vite 4.5.7 → 4.5.9

package/dist/node/chunks/{dep-9c3982ed.js → dep-3936e161.js}

@@ -23,7 +23,7 @@ import require$$2$1 from 'child_process';
 import os$4 from 'node:os';
 import { exec } from 'node:child_process';
 import { promises } from 'node:dns';
-import { CLIENT_ENTRY, OPTIMIZABLE_ENTRY_RE, wildcardHosts, loopbackHosts, VALID_ID_PREFIX, NULL_BYTE_PLACEHOLDER, FS_PREFIX, CLIENT_PUBLIC_PATH, ENV_PUBLIC_PATH, ENV_ENTRY, DEP_VERSION_RE, DEFAULT_MAIN_FIELDS, DEFAULT_EXTENSIONS as DEFAULT_EXTENSIONS$1, SPECIAL_QUERY_RE, CSS_LANGS_RE, ESBUILD_MODULES_TARGET, KNOWN_ASSET_TYPES, CLIENT_DIR, JS_TYPES_RE, VERSION as VERSION$1, VITE_PACKAGE_DIR, DEFAULT_DEV_PORT, DEFAULT_PREVIEW_PORT, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES } from '../constants.js';
+import { CLIENT_ENTRY, OPTIMIZABLE_ENTRY_RE, wildcardHosts, loopbackHosts, VALID_ID_PREFIX, NULL_BYTE_PLACEHOLDER, FS_PREFIX, CLIENT_PUBLIC_PATH, ENV_PUBLIC_PATH, ENV_ENTRY, DEP_VERSION_RE, DEFAULT_MAIN_FIELDS, DEFAULT_EXTENSIONS as DEFAULT_EXTENSIONS$1, SPECIAL_QUERY_RE, CSS_LANGS_RE, ESBUILD_MODULES_TARGET, KNOWN_ASSET_TYPES, CLIENT_DIR, JS_TYPES_RE, VERSION as VERSION$1, VITE_PACKAGE_DIR, defaultAllowedOrigins, DEFAULT_DEV_PORT, DEFAULT_PREVIEW_PORT, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES } from '../constants.js';
 import require$$3$1 from 'crypto';
 import { Buffer as Buffer$1 } from 'node:buffer';
 import require$$0$8, { createRequire as createRequire$2 } from 'module';
@@ -38995,8 +38995,8 @@ function createCachedImport(imp) {
         return cached;
     };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-ba729824.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-f6eb8138.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-8defca0d.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-4e2b6ecb.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 /**
  * @experimental
@@ -61749,7 +61749,8 @@ function abortHandshakeOrEmitwsClientError(server, req, socket, code, message) {
 
 var WebSocketServerRaw_ = /*@__PURE__*/getDefaultExportFromCjs(websocketServer);
 
-const allowedHostsCache = new WeakMap();
+const allowedHostsServerCache = new WeakMap();
+const allowedHostsPreviewCache = new WeakMap();
 const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i;
 function getAdditionalAllowedHosts(resolvedServerOptions, resolvedPreviewOptions) {
     const list = [];
@@ -61770,8 +61771,13 @@ function getAdditionalAllowedHosts(resolvedServerOptions, resolvedPreviewOptions
     // allow server origin by default as that indicates that the user is
     // expecting Vite to respond on that host
     if (resolvedServerOptions.origin) {
-        const serverOriginUrl = new URL(resolvedServerOptions.origin);
-        list.push(serverOriginUrl.hostname);
+        // some frameworks may pass the origin as a placeholder, so it's not
+        // possible to parse as URL, so use a try-catch here as a best effort
+        try {
+            const serverOriginUrl = new URL(resolvedServerOptions.origin);
+            list.push(serverOriginUrl.hostname);
+        }
+        catch { }
     }
     return list;
 }
@@ -61828,37 +61834,43 @@ function isHostAllowedWithoutCache(allowedHosts, additionalAllowedHosts, host) {
 }
 /**
  * @param config resolved config
+ * @param isPreview whether it's for the preview server or not
  * @param host the value of host header. See [RFC 9110 7.2](https://datatracker.ietf.org/doc/html/rfc9110#name-host-and-authority).
  */
-function isHostAllowed(config, host) {
-    if (config.server.allowedHosts === true) {
+function isHostAllowed(config, isPreview, host) {
+    const allowedHosts = isPreview
+        ? config.preview.allowedHosts
+        : config.server.allowedHosts;
+    if (allowedHosts === true) {
         return true;
     }
-    if (!allowedHostsCache.has(config)) {
-        allowedHostsCache.set(config, new Set());
+    const cache = isPreview ? allowedHostsPreviewCache : allowedHostsServerCache;
+    if (!cache.has(config)) {
+        cache.set(config, new Set());
     }
-    const allowedHosts = allowedHostsCache.get(config);
-    if (allowedHosts.has(host)) {
+    const cachedAllowedHosts = cache.get(config);
+    if (cachedAllowedHosts.has(host)) {
         return true;
     }
-    const result = isHostAllowedWithoutCache(config.server.allowedHosts ?? [], config.additionalAllowedHosts, host);
+    const result = isHostAllowedWithoutCache(allowedHosts ?? [], config.additionalAllowedHosts, host);
     if (result) {
-        allowedHosts.add(host);
+        cachedAllowedHosts.add(host);
     }
     return result;
 }
-function hostCheckMiddleware(config) {
+function hostCheckMiddleware(config, isPreview) {
     // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
     return function viteHostCheckMiddleware(req, res, next) {
         const hostHeader = req.headers.host;
-        if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+        if (!hostHeader || !isHostAllowed(config, isPreview, hostHeader)) {
             const hostname = hostHeader?.replace(/:\d+$/, '');
             const hostnameWithQuotes = JSON.stringify(hostname);
+            const optionName = `${isPreview ? 'preview' : 'server'}.allowedHosts`;
             res.writeHead(403, {
                 'Content-Type': 'text/plain',
             });
             res.end(`Blocked request. This host (${hostnameWithQuotes}) is not allowed.\n` +
-                `To allow this host, add ${hostnameWithQuotes} to \`server.allowedHosts\` in vite.config.js.`);
+                `To allow this host, add ${hostnameWithQuotes} to \`${optionName}\` in vite.config.js.`);
             return;
         }
         return next();
@@ -61915,7 +61927,7 @@ function createWebSocketServer(server, config, httpsOptions) {
     const host = (hmr && hmr.host) || undefined;
     const shouldHandle = (req) => {
         const hostHeader = req.headers.host;
-        if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+        if (!hostHeader || !isHostAllowed(config, false, hostHeader)) {
             return false;
         }
         if (config.legacy?.skipWebSocketTokenCheck) {
@@ -65436,14 +65448,16 @@ async function _createServer(inlineConfig = {}, options) {
     }
     // cors
     const { cors } = serverConfig;
-    if (cors !== undefined && cors !== false) {
-        middlewares.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors));
+    if (cors !== false) {
+        middlewares.use(corsMiddleware(typeof cors === 'boolean'
+            ? {}
+            : cors ?? { origin: defaultAllowedOrigins }));
     }
     // host check (to prevent DNS rebinding attacks)
     const { allowedHosts } = serverConfig;
     // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
     if (allowedHosts !== true && !serverConfig.https) {
-        middlewares.use(hostCheckMiddleware(config));
+        middlewares.use(hostCheckMiddleware(config, false));
     }
     // proxy
     const { proxy } = serverConfig;
@@ -65863,14 +65877,16 @@ async function preview(inlineConfig = {}) {
     }
     // cors
     const { cors } = config.preview;
-    if (cors !== undefined && cors !== false) {
-        app.use(corsMiddleware(typeof cors === 'boolean' ? {} : cors));
+    if (cors !== false) {
+        app.use(corsMiddleware(typeof cors === 'boolean'
+            ? {}
+            : cors ?? { origin: defaultAllowedOrigins }));
     }
     // host check (to prevent DNS rebinding attacks)
     const { allowedHosts } = config.preview;
     // no need to check for HTTPS as HTTPS is not vulnerable to DNS rebinding attacks
     if (allowedHosts !== true && !config.preview.https) {
-        app.use(hostCheckMiddleware(config));
+        app.use(hostCheckMiddleware(config, true));
     }
     // proxy
     const { proxy } = config.preview;

package/dist/node/chunks/{dep-f6eb8138.js → dep-4e2b6ecb.js}

@@ -1,4 +1,4 @@
-import { F as commonjsGlobal, E as getDefaultExportFromCjs } from './dep-9c3982ed.js';
+import { F as commonjsGlobal, E as getDefaultExportFromCjs } from './dep-3936e161.js';
 import require$$0__default from 'fs';
 import require$$0 from 'postcss';
 import require$$0$1 from 'path';

package/dist/node/chunks/{dep-ba729824.js → dep-8defca0d.js}

@@ -1,4 +1,4 @@
-import { E as getDefaultExportFromCjs } from './dep-9c3982ed.js';
+import { E as getDefaultExportFromCjs } from './dep-3936e161.js';
 import require$$0 from 'path';
 import require$$0__default from 'fs';
 import { l as lib } from './dep-c423598f.js';

package/dist/node/cli.js

@@ -2,7 +2,7 @@ import path from 'node:path';
 import fs from 'node:fs';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'events';
-import { C as colors, D as bindShortcuts, x as createLogger, h as resolveConfig } from './chunks/dep-9c3982ed.js';
+import { C as colors, D as bindShortcuts, x as createLogger, h as resolveConfig } from './chunks/dep-3936e161.js';
 import { VERSION } from './constants.js';
 import 'node:fs/promises';
 import 'node:url';
@@ -759,7 +759,7 @@ cli
     filterDuplicateOptions(options);
     // output structure is preserved even after bundling so require()
     // is ok here
-    const { createServer } = await import('./chunks/dep-9c3982ed.js').then(function (n) { return n.I; });
+    const { createServer } = await import('./chunks/dep-3936e161.js').then(function (n) { return n.I; });
     try {
         const server = await createServer({
             root,
@@ -837,7 +837,7 @@ cli
     .option('-w, --watch', `[boolean] rebuilds when modules have changed on disk`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { build } = await import('./chunks/dep-9c3982ed.js').then(function (n) { return n.H; });
+    const { build } = await import('./chunks/dep-3936e161.js').then(function (n) { return n.H; });
     const buildOptions = cleanOptions(options);
     try {
         await build({
@@ -865,7 +865,7 @@ cli
     .option('--force', `[boolean] force the optimizer to ignore the cache and re-bundle`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { optimizeDeps } = await import('./chunks/dep-9c3982ed.js').then(function (n) { return n.G; });
+    const { optimizeDeps } = await import('./chunks/dep-3936e161.js').then(function (n) { return n.G; });
     try {
         const config = await resolveConfig({
             root,
@@ -892,7 +892,7 @@ cli
     .option('--outDir <dir>', `[string] output directory (default: dist)`)
     .action(async (root, options) => {
     filterDuplicateOptions(options);
-    const { preview } = await import('./chunks/dep-9c3982ed.js').then(function (n) { return n.J; });
+    const { preview } = await import('./chunks/dep-3936e161.js').then(function (n) { return n.J; });
     try {
         const server = await preview({
             root,

package/dist/node/constants.js

@@ -121,5 +121,10 @@ const wildcardHosts = new Set([
 ]);
 const DEFAULT_DEV_PORT = 5173;
 const DEFAULT_PREVIEW_PORT = 4173;
+// the regex to allow loopback address origins:
+// - localhost domains (which will always resolve to the loopback address by RFC 6761 section 6.3)
+// - 127.0.0.1
+// - ::1
+const defaultAllowedOrigins = /^https?:\/\/(?:(?:[^:]+\.)?localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/;
 
-export { CLIENT_DIR, CLIENT_ENTRY, CLIENT_PUBLIC_PATH, CSS_LANGS_RE, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES, DEFAULT_DEV_PORT, DEFAULT_EXTENSIONS, DEFAULT_MAIN_FIELDS, DEFAULT_PREVIEW_PORT, DEP_VERSION_RE, ENV_ENTRY, ENV_PUBLIC_PATH, ESBUILD_MODULES_TARGET, FS_PREFIX, JS_TYPES_RE, KNOWN_ASSET_TYPES, NULL_BYTE_PLACEHOLDER, OPTIMIZABLE_ENTRY_RE, SPECIAL_QUERY_RE, VALID_ID_PREFIX, VERSION, VITE_PACKAGE_DIR, loopbackHosts, wildcardHosts };
+export { CLIENT_DIR, CLIENT_ENTRY, CLIENT_PUBLIC_PATH, CSS_LANGS_RE, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES, DEFAULT_DEV_PORT, DEFAULT_EXTENSIONS, DEFAULT_MAIN_FIELDS, DEFAULT_PREVIEW_PORT, DEP_VERSION_RE, ENV_ENTRY, ENV_PUBLIC_PATH, ESBUILD_MODULES_TARGET, FS_PREFIX, JS_TYPES_RE, KNOWN_ASSET_TYPES, NULL_BYTE_PLACEHOLDER, OPTIMIZABLE_ENTRY_RE, SPECIAL_QUERY_RE, VALID_ID_PREFIX, VERSION, VITE_PACKAGE_DIR, defaultAllowedOrigins, loopbackHosts, wildcardHosts };

package/dist/node/index.js

@@ -1,5 +1,5 @@
-import { i as isInNodeModules } from './chunks/dep-9c3982ed.js';
-export { b as build, e as buildErrorMessage, v as createFilter, x as createLogger, c as createServer, g as defineConfig, f as formatPostcssSourceMap, k as getDepOptimizationConfig, m as isDepsOptimizerEnabled, z as isFileServingAllowed, l as loadConfigFromFile, A as loadEnv, u as mergeAlias, q as mergeConfig, n as normalizePath, o as optimizeDeps, a as preprocessCSS, p as preview, j as resolveBaseUrl, h as resolveConfig, B as resolveEnvPrefix, d as resolvePackageData, r as resolvePackageEntry, y as searchForWorkspaceRoot, w as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-9c3982ed.js';
+import { i as isInNodeModules } from './chunks/dep-3936e161.js';
+export { b as build, e as buildErrorMessage, v as createFilter, x as createLogger, c as createServer, g as defineConfig, f as formatPostcssSourceMap, k as getDepOptimizationConfig, m as isDepsOptimizerEnabled, z as isFileServingAllowed, l as loadConfigFromFile, A as loadEnv, u as mergeAlias, q as mergeConfig, n as normalizePath, o as optimizeDeps, a as preprocessCSS, p as preview, j as resolveBaseUrl, h as resolveConfig, B as resolveEnvPrefix, d as resolvePackageData, r as resolvePackageEntry, y as searchForWorkspaceRoot, w as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-3936e161.js';
 export { VERSION as version } from './constants.js';
 export { version as esbuildVersion } from 'esbuild';
 export { VERSION as rollupVersion } from 'rollup';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "4.5.7",
+  "version": "4.5.9",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",