
-            }
-            if (config.logging) console.log(`[404] ${filePath}`);
-            return send404(res, "404 Not Found");
+      }
+      if (!fullPath) {
+        if (!res.headersSent) {
+          if (filePath === "/index.html" && matchedClient.ssr) {
+            return await serveSSR(res, matchedClient);
           }
-          return;
+          if (config.logging) console.log(`[404] ${filePath}`);
+          return send404(res, "404 Not Found");
         }
-        fullPath = resolvedPath;
+        return;
       }
       try {
         const stats = await stat(fullPath);
@@ -64319,11 +64381,12 @@ tell application "System Events" to get value of property list item "CFBundleNam
         return send404(res, "404 Not Found");
       }
       try {
+        const allowedRoots = await getAllowedClientRoots(matchedClient);
         const stats = await stat(fullPath);
         if (stats.isDirectory()) {
           try {
             const indexPath = await realpath(resolve(join(fullPath, "index.html")));
-            if (!indexPath.startsWith(rootDir + sep) && indexPath !== rootDir) {
+            if (!isPathWithinRoot(indexPath, fullPath) && !allowedRoots.some((rootDir) => isPathWithinRoot(indexPath, rootDir))) {
               return send403(res, "403 Forbidden");
             }
             await stat(indexPath);
@@ -64345,10 +64408,11 @@ tell application "System Events" to get value of property list item "CFBundleNam
         return input.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
       }
       try {
-        const rootDir = await realpath(resolve(client.root));
+        const allowedRoots = await getAllowedClientRoots(client);
+        const rootDir = allowedRoots[0] || await realpath(resolve(client.root));
         const unresolvedPath = resolve(filePath);
         if (!isNodeModulesOrDist) {
-          if (!unresolvedPath.startsWith(rootDir + sep) && unresolvedPath !== rootDir) {
+          if (!allowedRoots.some((allowedRoot) => isPathWithinRoot(unresolvedPath, allowedRoot))) {
             if (config.logging) console.log(`[403] Attempted to serve file outside allowed directories: ${filePath}`);
             return send403(res, "403 Forbidden");
           }