vite 2.6.11 → 2.6.12

package/dist/node/chunks/{dep-92cbd8f1.js → dep-81ddae5a.js}

@@ -4143,6 +4143,21 @@ function writeFile(filename, content) {
     }
     fs__default.writeFileSync(filename, content);
 }
+/**
+ * Use instead of fs.existsSync(filename)
+ * #2051 if we don't have read permission on a directory, existsSync() still
+ * works and will result in massively slow subsequent checks (which are
+ * unnecessary in the first place)
+ */
+function isFileReadable(filename) {
+    try {
+        fs__default.accessSync(filename, fs__default.constants.R_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Delete every file and subdirectory. **The given directory must exist.**
  * Pass an optional `skip` array to preserve files in the root directory.
@@ -20242,7 +20257,7 @@ async function compileCSS(id, code, config, urlReplacer, atImportResolvers, serv
         replacer: urlReplacer
     }));
     if (isModule) {
-        postcssPlugins.unshift((await Promise.resolve().then(function () { return require('./dep-536fbbdc.js'); }).then(function (n) { return n.index; })).default({
+        postcssPlugins.unshift((await Promise.resolve().then(function () { return require('./dep-822b9d02.js'); }).then(function (n) { return n.index; })).default({
             ...modulesOptions,
             getJSON(cssFileName, _modules, outputFileName) {
                 modules = _modules;
@@ -21207,7 +21222,7 @@ const assetAttrsConfig = {
 const isAsyncScriptMap = new WeakMap();
 async function traverseHtml(html, filePath, visitor) {
     // lazy load compiler
-    const { parse, transform } = await Promise.resolve().then(function () { return require('./dep-c5e7917e.js'); }).then(function (n) { return n.compilerDom_cjs; });
+    const { parse, transform } = await Promise.resolve().then(function () { return require('./dep-b0d06b66.js'); }).then(function (n) { return n.compilerDom_cjs; });
     // @vue/compiler-core doesn't like lowercase doctypes
     html = html.replace(/<!doctype\s/i, '<!DOCTYPE ');
     try {
@@ -29963,16 +29978,10 @@ function tryFsResolve(fsPath, options, preserveSymlinks, tryIndex = true, target
     }
 }
 function tryResolveFile(file, postfix, options, tryIndex, targetWeb, preserveSymlinks, tryPrefix, skipPackageJson) {
-    let isReadable = false;
-    try {
-        // #2051 if we don't have read permission on a directory, existsSync() still
-        // works and will result in massively slow subsequent checks (which are
-        // unnecessary in the first place)
-        fs__default.accessSync(file, fs__default.constants.R_OK);
-        isReadable = true;
-    }
-    catch (e) { }
-    if (isReadable) {
+    // #2051 if we don't have read permission on a directory, existsSync() still
+    // works and will result in massively slow subsequent checks (which are
+    // unnecessary in the first place)
+    if (isFileReadable(file)) {
         if (!fs__default.statSync(file).isDirectory()) {
             return getRealPath(file, preserveSymlinks) + postfix;
         }
@@ -42059,36 +42068,11 @@ function errorMiddleware(server, allowNext = false) {
             next();
         }
         else {
-            if (err instanceof AccessRestrictedError) {
-                res.statusCode = 403;
-                res.write(renderErrorHTML(err.message));
-                res.end();
-            }
             res.statusCode = 500;
             res.end();
         }
     };
 }
-class AccessRestrictedError extends Error {
-    constructor(msg) {
-        super(msg);
-    }
-}
-function renderErrorHTML(msg) {
-    // to have syntax highlighting and autocompletion in IDE
-    const html = String.raw;
-    return html `
-    <body>
-      <h1>403 Restricted</h1>
-      <p>${msg.replace(/\n/g, '<br/>')}</p>
-      <style>
-        body {
-          padding: 1em 2em;
-        }
-      </style>
-    </body>
-  `;
-}
 
 /**
  * This file is refactored into TypeScript based on
@@ -49054,7 +49038,7 @@ function readFileIfExists(value) {
  * https://github.com/webpack/webpack-dev-server/blob/master/LICENSE
  */
 async function createCertificate() {
-    const { generate } = await Promise.resolve().then(function () { return require('./dep-5031a88d.js'); }).then(function (n) { return n.index; });
+    const { generate } = await Promise.resolve().then(function () { return require('./dep-14140c42.js'); }).then(function (n) { return n.index; });
     const pems = generate(null, {
         algorithm: 'sha256',
         days: 30,
@@ -56580,11 +56564,13 @@ function serveStaticMiddleware(dir, server) {
     const serve = sirv(dir, sirvOptions);
     // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
     return function viteServeStaticMiddleware(req, res, next) {
-        // only serve the file if it's not an html request
+        // only serve the file if it's not an html request or ends with `/`
         // so that html requests can fallthrough to our html middleware for
         // special processing
         // also skip internal requests `/@fs/ /@vite-client` etc...
-        if (path__default.extname(cleanUrl(req.url)) === '.html' ||
+        const cleanedUrl = cleanUrl(req.url);
+        if (cleanedUrl.endsWith('/') ||
+            path__default.extname(cleanedUrl) === '.html' ||
             isInternalRequest(req.url)) {
             return next();
         }
@@ -56609,7 +56595,9 @@ function serveStaticMiddleware(dir, server) {
         if (resolvedUrl.endsWith('/') && !fileUrl.endsWith('/')) {
             fileUrl = fileUrl + '/';
         }
-        ensureServingAccess(fileUrl, server);
+        if (!ensureServingAccess(fileUrl, server, res, next)) {
+            return;
+        }
         if (redirected) {
             req.url = redirected;
         }
@@ -56627,7 +56615,9 @@ function serveRawFsMiddleware(server) {
         // searching based from fs root.
         if (url.startsWith(FS_PREFIX)) {
             // restrict files outside of `fs.allow`
-            ensureServingAccess(slash$3(path__default.resolve(fsPathFromId(url))), server);
+            if (!ensureServingAccess(slash$3(path__default.resolve(fsPathFromId(url))), server, res, next)) {
+                return;
+            }
             url = url.slice(FS_PREFIX.length);
             if (isWindows$4)
                 url = url.replace(/^[A-Z]:/i, '');
@@ -56643,29 +56633,60 @@ function isFileServingAllowed(url, server) {
     // explicitly disabled
     if (server.config.server.fs.strict === false)
         return true;
-    const file = ensureLeadingSlash(normalizePath$4(cleanUrl(url)));
+    const cleanedUrl = cleanUrl(url);
+    const file = ensureLeadingSlash(normalizePath$4(cleanedUrl));
     if (server.moduleGraph.safeModulesPath.has(file))
         return true;
     if (server.config.server.fs.allow.some((i) => file.startsWith(i + '/')))
         return true;
     if (!server.config.server.fs.strict) {
-        server.config.logger.warnOnce(`Unrestricted file system access to "${url}"`);
-        server.config.logger.warnOnce(`For security concerns, accessing files outside of serving allow list will ` +
-            `be restricted by default in the future version of Vite. ` +
-            `Refer to https://vitejs.dev/config/#server-fs-allow for more details.`);
+        if (isFileReadable(cleanedUrl)) {
+            server.config.logger.warnOnce(`Unrestricted file system access to "${url}"`);
+            server.config.logger.warnOnce(`For security concerns, accessing files outside of serving allow list will ` +
+                `be restricted by default in the future version of Vite. ` +
+                `Refer to https://vitejs.dev/config/#server-fs-allow for more details.`);
+        }
         return true;
     }
     return false;
 }
-function ensureServingAccess(url, server) {
-    if (!isFileServingAllowed(url, server)) {
-        const allow = server.config.server.fs.allow;
-        throw new AccessRestrictedError(`The request url "${url}" is outside of Vite serving allow list:
-
-${allow.map((i) => `- ${i}`).join('\n')}
+function ensureServingAccess(url, server, res, next) {
+    if (isFileServingAllowed(url, server)) {
+        return true;
+    }
+    if (isFileReadable(cleanUrl(url))) {
+        const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`;
+        const hintMessage = `
+${server.config.server.fs.allow.map((i) => `- ${i}`).join('\n')}
 
-Refer to docs https://vitejs.dev/config/#server-fs-allow for configurations and more details.`);
+Refer to docs https://vitejs.dev/config/#server-fs-allow for configurations and more details.`;
+        server.config.logger.error(urlMessage);
+        server.config.logger.warnOnce(hintMessage + '\n');
+        res.statusCode = 403;
+        res.write(renderRestrictedErrorHTML(urlMessage + '\n' + hintMessage));
+        res.end();
     }
+    else {
+        // if the file doesn't exist, we shouldn't restrict this path as it can
+        // be an API call. Middlewares would issue a 404 if the file isn't handled
+        next();
+    }
+    return false;
+}
+function renderRestrictedErrorHTML(msg) {
+    // to have syntax highlighting and autocompletion in IDE
+    const html = String.raw;
+    return html `
+    <body>
+      <h1>403 Restricted</h1>
+      <p>${msg.replace(/\n/g, '<br/>')}</p>
+      <style>
+        body {
+          padding: 1em 2em;
+        }
+      </style>
+    </body>
+  `;
 }
 
 const debugLoad = createDebugger('vite:load');
@@ -66634,10 +66655,7 @@ const ROOT_FILES = [
 // yarn: https://classic.yarnpkg.com/en/docs/workspaces/#toc-how-to-use-it
 function hasWorkspacePackageJSON(root) {
     const path = path$t.join(root, 'package.json');
-    try {
-        fs__default.accessSync(path, fs__default.constants.R_OK);
-    }
-    catch {
+    if (!isFileReadable(path)) {
         return false;
     }
     const content = JSON.parse(fs__default.readFileSync(path, 'utf-8')) || {};
@@ -92068,4 +92086,4 @@ exports.send = send$1;
 exports.sortUserPlugins = sortUserPlugins;
 exports.source = source;
 exports.transformWithEsbuild = transformWithEsbuild;
-//# sourceMappingURL=dep-92cbd8f1.js.map
+//# sourceMappingURL=dep-81ddae5a.js.map