vite 5.4.10 → 5.4.12

package/dist/client/client.mjs

@@ -500,6 +500,7 @@ const hmrPort = __HMR_PORT__;
 const socketHost = `${__HMR_HOSTNAME__ || importMetaUrl.hostname}:${hmrPort || importMetaUrl.port}${__HMR_BASE__}`;
 const directSocketHost = __HMR_DIRECT_TARGET__;
 const base = __BASE__ || "/";
+const wsToken = __WS_TOKEN__;
 let socket;
 try {
   let fallback;
@@ -532,7 +533,10 @@ Check out your Vite / network configuration and https://vite.dev/config/server-o
   console.error(`[vite] failed to connect to websocket (${error}). `);
 }
 function setupWebSocket(protocol, hostAndPath, onCloseWithoutOpen) {
-  const socket2 = new WebSocket(`${protocol}://${hostAndPath}`, "vite-hmr");
+  const socket2 = new WebSocket(
+    `${protocol}://${hostAndPath}?token=${wsToken}`,
+    "vite-hmr"
+  );
   let isOpened = false;
   socket2.addEventListener(
     "open",

package/dist/node/chunks/{dep-BASfdaBA.js → dep-B0RN4094.js}

@@ -1,4 +1,4 @@
-import { C as commonjsGlobal, B as getDefaultExportFromCjs } from './dep-BWSbWtLw.js';
+import { C as commonjsGlobal, B as getDefaultExportFromCjs } from './dep-CjorC8P2.js';
 import require$$0__default from 'fs';
 import require$$0 from 'postcss';
 import require$$0$1 from 'path';
@@ -1327,54 +1327,63 @@ src$3.exports = (options = {}) => {
           });
 
           root.walkDecls(/^composes$/, (declaration) => {
-            const matches = declaration.value.match(matchImports$1);
+            const multiple = declaration.value.split(",");
+            const values = [];
 
-            if (!matches) {
-              return;
-            }
+            multiple.forEach((value) => {
+              const matches = value.trim().match(matchImports$1);
 
-            let tmpSymbols;
-            let [
-              ,
-              /*match*/ symbols,
-              doubleQuotePath,
-              singleQuotePath,
-              global,
-            ] = matches;
-
-            if (global) {
-              // Composing globals simply means changing these classes to wrap them in global(name)
-              tmpSymbols = symbols.split(/\s+/).map((s) => `global(${s})`);
-            } else {
-              const importPath = doubleQuotePath || singleQuotePath;
+              if (!matches) {
+                values.push(value);
 
-              let parent = declaration.parent;
-              let parentIndexes = "";
-
-              while (parent.type !== "root") {
-                parentIndexes =
-                  parent.parent.index(parent) + "_" + parentIndexes;
-                parent = parent.parent;
+                return;
               }
 
-              const { selector } = declaration.parent;
-              const parentRule = `_${parentIndexes}${selector}`;
-
-              addImportToGraph(importPath, parentRule, graph, visited);
+              let tmpSymbols;
+              let [
+                ,
+                /*match*/ symbols,
+                doubleQuotePath,
+                singleQuotePath,
+                global,
+              ] = matches;
+
+              if (global) {
+                // Composing globals simply means changing these classes to wrap them in global(name)
+                tmpSymbols = symbols.split(/\s+/).map((s) => `global(${s})`);
+              } else {
+                const importPath = doubleQuotePath || singleQuotePath;
 
-              importDecls[importPath] = declaration;
-              imports[importPath] = imports[importPath] || {};
+                let parent = declaration.parent;
+                let parentIndexes = "";
 
-              tmpSymbols = symbols.split(/\s+/).map((s) => {
-                if (!imports[importPath][s]) {
-                  imports[importPath][s] = createImportedName(s, importPath);
+                while (parent.type !== "root") {
+                  parentIndexes =
+                    parent.parent.index(parent) + "_" + parentIndexes;
+                  parent = parent.parent;
                 }
 
-                return imports[importPath][s];
-              });
-            }
+                const { selector } = declaration.parent;
+                const parentRule = `_${parentIndexes}${selector}`;
+
+                addImportToGraph(importPath, parentRule, graph, visited);
+
+                importDecls[importPath] = declaration;
+                imports[importPath] = imports[importPath] || {};
 
-            declaration.value = tmpSymbols.join(" ");
+                tmpSymbols = symbols.split(/\s+/).map((s) => {
+                  if (!imports[importPath][s]) {
+                    imports[importPath][s] = createImportedName(s, importPath);
+                  }
+
+                  return imports[importPath][s];
+                });
+              }
+
+              values.push(tmpSymbols.join(" "));
+            });
+
+            declaration.value = values.join(", ");
           });
 
           const importsOrder = topologicalSort(graph, failOnWrongOrder);
@@ -5767,9 +5776,19 @@ function localizeNode(rule, mode, localAliasMap) {
               hasLocals: false,
               explicit: context.explicit,
             };
-            newNodes = node.map((childNode) =>
-              transform(childNode, childContext)
-            );
+            newNodes = node.map((childNode) => {
+              const newContext = {
+                ...childContext,
+                enforceNoSpacing: false,
+              };
+
+              const result = transform(childNode, newContext);
+
+              childContext.global = newContext.global;
+              childContext.hasLocals = newContext.hasLocals;
+
+              return result;
+            });
 
             node = node.clone();
             node.nodes = normalizeNodeArray(newNodes);
@@ -5838,6 +5857,11 @@ function localizeNode(rule, mode, localAliasMap) {
 
         break;
       }
+      case "nesting": {
+        if (node.value === "&") {
+          context.hasLocals = true;
+        }
+      }
     }
 
     context.lastWasSpacing = false;
@@ -5910,19 +5934,34 @@ function localizeDeclNode(node, context) {
   return node;
 }
 
-function isWordAFunctionArgument(wordNode, functionNode) {
-  return functionNode
-    ? functionNode.nodes.some(
-        (functionNodeChild) =>
-          functionNodeChild.sourceIndex === wordNode.sourceIndex
-      )
-    : false;
-}
+// `none` is special value, other is global values
+const specialKeywords = [
+  "none",
+  "inherit",
+  "initial",
+  "revert",
+  "revert-layer",
+  "unset",
+];
 
 function localizeDeclarationValues(localize, declaration, context) {
   const valueNodes = valueParser(declaration.value);
 
   valueNodes.walk((node, index, nodes) => {
+    if (
+      node.type === "function" &&
+      (node.value.toLowerCase() === "var" || node.value.toLowerCase() === "env")
+    ) {
+      return false;
+    }
+
+    if (
+      node.type === "word" &&
+      specialKeywords.includes(node.value.toLowerCase())
+    ) {
+      return;
+    }
+
     const subContext = {
       options: context.options,
       global: context.global,
@@ -5939,57 +5978,80 @@ function localizeDeclaration(declaration, context) {
   const isAnimation = /animation$/i.test(declaration.prop);
 
   if (isAnimation) {
-    const validIdent = /^-?[_a-z][_a-z0-9-]*$/i;
+    // letter
+    // An uppercase letter or a lowercase letter.
+    //
+    // ident-start code point
+    // A letter, a non-ASCII code point, or U+005F LOW LINE (_).
+    //
+    // ident code point
+    // An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-).
+
+    // We don't validate `hex digits`, because we don't need it, it is work of linters.
+    const validIdent =
+      /^-?([a-z\u0080-\uFFFF_]|(\\[^\r\n\f])|-(?![0-9]))((\\[^\r\n\f])|[a-z\u0080-\uFFFF_0-9-])*$/i;
 
     /*
     The spec defines some keywords that you can use to describe properties such as the timing
     function. These are still valid animation names, so as long as there is a property that accepts
     a keyword, it is given priority. Only when all the properties that can take a keyword are
     exhausted can the animation name be set to the keyword. I.e.
-  
+
     animation: infinite infinite;
-  
+
     The animation will repeat an infinite number of times from the first argument, and will have an
     animation name of infinite from the second.
     */
     const animationKeywords = {
+      // animation-direction
+      $normal: 1,
+      $reverse: 1,
       $alternate: 1,
       "$alternate-reverse": 1,
+      // animation-fill-mode
+      $forwards: 1,
       $backwards: 1,
       $both: 1,
+      // animation-iteration-count
+      $infinite: 1,
+      // animation-play-state
+      $paused: 1,
+      $running: 1,
+      // animation-timing-function
       $ease: 1,
       "$ease-in": 1,
-      "$ease-in-out": 1,
       "$ease-out": 1,
-      $forwards: 1,
-      $infinite: 1,
+      "$ease-in-out": 1,
       $linear: 1,
-      $none: Infinity, // No matter how many times you write none, it will never be an animation name
-      $normal: 1,
-      $paused: 1,
-      $reverse: 1,
-      $running: 1,
       "$step-end": 1,
       "$step-start": 1,
+      // Special
+      $none: Infinity, // No matter how many times you write none, it will never be an animation name
+      // Global values
       $initial: Infinity,
       $inherit: Infinity,
       $unset: Infinity,
+      $revert: Infinity,
+      "$revert-layer": Infinity,
     };
     let parsedAnimationKeywords = {};
-    let stepsFunctionNode = null;
     const valueNodes = valueParser(declaration.value).walk((node) => {
-      /* If div-token appeared (represents as comma ','), a possibility of an animation-keywords should be reflesh. */
+      // If div-token appeared (represents as comma ','), a possibility of an animation-keywords should be reflesh.
       if (node.type === "div") {
         parsedAnimationKeywords = {};
+
+        return;
+      }
+      // Do not handle nested functions
+      else if (node.type === "function") {
+        return false;
       }
-      if (node.type === "function" && node.value.toLowerCase() === "steps") {
-        stepsFunctionNode = node;
+      // Ignore all except word
+      else if (node.type !== "word") {
+        return;
       }
-      const value =
-        node.type === "word" &&
-        !isWordAFunctionArgument(node, stepsFunctionNode)
-          ? node.value.toLowerCase()
-          : null;
+
+      const value = node.type === "word" ? node.value.toLowerCase() : null;
 
       let shouldParseAnimationName = false;
 
@@ -6014,6 +6076,7 @@ function localizeDeclaration(declaration, context) {
         localizeNextItem: shouldParseAnimationName && !context.global,
         localAliasMap: context.localAliasMap,
       };
+
       return localizeDeclNode(node, subContext);
     });
 
@@ -6088,10 +6151,12 @@ src$2.exports = (options = {}) => {
               } else if (localMatch) {
                 atRule.params = localMatch[0];
                 globalKeyframes = false;
-              } else if (!globalMode) {
-                if (atRule.params && !localAliasMap.has(atRule.params)) {
-                  atRule.params = ":local(" + atRule.params + ")";
-                }
+              } else if (
+                atRule.params &&
+                !globalMode &&
+                !localAliasMap.has(atRule.params)
+              ) {
+                atRule.params = ":local(" + atRule.params + ")";
               }
 
               atRule.walkDecls((declaration) => {
@@ -6101,6 +6166,44 @@ src$2.exports = (options = {}) => {
                   global: globalKeyframes,
                 });
               });
+            } else if (/scope$/i.test(atRule.name)) {
+              if (atRule.params) {
+                atRule.params = atRule.params
+                  .split("to")
+                  .map((item) => {
+                    const selector = item.trim().slice(1, -1).trim();
+                    const context = localizeNode(
+                      selector,
+                      options.mode,
+                      localAliasMap
+                    );
+
+                    context.options = options;
+                    context.localAliasMap = localAliasMap;
+
+                    if (pureMode && context.hasPureGlobals) {
+                      throw atRule.error(
+                        'Selector in at-rule"' +
+                          selector +
+                          '" is not pure ' +
+                          "(pure selectors must contain at least one local class or id)"
+                      );
+                    }
+
+                    return `(${context.selector})`;
+                  })
+                  .join(" to ");
+              }
+
+              atRule.nodes.forEach((declaration) => {
+                if (declaration.type === "decl") {
+                  localizeDeclaration(declaration, {
+                    localAliasMap,
+                    options: options,
+                    global: globalMode,
+                  });
+                }
+              });
             } else if (atRule.nodes) {
               atRule.nodes.forEach((declaration) => {
                 if (declaration.type === "decl") {
@@ -6160,7 +6263,23 @@ const selectorParser = distExports;
 
 const hasOwnProperty = Object.prototype.hasOwnProperty;
 
-function getSingleLocalNamesForComposes(root) {
+function isNestedRule(rule) {
+  if (!rule.parent || rule.parent.type === "root") {
+    return false;
+  }
+
+  if (rule.parent.type === "rule") {
+    return true;
+  }
+
+  return isNestedRule(rule.parent);
+}
+
+function getSingleLocalNamesForComposes(root, rule) {
+  if (isNestedRule(rule)) {
+    throw new Error(`composition is not allowed in nested rule \n\n${rule}`);
+  }
+
   return root.nodes.map((node) => {
     if (node.type !== "selector" || node.nodes.length !== 1) {
       throw new Error(
@@ -6247,17 +6366,19 @@ const plugin = (options = {}) => {
     Once(root, { rule }) {
       const exports = Object.create(null);
 
-      function exportScopedName(name, rawName) {
+      function exportScopedName(name, rawName, node) {
         const scopedName = generateScopedName(
           rawName ? rawName : name,
           root.source.input.from,
-          root.source.input.css
+          root.source.input.css,
+          node
         );
         const exportEntry = generateExportEntry(
           rawName ? rawName : name,
           scopedName,
           root.source.input.from,
-          root.source.input.css
+          root.source.input.css,
+          node
         );
         const { key, value } = exportEntry;
 
@@ -6273,23 +6394,35 @@ const plugin = (options = {}) => {
       function localizeNode(node) {
         switch (node.type) {
           case "selector":
-            node.nodes = node.map(localizeNode);
+            node.nodes = node.map((item) => localizeNode(item));
             return node;
           case "class":
             return selectorParser.className({
               value: exportScopedName(
                 node.value,
-                node.raws && node.raws.value ? node.raws.value : null
+                node.raws && node.raws.value ? node.raws.value : null,
+                node
               ),
             });
           case "id": {
             return selectorParser.id({
               value: exportScopedName(
                 node.value,
-                node.raws && node.raws.value ? node.raws.value : null
+                node.raws && node.raws.value ? node.raws.value : null,
+                node
               ),
             });
           }
+          case "attribute": {
+            if (node.attribute === "class" && node.operator === "=") {
+              return selectorParser.attribute({
+                attribute: node.attribute,
+                operator: node.operator,
+                quoteMark: "'",
+                value: exportScopedName(node.value, null, null),
+              });
+            }
+          }
         }
 
         throw new Error(
@@ -6306,7 +6439,7 @@ const plugin = (options = {}) => {
               }
 
               const selector = localizeNode(node.first);
-              // move the spaces that were around the psuedo selector to the first
+              // move the spaces that were around the pseudo selector to the first
               // non-container node
               selector.first.spaces = node.spaces;
 
@@ -6328,7 +6461,7 @@ const plugin = (options = {}) => {
           /* falls through */
           case "root":
           case "selector": {
-            node.each(traverseNode);
+            node.each((item) => traverseNode(item));
             break;
           }
           case "id":
@@ -6356,32 +6489,39 @@ const plugin = (options = {}) => {
 
         rule.selector = traverseNode(parsedSelector.clone()).toString();
 
-        rule.walkDecls(/composes|compose-with/i, (decl) => {
-          const localNames = getSingleLocalNamesForComposes(parsedSelector);
-          const classes = decl.value.split(/\s+/);
+        rule.walkDecls(/^(composes|compose-with)$/i, (decl) => {
+          const localNames = getSingleLocalNamesForComposes(
+            parsedSelector,
+            decl.parent
+          );
+          const multiple = decl.value.split(",");
 
-          classes.forEach((className) => {
-            const global = /^global\(([^)]+)\)$/.exec(className);
+          multiple.forEach((value) => {
+            const classes = value.trim().split(/\s+/);
 
-            if (global) {
-              localNames.forEach((exportedName) => {
-                exports[exportedName].push(global[1]);
-              });
-            } else if (hasOwnProperty.call(importedNames, className)) {
-              localNames.forEach((exportedName) => {
-                exports[exportedName].push(className);
-              });
-            } else if (hasOwnProperty.call(exports, className)) {
-              localNames.forEach((exportedName) => {
-                exports[className].forEach((item) => {
-                  exports[exportedName].push(item);
+            classes.forEach((className) => {
+              const global = /^global\(([^)]+)\)$/.exec(className);
+
+              if (global) {
+                localNames.forEach((exportedName) => {
+                  exports[exportedName].push(global[1]);
                 });
-              });
-            } else {
-              throw decl.error(
-                `referenced class name "${className}" in ${decl.prop} not found`
-              );
-            }
+              } else if (hasOwnProperty.call(importedNames, className)) {
+                localNames.forEach((exportedName) => {
+                  exports[exportedName].push(className);
+                });
+              } else if (hasOwnProperty.call(exports, className)) {
+                localNames.forEach((exportedName) => {
+                  exports[className].forEach((item) => {
+                    exports[exportedName].push(item);
+                  });
+                });
+              } else {
+                throw decl.error(
+                  `referenced class name "${className}" in ${decl.prop} not found`
+                );
+              }
+            });
           });
 
           decl.remove();
@@ -6433,6 +6573,27 @@ const plugin = (options = {}) => {
         atRule.params = exportScopedName(localMatch[1]);
       });
 
+      root.walkAtRules(/scope$/i, (atRule) => {
+        if (atRule.params) {
+          atRule.params = atRule.params
+            .split("to")
+            .map((item) => {
+              const selector = item.trim().slice(1, -1).trim();
+
+              const localMatch = /^\s*:local\s*\((.+?)\)\s*$/.exec(selector);
+
+              if (!localMatch) {
+                return `(${selector})`;
+              }
+
+              let parsedSelector = selectorParser().astSync(selector);
+
+              return `(${traverseNode(parsedSelector).toString()})`;
+            })
+            .join(" to ");
+        }
+      });
+
       // If we found any :locals, insert an :export rule
       const exportedNames = Object.keys(exports);
 

package/dist/node/chunks/{dep-BWSbWtLw.js → dep-CjorC8P2.js}

@@ -6,6 +6,7 @@ import { fileURLToPath, URL as URL$3, parse as parse$h, pathToFileURL } from 'no
 import { promisify as promisify$4, format as format$2, inspect } from 'node:util';
 import { performance as performance$1 } from 'node:perf_hooks';
 import { createRequire as createRequire$1, builtinModules } from 'node:module';
+import crypto$2, { createHash as createHash$2 } from 'node:crypto';
 import require$$0$3 from 'tty';
 import require$$0$4, { win32, posix, isAbsolute, resolve as resolve$3, relative as relative$1, basename as basename$1, extname, dirname as dirname$1, join as join$1, sep as sep$1, normalize as normalize$1 } from 'path';
 import esbuild, { transform as transform$1, formatMessages, build as build$3 } from 'esbuild';
@@ -27,7 +28,6 @@ import require$$0$6 from 'stream';
 import require$$2 from 'os';
 import require$$2$1 from 'child_process';
 import os$5 from 'node:os';
-import { createHash as createHash$2 } from 'node:crypto';
 import { promises } from 'node:dns';
 import require$$3$1 from 'crypto';
 import require$$0$8, { createRequire as createRequire$2 } from 'module';
@@ -42,6 +42,7 @@ import zlib$1 from 'zlib';
 import require$$0$a from 'buffer';
 import require$$1$1 from 'https';
 import require$$4$2 from 'tls';
+import net$1 from 'node:net';
 import require$$4$3 from 'assert';
 import { gzip } from 'node:zlib';
 
@@ -36990,8 +36991,8 @@ function createCachedImport(imp) {
     return cached;
   };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-GkhNNjoY.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-BASfdaBA.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-gXhP-2iO.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-B0RN4094.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 const preprocessorWorkerControllerCache = /* @__PURE__ */ new WeakMap();
 let alwaysFakeWorkerWorkerControllerCache;
@@ -47496,8 +47497,9 @@ function clientInjectionsPlugin(config) {
       const hmrTimeoutReplacement = escapeReplacement(timeout);
       const hmrEnableOverlayReplacement = escapeReplacement(overlay);
       const hmrConfigNameReplacement = escapeReplacement(hmrConfigName);
+      const wsTokenReplacement = escapeReplacement(config.webSocketToken);
       injectConfigValues = (code) => {
-        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__DEFINES__`, definesReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement);
+        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__DEFINES__`, definesReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement).replace(`__WS_TOKEN__`, wsTokenReplacement);
       };
     },
     async transform(code, id, options) {
@@ -59175,6 +59177,100 @@ function abortHandshakeOrEmitwsClientError(server, req, socket, code, message) {
 
 var WebSocketServerRaw_ = /*@__PURE__*/getDefaultExportFromCjs(websocketServer);
 
+const allowedHostsCache = /* @__PURE__ */ new WeakMap();
+const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i;
+function getAdditionalAllowedHosts(resolvedServerOptions, resolvedPreviewOptions) {
+  const list = [];
+  if (typeof resolvedServerOptions.host === "string" && resolvedServerOptions.host) {
+    list.push(resolvedServerOptions.host);
+  }
+  if (typeof resolvedServerOptions.hmr === "object" && resolvedServerOptions.hmr.host) {
+    list.push(resolvedServerOptions.hmr.host);
+  }
+  if (typeof resolvedPreviewOptions.host === "string" && resolvedPreviewOptions.host) {
+    list.push(resolvedPreviewOptions.host);
+  }
+  if (resolvedServerOptions.origin) {
+    const serverOriginUrl = new URL(resolvedServerOptions.origin);
+    list.push(serverOriginUrl.hostname);
+  }
+  return list;
+}
+function isHostAllowedWithoutCache(allowedHosts, additionalAllowedHosts, host) {
+  if (isFileOrExtensionProtocolRE.test(host)) {
+    return true;
+  }
+  const trimmedHost = host.trim();
+  if (trimmedHost[0] === "[") {
+    const endIpv6 = trimmedHost.indexOf("]");
+    if (endIpv6 < 0) {
+      return false;
+    }
+    return net$1.isIP(trimmedHost.slice(1, endIpv6)) === 6;
+  }
+  const colonPos = trimmedHost.indexOf(":");
+  const hostname = colonPos === -1 ? trimmedHost : trimmedHost.slice(0, colonPos);
+  if (net$1.isIP(hostname) === 4) {
+    return true;
+  }
+  if (hostname === "localhost" || hostname.endsWith(".localhost")) {
+    return true;
+  }
+  for (const additionalAllowedHost of additionalAllowedHosts) {
+    if (additionalAllowedHost === hostname) {
+      return true;
+    }
+  }
+  for (const allowedHost of allowedHosts) {
+    if (allowedHost === hostname) {
+      return true;
+    }
+    if (allowedHost[0] === "." && (allowedHost.slice(1) === hostname || hostname.endsWith(allowedHost))) {
+      return true;
+    }
+  }
+  return false;
+}
+function isHostAllowed(config, host) {
+  if (config.server.allowedHosts === true) {
+    return true;
+  }
+  if (!allowedHostsCache.has(config)) {
+    allowedHostsCache.set(config, /* @__PURE__ */ new Set());
+  }
+  const allowedHosts = allowedHostsCache.get(config);
+  if (allowedHosts.has(host)) {
+    return true;
+  }
+  const result = isHostAllowedWithoutCache(
+    config.server.allowedHosts ?? [],
+    config.additionalAllowedHosts,
+    host
+  );
+  if (result) {
+    allowedHosts.add(host);
+  }
+  return result;
+}
+function hostCheckMiddleware(config) {
+  return function viteHostCheckMiddleware(req, res, next) {
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+      const hostname = hostHeader?.replace(/:\d+$/, "");
+      const hostnameWithQuotes = JSON.stringify(hostname);
+      res.writeHead(403, {
+        "Content-Type": "text/plain"
+      });
+      res.end(
+        `Blocked request. This host (${hostnameWithQuotes}) is not allowed.
+To allow this host, add ${hostnameWithQuotes} to \`server.allowedHosts\` in vite.config.js.`
+      );
+      return;
+    }
+    return next();
+  };
+}
+
 const WebSocketServerRaw = process.versions.bun ? (
   // @ts-expect-error: Bun defines `import.meta.require`
   import.meta.require("ws").WebSocketServer
@@ -59189,6 +59285,19 @@ const wsServerEvents = [
 ];
 function noop$1() {
 }
+function hasValidToken(config, url) {
+  const token = url.searchParams.get("token");
+  if (!token) return false;
+  try {
+    const isValidToken = crypto$2.timingSafeEqual(
+      Buffer.from(token),
+      Buffer.from(config.webSocketToken)
+    );
+    return isValidToken;
+  } catch {
+  }
+  return false;
+}
 function createWebSocketServer(server, config, httpsOptions) {
   if (config.server.ws === false) {
     return {
@@ -59204,7 +59313,6 @@ function createWebSocketServer(server, config, httpsOptions) {
       send: noop$1
     };
   }
-  let wss;
   let wsHttpServer = void 0;
   const hmr = isObject$1(config.server.hmr) && config.server.hmr;
   const hmrServer = hmr && hmr.server;
@@ -59216,18 +59324,37 @@ function createWebSocketServer(server, config, httpsOptions) {
   const clientsMap = /* @__PURE__ */ new WeakMap();
   const port = hmrPort || 24678;
   const host = hmr && hmr.host || void 0;
+  const shouldHandle = (req) => {
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+      return false;
+    }
+    if (config.legacy?.skipWebSocketTokenCheck) {
+      return true;
+    }
+    if (req.headers.origin) {
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      return hasValidToken(config, parsedUrl);
+    }
+    return true;
+  };
+  const handleUpgrade = (req, socket, head, _isPing) => {
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      wss.emit("connection", ws, req);
+    });
+  };
+  const wss = new WebSocketServerRaw({ noServer: true });
+  wss.shouldHandle = shouldHandle;
   if (wsServer) {
     let hmrBase = config.base;
     const hmrPath = hmr ? hmr.path : void 0;
     if (hmrPath) {
       hmrBase = path$n.posix.join(hmrBase, hmrPath);
     }
-    wss = new WebSocketServerRaw({ noServer: true });
     hmrServerWsListener = (req, socket, head) => {
-      if (req.headers["sec-websocket-protocol"] === HMR_HEADER && req.url === hmrBase) {
-        wss.handleUpgrade(req, socket, head, (ws) => {
-          wss.emit("connection", ws, req);
-        });
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      if (req.headers["sec-websocket-protocol"] === HMR_HEADER && parsedUrl.pathname === hmrBase) {
+        handleUpgrade(req, socket, head);
       }
     };
     wsServer.on("upgrade", hmrServerWsListener);
@@ -59248,7 +59375,23 @@ function createWebSocketServer(server, config, httpsOptions) {
     } else {
       wsHttpServer = createServer$3(route);
     }
-    wss = new WebSocketServerRaw({ server: wsHttpServer });
+    wsHttpServer.on("upgrade", (req, socket, head) => {
+      handleUpgrade(req, socket, head);
+    });
+    wsHttpServer.on("error", (e) => {
+      if (e.code === "EADDRINUSE") {
+        config.logger.error(
+          colors$1.red(`WebSocket server error: Port is already in use`),
+          { error: e }
+        );
+      } else {
+        config.logger.error(
+          colors$1.red(`WebSocket server error:
+${e.stack || e.message}`),
+          { error: e }
+        );
+      }
+    });
   }
   wss.on("connection", (socket) => {
     socket.on("message", (raw) => {
@@ -63083,9 +63226,13 @@ async function _createServer(inlineConfig = {}, options) {
     middlewares.use(timeMiddleware(root));
   }
   const { cors } = serverConfig;
-  if (cors !== false) {
+  if (cors !== void 0 && cors !== false) {
     middlewares.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
   }
+  const { allowedHosts } = serverConfig;
+  if (allowedHosts !== true && !serverConfig.https) {
+    middlewares.use(hostCheckMiddleware(config));
+  }
   middlewares.use(cachedTransformMiddleware(server));
   const { proxy } = serverConfig;
   if (proxy) {
@@ -65943,6 +66090,7 @@ function resolvePreviewOptions(preview2, server) {
     port: preview2?.port,
     strictPort: preview2?.strictPort ?? server.strictPort,
     host: preview2?.host ?? server.host,
+    allowedHosts: preview2?.allowedHosts ?? server.allowedHosts,
     https: preview2?.https ?? server.https,
     open: preview2?.open ?? server.open,
     proxy: preview2?.proxy ?? server.proxy,
@@ -66010,9 +66158,13 @@ async function preview(inlineConfig = {}) {
     postHooks.push(await hook(server));
   }
   const { cors } = config.preview;
-  if (cors !== false) {
+  if (cors !== void 0 && cors !== false) {
     app.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
   }
+  const { allowedHosts } = config.preview;
+  if (allowedHosts !== true && !config.preview.https) {
+    app.use(hostCheckMiddleware(config));
+  }
   const { proxy } = config.preview;
   if (proxy) {
     app.use(proxyMiddleware(httpServer, proxy, config));
@@ -66329,6 +66481,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     rollupOptions: config.worker?.rollupOptions || {}
   };
   const base = withTrailingSlash(resolvedBase);
+  const preview = resolvePreviewOptions(config.preview, server);
   resolved = {
     configFile: configFile ? normalizePath$3(configFile) : void 0,
     configFileDependencies: configFileDependencies.map(
@@ -66357,7 +66510,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     },
     server,
     build: resolvedBuildOptions,
-    preview: resolvePreviewOptions(config.preview, server),
+    preview,
     envDir,
     env: {
       ...userEnv,
@@ -66387,6 +66540,13 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
       hmrPartialAccept: false,
       ...config.experimental
     },
+    // random 72 bits (12 base64 chars)
+    // at least 64bits is recommended
+    // https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
+    webSocketToken: Buffer.from(
+      crypto$2.getRandomValues(new Uint8Array(9))
+    ).toString("base64url"),
+    additionalAllowedHosts: getAdditionalAllowedHosts(server, preview),
     getSortedPlugins: void 0,
     getSortedPluginHooks: void 0
   };

package/dist/node/chunks/{dep-GkhNNjoY.js → dep-gXhP-2iO.js}

@@ -1,4 +1,4 @@
-import { B as getDefaultExportFromCjs } from './dep-BWSbWtLw.js';
+import { B as getDefaultExportFromCjs } from './dep-CjorC8P2.js';
 import require$$0 from 'path';
 import require$$0__default from 'fs';
 import { l as lib } from './dep-IQS-Za7F.js';

package/dist/node/cli.js

@@ -2,12 +2,13 @@ import path from 'node:path';
 import fs__default from 'node:fs';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'events';
-import { A as colors, v as createLogger, r as resolveConfig } from './chunks/dep-BWSbWtLw.js';
+import { A as colors, v as createLogger, r as resolveConfig } from './chunks/dep-CjorC8P2.js';
 import { VERSION } from './constants.js';
 import 'node:fs/promises';
 import 'node:url';
 import 'node:util';
 import 'node:module';
+import 'node:crypto';
 import 'tty';
 import 'path';
 import 'esbuild';
@@ -26,7 +27,6 @@ import 'stream';
 import 'os';
 import 'child_process';
 import 'node:os';
-import 'node:crypto';
 import 'node:dns';
 import 'crypto';
 import 'module';
@@ -41,6 +41,7 @@ import 'zlib';
 import 'buffer';
 import 'https';
 import 'tls';
+import 'node:net';
 import 'assert';
 import 'node:zlib';
 
@@ -730,7 +731,7 @@ cli.command("[root]", "start dev server").alias("serve").alias("dev").option("--
   `[boolean] force the optimizer to ignore the cache and re-bundle`
 ).action(async (root, options) => {
   filterDuplicateOptions(options);
-  const { createServer } = await import('./chunks/dep-BWSbWtLw.js').then(function (n) { return n.E; });
+  const { createServer } = await import('./chunks/dep-CjorC8P2.js').then(function (n) { return n.E; });
   try {
     const server = await createServer({
       root,
@@ -822,7 +823,7 @@ cli.command("build [root]", "build for production").option("--target <target>",
   `[boolean] force empty outDir when it's outside of root`
 ).option("-w, --watch", `[boolean] rebuilds when modules have changed on disk`).action(async (root, options) => {
   filterDuplicateOptions(options);
-  const { build } = await import('./chunks/dep-BWSbWtLw.js').then(function (n) { return n.F; });
+  const { build } = await import('./chunks/dep-CjorC8P2.js').then(function (n) { return n.F; });
   const buildOptions = cleanOptions(options);
   try {
     await build({
@@ -851,7 +852,7 @@ cli.command("optimize [root]", "pre-bundle dependencies").option(
 ).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { optimizeDeps } = await import('./chunks/dep-BWSbWtLw.js').then(function (n) { return n.D; });
+    const { optimizeDeps } = await import('./chunks/dep-CjorC8P2.js').then(function (n) { return n.D; });
     try {
       const config = await resolveConfig(
         {
@@ -877,7 +878,7 @@ ${e.stack}`),
 cli.command("preview [root]", "locally preview production build").option("--host [host]", `[string] specify hostname`, { type: [convertHost] }).option("--port <port>", `[number] specify port`).option("--strictPort", `[boolean] exit if specified port is already in use`).option("--open [path]", `[boolean | string] open browser on startup`).option("--outDir <dir>", `[string] output directory (default: dist)`).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { preview } = await import('./chunks/dep-BWSbWtLw.js').then(function (n) { return n.G; });
+    const { preview } = await import('./chunks/dep-CjorC8P2.js').then(function (n) { return n.G; });
     try {
       const server = await preview({
         root,

package/dist/node/index.d.ts

@@ -669,6 +669,18 @@ interface CommonServerOptions {
      * Set to 0.0.0.0 to listen on all addresses, including LAN and public addresses.
      */
     host?: string | boolean;
+    /**
+     * The hostnames that Vite is allowed to respond to.
+     * `localhost` and subdomains under `.localhost` and all IP addresses are allowed by default.
+     * When using HTTPS, this check is skipped.
+     *
+     * If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname.
+     * For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.
+     *
+     * If set to `true`, the server is allowed to respond to requests for any hosts.
+     * This is not recommended as it will be vulnerable to DNS rebinding attacks.
+     */
+    allowedHosts?: string[] | true;
     /**
      * Enable TLS + HTTP/2.
      * Note: this downgrades to TLS only when the proxy option is also used.
@@ -704,8 +716,14 @@ interface CommonServerOptions {
     /**
      * Configure CORS for the dev server.
      * Uses https://github.com/expressjs/cors.
+     *
+     * When enabling this option, **we recommend setting a specific value
+     * rather than `true`** to avoid exposing the source code to untrusted origins.
+     *
      * Set to `true` to allow all methods from any origin, or configure separately
      * using an object.
+     *
+     * @default false
      */
     cors?: CorsOptions | boolean;
     /**
@@ -717,6 +735,12 @@ interface CommonServerOptions {
  * https://github.com/expressjs/cors#configuration-options
  */
 interface CorsOptions {
+    /**
+     * Configures the Access-Control-Allow-Origin CORS header.
+     *
+     * **We recommend setting a specific value rather than
+     * `true`** to avoid exposing the source code to untrusted origins.
+     */
     origin?: CorsOrigin | ((origin: string | undefined, cb: (err: Error, origins: CorsOrigin) => void) => void);
     methods?: string | string[];
     allowedHeaders?: string | string[];
@@ -3402,6 +3426,18 @@ interface LegacyOptions {
      * https://github.com/vitejs/vite/discussions/14697.
      */
     proxySsrExternalModules?: boolean;
+    /**
+     * In Vite 6.0.8 / 5.4.11 and below, WebSocket server was able to connect from any web pages. However,
+     * that could be exploited by a malicious web page.
+     *
+     * In Vite 6.0.9+ / 5.4.12+, the WebSocket server now requires a token to connect from a web page.
+     * But this may break some plugins and frameworks that connects to the WebSocket server
+     * on their own. Enabling this option will make Vite skip the token check.
+     *
+     * **We do not recommend enabling this option unless you are sure that you are fine with
+     * that security weakness.**
+     */
+    skipWebSocketTokenCheck?: boolean;
 }
 interface ResolvedWorkerOptions {
     format: 'es' | 'iife';
@@ -3443,6 +3479,17 @@ type ResolvedConfig = Readonly<Omit<UserConfig, 'plugins' | 'css' | 'assetsInclu
     worker: ResolvedWorkerOptions;
     appType: AppType;
     experimental: ExperimentalOptions;
+    /**
+     * The token to connect to the WebSocket server from browsers.
+     *
+     * We recommend using `import.meta.hot` rather than connecting
+     * to the WebSocket server directly.
+     * If you have a usecase that requires connecting to the WebSocket
+     * server, please create an issue so that we can discuss.
+     *
+     * @deprecated
+     */
+    webSocketToken: string;
 } & PluginHookUtils>;
 interface PluginHookUtils {
     getSortedPlugins: <K extends keyof Plugin>(hookName: K) => PluginWithRequiredHook<K>[];

package/dist/node/index.js

@@ -1,6 +1,6 @@
 export { parseAst, parseAstAsync } from 'rollup/parseAst';
-import { i as isInNodeModules, a as arraify } from './chunks/dep-BWSbWtLw.js';
-export { b as build, g as buildErrorMessage, k as createFilter, v as createLogger, c as createServer, d as defineConfig, h as fetchModule, f as formatPostcssSourceMap, x as isFileServingAllowed, l as loadConfigFromFile, y as loadEnv, j as mergeAlias, m as mergeConfig, n as normalizePath, o as optimizeDeps, e as preprocessCSS, p as preview, r as resolveConfig, z as resolveEnvPrefix, q as rollupVersion, w as searchForWorkspaceRoot, u as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-BWSbWtLw.js';
+import { i as isInNodeModules, a as arraify } from './chunks/dep-CjorC8P2.js';
+export { b as build, g as buildErrorMessage, k as createFilter, v as createLogger, c as createServer, d as defineConfig, h as fetchModule, f as formatPostcssSourceMap, x as isFileServingAllowed, l as loadConfigFromFile, y as loadEnv, j as mergeAlias, m as mergeConfig, n as normalizePath, o as optimizeDeps, e as preprocessCSS, p as preview, r as resolveConfig, z as resolveEnvPrefix, q as rollupVersion, w as searchForWorkspaceRoot, u as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-CjorC8P2.js';
 export { VERSION as version } from './constants.js';
 export { version as esbuildVersion } from 'esbuild';
 import { existsSync, readFileSync } from 'node:fs';
@@ -11,6 +11,7 @@ import 'node:url';
 import 'node:util';
 import 'node:perf_hooks';
 import 'node:module';
+import 'node:crypto';
 import 'tty';
 import 'path';
 import 'fs';
@@ -29,7 +30,6 @@ import 'stream';
 import 'os';
 import 'child_process';
 import 'node:os';
-import 'node:crypto';
 import 'node:dns';
 import 'crypto';
 import 'module';
@@ -43,6 +43,7 @@ import 'zlib';
 import 'buffer';
 import 'https';
 import 'tls';
+import 'node:net';
 import 'assert';
 import 'node:zlib';
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "5.4.10",
+  "version": "5.4.12",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",