vite 4.5.13 → 4.5.14

package/dist/node/chunks/{dep-6e2b5186.js → dep-7ec6f216.js}

@@ -1,4 +1,4 @@
-import { E as getDefaultExportFromCjs } from './dep-42dae6ba.js';
+import { F as getDefaultExportFromCjs } from './dep-827b23df.js';
 import require$$0 from 'path';
 import require$$0__default from 'fs';
 import { l as lib } from './dep-c423598f.js';

package/dist/node/chunks/{dep-42dae6ba.js → dep-827b23df.js}

@@ -38995,8 +38995,8 @@ function createCachedImport(imp) {
         return cached;
     };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-6e2b5186.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-e967375e.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-7ec6f216.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-f1e8587f.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 /**
  * @experimental
@@ -47624,7 +47624,8 @@ function escapeHtml$1(string) {
 var escapeHtml$2 = /*@__PURE__*/getDefaultExportFromCjs(escapeHtml_1);
 
 const knownJavascriptExtensionRE = /\.[tj]sx?$/;
-const sirvOptions = ({ headers, shouldServe, }) => {
+const ERR_DENIED_FILE = 'ERR_DENIED_FILE';
+const sirvOptions = ({ server, headers, shouldServe, disableFsServeCheck, }) => {
     return {
         dev: true,
         etag: true,
@@ -47644,13 +47645,32 @@ const sirvOptions = ({ headers, shouldServe, }) => {
                 }
             }
         },
-        shouldServe,
+        shouldServe: disableFsServeCheck
+            ? shouldServe
+            : (filePath) => {
+                const servingAccessResult = checkLoadingAccess(server, filePath);
+                if (servingAccessResult === 'denied') {
+                    const error = new Error('denied access');
+                    error.code = ERR_DENIED_FILE;
+                    error.path = filePath;
+                    throw error;
+                }
+                if (servingAccessResult === 'fallback') {
+                    return false;
+                }
+                if (shouldServe) {
+                    return shouldServe(filePath);
+                }
+                return true;
+            },
     };
 };
-function servePublicMiddleware(dir, headers) {
+function servePublicMiddleware(dir, server, headers) {
     const serve = sirv(dir, sirvOptions({
+        server,
         headers,
         shouldServe: (filePath) => shouldServeFile(filePath, dir),
+        disableFsServeCheck: true,
     }));
     // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
     return function viteServePublicMiddleware(req, res, next) {
@@ -47663,6 +47683,7 @@ function servePublicMiddleware(dir, headers) {
 }
 function serveStaticMiddleware(dir, server) {
     const serve = sirv(dir, sirvOptions({
+        server,
         headers: server.config.server.headers,
     }));
     // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
@@ -47697,23 +47718,28 @@ function serveStaticMiddleware(dir, server) {
             }
         }
         const resolvedPathname = redirectedPathname || pathname;
-        let fileUrl = path$o.resolve(dir, removeLeadingSlash(resolvedPathname));
-        if (resolvedPathname[resolvedPathname.length - 1] === '/' &&
-            fileUrl[fileUrl.length - 1] !== '/') {
-            fileUrl = withTrailingSlash(fileUrl);
-        }
-        if (!ensureServingAccess(fileUrl, server, res, next)) {
-            return;
-        }
+        path$o.resolve(dir, removeLeadingSlash(resolvedPathname));
         if (redirectedPathname) {
             url.pathname = encodeURI(redirectedPathname);
             req.url = url.href.slice(url.origin.length);
         }
-        serve(req, res, next);
+        try {
+            serve(req, res, next);
+        }
+        catch (e) {
+            if (e && 'code' in e && e.code === ERR_DENIED_FILE) {
+                respondWithAccessDenied(e.path, server, res);
+                return;
+            }
+            throw e;
+        }
     };
 }
 function serveRawFsMiddleware(server) {
-    const serveFromRoot = sirv('/', sirvOptions({ headers: server.config.server.headers }));
+    const serveFromRoot = sirv('/', sirvOptions({
+        server,
+        headers: server.config.server.headers,
+    }));
     // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
     return function viteServeRawFsMiddleware(req, res, next) {
         const url = new URL(req.url.replace(/^\/{2,}/, '/'), 'http://example.com');
@@ -47723,16 +47749,21 @@ function serveRawFsMiddleware(server) {
         // searching based from fs root.
         if (url.pathname.startsWith(FS_PREFIX)) {
             const pathname = decodeURI(url.pathname);
-            // restrict files outside of `fs.allow`
-            if (!ensureServingAccess(slash$1(path$o.resolve(fsPathFromId(pathname))), server, res, next)) {
-                return;
-            }
             let newPathname = pathname.slice(FS_PREFIX.length);
             if (isWindows$4)
                 newPathname = newPathname.replace(/^[A-Z]:/i, '');
             url.pathname = encodeURI(newPathname);
             req.url = url.href.slice(url.origin.length);
-            serveFromRoot(req, res, next);
+            try {
+                serveFromRoot(req, res, next);
+            }
+            catch (e) {
+                if (e && 'code' in e && e.code === ERR_DENIED_FILE) {
+                    respondWithAccessDenied(e.path, server, res);
+                    return;
+                }
+                throw e;
+            }
         }
         else {
             next();
@@ -47741,41 +47772,62 @@ function serveRawFsMiddleware(server) {
 }
 /**
  * Check if the url is allowed to be served, via the `server.fs` config.
+ * @deprecated Use the `isFileLoadingAllowed` function instead.
  */
 function isFileServingAllowed(url, server) {
     if (!server.config.server.fs.strict)
         return true;
-    const file = fsPathFromUrl(url);
-    if (server._fsDenyGlob(file))
+    const filePath = fsPathFromUrl(url);
+    return isFileLoadingAllowed(server, filePath);
+}
+function isUriInFilePath(uri, filePath) {
+    return isSameFileUri(uri, filePath) || isParentDirectory(uri, filePath);
+}
+function isFileLoadingAllowed(server, filePath) {
+    const { fs } = server.config.server;
+    if (!fs.strict)
+        return true;
+    if (server._fsDenyGlob(filePath))
         return false;
-    if (server.moduleGraph.safeModulesPath.has(file))
+    if (server.moduleGraph.safeModulesPath.has(filePath))
         return true;
-    if (server.config.server.fs.allow.some((uri) => isSameFileUri(uri, file) || isParentDirectory(uri, file)))
+    if (fs.allow.some((uri) => isUriInFilePath(uri, filePath)))
         return true;
     return false;
 }
-function ensureServingAccess(url, server, res, next) {
+function checkLoadingAccess(server, path) {
+    if (isFileLoadingAllowed(server, slash$1(path))) {
+        return 'allowed';
+    }
+    if (isFileReadable(path)) {
+        return 'denied';
+    }
+    // if the file doesn't exist, we shouldn't restrict this path as it can
+    // be an API call. Middlewares would issue a 404 if the file isn't handled
+    return 'fallback';
+}
+function checkServingAccess(url, server) {
     if (isFileServingAllowed(url, server)) {
-        return true;
+        return 'allowed';
     }
     if (isFileReadable(cleanUrl(url))) {
-        const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`;
-        const hintMessage = `
+        return 'denied';
+    }
+    // if the file doesn't exist, we shouldn't restrict this path as it can
+    // be an API call. Middlewares would issue a 404 if the file isn't handled
+    return 'fallback';
+}
+function respondWithAccessDenied(url, server, res) {
+    const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`;
+    const hintMessage = `
 ${server.config.server.fs.allow.map((i) => `- ${i}`).join('\n')}
 
 Refer to docs https://vitejs.dev/config/server-options.html#server-fs-allow for configurations and more details.`;
-        server.config.logger.error(urlMessage);
-        server.config.logger.warnOnce(hintMessage + '\n');
-        res.statusCode = 403;
-        res.write(renderRestrictedErrorHTML(urlMessage + '\n' + hintMessage));
-        res.end();
-    }
-    else {
-        // if the file doesn't exist, we shouldn't restrict this path as it can
-        // be an API call. Middlewares would issue a 404 if the file isn't handled
-        next();
-    }
-    return false;
+    server.config.logger.error(urlMessage);
+    server.config.logger.warnOnce(hintMessage + '\n');
+    res.statusCode = 403;
+    res.write(renderRestrictedErrorHTML(urlMessage + '\n' + hintMessage));
+    res.end();
 }
 function renderRestrictedErrorHTML(msg) {
     // to have syntax highlighting and autocompletion in IDE
@@ -64503,11 +64555,21 @@ const rawRE = /[?&]raw\b/;
 const inlineRE = /[?&]inline\b/;
 const svgRE = /\.svg\b/;
 function deniedServingAccessForTransform(url, server, res, next) {
-    return ((rawRE.test(url) ||
+    if (rawRE.test(url) ||
         urlRE.test(url) ||
         inlineRE.test(url) ||
-        svgRE.test(url)) &&
-        !ensureServingAccess(url, server, res, next));
+        svgRE.test(url)) {
+        const servingAccessResult = checkServingAccess(url, server);
+        if (servingAccessResult === 'denied') {
+            respondWithAccessDenied(url, server, res);
+            return true;
+        }
+        if (servingAccessResult === 'fallback') {
+            next();
+            return true;
+        }
+    }
+    return false;
 }
 function transformMiddleware(server) {
     const { config: { root, logger }, moduleGraph, } = server;
@@ -65532,7 +65594,7 @@ async function _createServer(inlineConfig = {}, options) {
     // this applies before the transform middleware so that these files are served
     // as-is without transforms.
     if (config.publicDir) {
-        middlewares.use(servePublicMiddleware(config.publicDir, config.server.headers));
+        middlewares.use(servePublicMiddleware(config.publicDir, server, config.server.headers));
     }
     // main transform middleware
     middlewares.use(transformMiddleware(server));
@@ -66648,4 +66710,4 @@ function isDepsOptimizerEnabled(config, ssr) {
         (command === 'serve' && disabled === 'dev'));
 }
 
-export { loadEnv as A, resolveEnvPrefix as B, colors$1 as C, bindShortcuts as D, getDefaultExportFromCjs as E, commonjsGlobal as F, index$1 as G, build$1 as H, index as I, preview$1 as J, preprocessCSS as a, build as b, createServer as c, resolvePackageData as d, buildErrorMessage as e, formatPostcssSourceMap as f, defineConfig as g, resolveConfig as h, isInNodeModules as i, resolveBaseUrl as j, getDepOptimizationConfig as k, loadConfigFromFile as l, isDepsOptimizerEnabled as m, normalizePath$3 as n, optimizeDeps as o, preview as p, mergeConfig as q, resolvePackageEntry as r, sortUserPlugins as s, transformWithEsbuild as t, mergeAlias as u, createFilter as v, send$2 as w, createLogger as x, searchForWorkspaceRoot as y, isFileServingAllowed as z };
+export { isFileLoadingAllowed as A, loadEnv as B, resolveEnvPrefix as C, colors$1 as D, bindShortcuts as E, getDefaultExportFromCjs as F, commonjsGlobal as G, index$1 as H, build$1 as I, index as J, preview$1 as K, preprocessCSS as a, build as b, createServer as c, resolvePackageData as d, buildErrorMessage as e, formatPostcssSourceMap as f, defineConfig as g, resolveConfig as h, isInNodeModules as i, resolveBaseUrl as j, getDepOptimizationConfig as k, loadConfigFromFile as l, isDepsOptimizerEnabled as m, normalizePath$3 as n, optimizeDeps as o, preview as p, mergeConfig as q, resolvePackageEntry as r, sortUserPlugins as s, transformWithEsbuild as t, mergeAlias as u, createFilter as v, send$2 as w, createLogger as x, searchForWorkspaceRoot as y, isFileServingAllowed as z };

package/dist/node/chunks/{dep-e967375e.js → dep-f1e8587f.js}

@@ -1,4 +1,4 @@
-import { F as commonjsGlobal, E as getDefaultExportFromCjs } from './dep-42dae6ba.js';
+import { G as commonjsGlobal, F as getDefaultExportFromCjs } from './dep-827b23df.js';
 import require$$0__default from 'fs';
 import require$$0 from 'postcss';
 import require$$0$1 from 'path';

package/dist/node/cli.js

@@ -2,7 +2,7 @@ import path from 'node:path';
 import fs from 'node:fs';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'events';
-import { C as colors, D as bindShortcuts, x as createLogger, h as resolveConfig } from './chunks/dep-42dae6ba.js';
+import { D as colors, E as bindShortcuts, x as createLogger, h as resolveConfig } from './chunks/dep-827b23df.js';
 import { VERSION } from './constants.js';
 import 'node:fs/promises';
 import 'node:url';
@@ -759,7 +759,7 @@ cli
     filterDuplicateOptions(options);
     // output structure is preserved even after bundling so require()
     // is ok here
-    const { createServer } = await import('./chunks/dep-42dae6ba.js').then(function (n) { return n.I; });
+    const { createServer } = await import('./chunks/dep-827b23df.js').then(function (n) { return n.J; });
     try {
         const server = await createServer({
             root,
@@ -837,7 +837,7 @@ cli
     .option('-w, --watch', `[boolean] rebuilds when modules have changed on disk`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { build } = await import('./chunks/dep-42dae6ba.js').then(function (n) { return n.H; });
+    const { build } = await import('./chunks/dep-827b23df.js').then(function (n) { return n.I; });
     const buildOptions = cleanOptions(options);
     try {
         await build({
@@ -865,7 +865,7 @@ cli
     .option('--force', `[boolean] force the optimizer to ignore the cache and re-bundle`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { optimizeDeps } = await import('./chunks/dep-42dae6ba.js').then(function (n) { return n.G; });
+    const { optimizeDeps } = await import('./chunks/dep-827b23df.js').then(function (n) { return n.H; });
     try {
         const config = await resolveConfig({
             root,
@@ -892,7 +892,7 @@ cli
     .option('--outDir <dir>', `[string] output directory (default: dist)`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { preview } = await import('./chunks/dep-42dae6ba.js').then(function (n) { return n.J; });
+    const { preview } = await import('./chunks/dep-827b23df.js').then(function (n) { return n.K; });
     try {
         const server = await preview({
             root,

package/dist/node/index.d.ts

@@ -1290,8 +1290,11 @@ export declare const isCSSRequest: (request: string) => boolean;
 
 export declare function isDepsOptimizerEnabled(config: ResolvedConfig, ssr: boolean): boolean;
 
+export declare function isFileLoadingAllowed(server: ViteDevServer, filePath: string): boolean;
+
 /**
  * Check if the url is allowed to be served, via the `server.fs` config.
+ * @deprecated Use the `isFileLoadingAllowed` function instead.
  */
 export declare function isFileServingAllowed(url: string, server: ViteDevServer): boolean;
 

package/dist/node/index.js

@@ -1,5 +1,5 @@
-import { i as isInNodeModules } from './chunks/dep-42dae6ba.js';
-export { b as build, e as buildErrorMessage, v as createFilter, x as createLogger, c as createServer, g as defineConfig, f as formatPostcssSourceMap, k as getDepOptimizationConfig, m as isDepsOptimizerEnabled, z as isFileServingAllowed, l as loadConfigFromFile, A as loadEnv, u as mergeAlias, q as mergeConfig, n as normalizePath, o as optimizeDeps, a as preprocessCSS, p as preview, j as resolveBaseUrl, h as resolveConfig, B as resolveEnvPrefix, d as resolvePackageData, r as resolvePackageEntry, y as searchForWorkspaceRoot, w as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-42dae6ba.js';
+import { i as isInNodeModules } from './chunks/dep-827b23df.js';
+export { b as build, e as buildErrorMessage, v as createFilter, x as createLogger, c as createServer, g as defineConfig, f as formatPostcssSourceMap, k as getDepOptimizationConfig, m as isDepsOptimizerEnabled, A as isFileLoadingAllowed, z as isFileServingAllowed, l as loadConfigFromFile, B as loadEnv, u as mergeAlias, q as mergeConfig, n as normalizePath, o as optimizeDeps, a as preprocessCSS, p as preview, j as resolveBaseUrl, h as resolveConfig, C as resolveEnvPrefix, d as resolvePackageData, r as resolvePackageEntry, y as searchForWorkspaceRoot, w as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-827b23df.js';
 export { VERSION as version } from './constants.js';
 export { version as esbuildVersion } from 'esbuild';
 export { VERSION as rollupVersion } from 'rollup';

package/dist/node-cjs/publicUtils.cjs

@@ -3995,16 +3995,26 @@ function searchForWorkspaceRoot(current, root = searchForPackageRoot(current)) {
 
 /**
  * Check if the url is allowed to be served, via the `server.fs` config.
+ * @deprecated Use the `isFileLoadingAllowed` function instead.
  */
 function isFileServingAllowed(url, server) {
     if (!server.config.server.fs.strict)
         return true;
-    const file = fsPathFromUrl(url);
-    if (server._fsDenyGlob(file))
+    const filePath = fsPathFromUrl(url);
+    return isFileLoadingAllowed(server, filePath);
+}
+function isUriInFilePath(uri, filePath) {
+    return isSameFileUri(uri, filePath) || isParentDirectory(uri, filePath);
+}
+function isFileLoadingAllowed(server, filePath) {
+    const { fs } = server.config.server;
+    if (!fs.strict)
+        return true;
+    if (server._fsDenyGlob(filePath))
         return false;
-    if (server.moduleGraph.safeModulesPath.has(file))
+    if (server.moduleGraph.safeModulesPath.has(filePath))
         return true;
-    if (server.config.server.fs.allow.some((uri) => isSameFileUri(uri, file) || isParentDirectory(uri, file)))
+    if (fs.allow.some((uri) => isUriInFilePath(uri, filePath)))
         return true;
     return false;
 }
@@ -4531,6 +4541,7 @@ exports.rollupVersion = rollup.VERSION;
 exports.createFilter = createFilter;
 exports.createLogger = createLogger;
 exports.isCSSRequest = isCSSRequest;
+exports.isFileLoadingAllowed = isFileLoadingAllowed;
 exports.isFileServingAllowed = isFileServingAllowed;
 exports.loadEnv = loadEnv;
 exports.mergeAlias = mergeAlias;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "4.5.13",
+  "version": "4.5.14",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",