vite 5.4.18 → 5.4.20

package/dist/node/chunks/{dep-DbT5NFX0.js → dep-D_zLpgQd.js}

@@ -36991,8 +36991,8 @@ function createCachedImport(imp) {
     return cached;
   };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-75Pw0qnz.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-nOVVHa2_.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-YkMKzX4u.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-e9kYborm.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 const preprocessorWorkerControllerCache = /* @__PURE__ */ new WeakMap();
 let alwaysFakeWorkerWorkerControllerCache;
@@ -51568,7 +51568,7 @@ function sirv (dir, opts={}) {
 		});
 	}
 
-	let lookup = opts.dev ? viaLocal.bind(0, dir, isEtag) : viaCache.bind(0, FILES);
+	let lookup = opts.dev ? viaLocal.bind(0, dir.endsWith(sep$1) ? dir : dir + sep$1, isEtag) : viaCache.bind(0, FILES);
 
 	return function (req, res, next) {
 		let extns = [''];
@@ -51601,8 +51601,11 @@ function sirv (dir, opts={}) {
 }
 
 const knownJavascriptExtensionRE = /\.[tj]sx?$/;
+const ERR_DENIED_FILE = "ERR_DENIED_FILE";
 const sirvOptions = ({
-  getHeaders
+  server,
+  getHeaders,
+  disableFsServeCheck
 }) => {
   return {
     dev: true,
@@ -51618,6 +51621,19 @@ const sirvOptions = ({
           res.setHeader(name, headers[name]);
         }
       }
+    },
+    shouldServe: disableFsServeCheck ? void 0 : (filePath) => {
+      const servingAccessResult = checkLoadingAccess(server, filePath);
+      if (servingAccessResult === "denied") {
+        const error = new Error("denied access");
+        error.code = ERR_DENIED_FILE;
+        error.path = filePath;
+        throw error;
+      }
+      if (servingAccessResult === "fallback") {
+        return false;
+      }
+      return true;
     }
   };
 };
@@ -51626,7 +51642,9 @@ function servePublicMiddleware(server, publicFiles) {
   const serve = sirv(
     dir,
     sirvOptions({
-      getHeaders: () => server.config.server.headers
+      server,
+      getHeaders: () => server.config.server.headers,
+      disableFsServeCheck: true
     })
   );
   const toFilePath = (url) => {
@@ -51652,6 +51670,7 @@ function serveStaticMiddleware(server) {
   const serve = sirv(
     dir,
     sirvOptions({
+      server,
       getHeaders: () => server.config.server.headers
     })
   );
@@ -51676,42 +51695,47 @@ function serveStaticMiddleware(server) {
       }
     }
     const resolvedPathname = redirectedPathname || pathname;
-    let fileUrl = path$n.resolve(dir, removeLeadingSlash(resolvedPathname));
-    if (resolvedPathname[resolvedPathname.length - 1] === "/" && fileUrl[fileUrl.length - 1] !== "/") {
-      fileUrl = withTrailingSlash(fileUrl);
-    }
-    if (!ensureServingAccess(fileUrl, server, res, next)) {
-      return;
-    }
+    path$n.resolve(dir, removeLeadingSlash(resolvedPathname));
     if (redirectedPathname) {
       url.pathname = encodeURI(redirectedPathname);
       req.url = url.href.slice(url.origin.length);
     }
-    serve(req, res, next);
+    try {
+      serve(req, res, next);
+    } catch (e) {
+      if (e && "code" in e && e.code === ERR_DENIED_FILE) {
+        respondWithAccessDenied(e.path, server, res);
+        return;
+      }
+      throw e;
+    }
   };
 }
 function serveRawFsMiddleware(server) {
   const serveFromRoot = sirv(
     "/",
-    sirvOptions({ getHeaders: () => server.config.server.headers })
+    sirvOptions({
+      server,
+      getHeaders: () => server.config.server.headers
+    })
   );
   return function viteServeRawFsMiddleware(req, res, next) {
     const url = new URL(req.url.replace(/^\/{2,}/, "/"), "http://example.com");
     if (url.pathname.startsWith(FS_PREFIX)) {
       const pathname = decodeURI(url.pathname);
-      if (!ensureServingAccess(
-        slash$1(path$n.resolve(fsPathFromId(pathname))),
-        server,
-        res,
-        next
-      )) {
-        return;
-      }
       let newPathname = pathname.slice(FS_PREFIX.length);
       if (isWindows$3) newPathname = newPathname.replace(/^[A-Z]:/i, "");
       url.pathname = encodeURI(newPathname);
       req.url = url.href.slice(url.origin.length);
-      serveFromRoot(req, res, next);
+      try {
+        serveFromRoot(req, res, next);
+      } catch (e) {
+        if (e && "code" in e && e.code === ERR_DENIED_FILE) {
+          respondWithAccessDenied(e.path, server, res);
+          return;
+        }
+        throw e;
+      }
     } else {
       next();
     }
@@ -51719,34 +51743,49 @@ function serveRawFsMiddleware(server) {
 }
 function isFileServingAllowed(url, server) {
   if (!server.config.server.fs.strict) return true;
-  const file = fsPathFromUrl(url);
-  if (server._fsDenyGlob(file)) return false;
-  if (server.moduleGraph.safeModulesPath.has(file)) return true;
-  if (server.config.server.fs.allow.some(
-    (uri) => isSameFileUri(uri, file) || isParentDirectory(uri, file)
-  ))
-    return true;
+  const filePath = fsPathFromUrl(url);
+  return isFileLoadingAllowed(server, filePath);
+}
+function isUriInFilePath(uri, filePath) {
+  return isSameFileUri(uri, filePath) || isParentDirectory(uri, filePath);
+}
+function isFileLoadingAllowed(server, filePath) {
+  const { fs } = server.config.server;
+  if (!fs.strict) return true;
+  if (server._fsDenyGlob(filePath)) return false;
+  if (server.moduleGraph.safeModulesPath.has(filePath)) return true;
+  if (fs.allow.some((uri) => isUriInFilePath(uri, filePath))) return true;
   return false;
 }
-function ensureServingAccess(url, server, res, next) {
+function checkLoadingAccess(server, path2) {
+  if (isFileLoadingAllowed(server, slash$1(path2))) {
+    return "allowed";
+  }
+  if (isFileReadable(path2)) {
+    return "denied";
+  }
+  return "fallback";
+}
+function checkServingAccess(url, server) {
   if (isFileServingAllowed(url, server)) {
-    return true;
+    return "allowed";
   }
   if (isFileReadable(cleanUrl(url))) {
-    const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`;
-    const hintMessage = `
+    return "denied";
+  }
+  return "fallback";
+}
+function respondWithAccessDenied(url, server, res) {
+  const urlMessage = `The request url "${url}" is outside of Vite serving allow list.`;
+  const hintMessage = `
 ${server.config.server.fs.allow.map((i) => `- ${i}`).join("\n")}
 
 Refer to docs https://vite.dev/config/server-options.html#server-fs-allow for configurations and more details.`;
-    server.config.logger.error(urlMessage);
-    server.config.logger.warnOnce(hintMessage + "\n");
-    res.statusCode = 403;
-    res.write(renderRestrictedErrorHTML(urlMessage + "\n" + hintMessage));
-    res.end();
-  } else {
-    next();
-  }
-  return false;
+  server.config.logger.error(urlMessage);
+  server.config.logger.warnOnce(hintMessage + "\n");
+  res.statusCode = 403;
+  res.write(renderRestrictedErrorHTML(urlMessage + "\n" + hintMessage));
+  res.end();
 }
 function renderRestrictedErrorHTML(msg) {
   const html = String.raw;
@@ -61941,7 +61980,18 @@ const rawRE = /[?&]raw\b/;
 const inlineRE = /[?&]inline\b/;
 const svgRE = /\.svg\b/;
 function deniedServingAccessForTransform(url, server, res, next) {
-  return (rawRE.test(url) || urlRE.test(url) || inlineRE.test(url) || svgRE.test(url)) && !ensureServingAccess(url, server, res, next);
+  if (rawRE.test(url) || urlRE.test(url) || inlineRE.test(url) || svgRE.test(url)) {
+    const servingAccessResult = checkServingAccess(url, server);
+    if (servingAccessResult === "denied") {
+      respondWithAccessDenied(url, server, res);
+      return true;
+    }
+    if (servingAccessResult === "fallback") {
+      next();
+      return true;
+    }
+  }
+  return false;
 }
 function cachedTransformMiddleware(server) {
   return function viteCachedTransformMiddleware(req, res, next) {
@@ -62420,7 +62470,22 @@ function indexHtmlMiddleware(root, server) {
       if (isDev && url.startsWith(FS_PREFIX)) {
         filePath = decodeURIComponent(fsPathFromId(url));
       } else {
-        filePath = path$n.join(root, decodeURIComponent(url));
+        filePath = normalizePath$3(
+          path$n.resolve(path$n.join(root, decodeURIComponent(url)))
+        );
+      }
+      if (isDev) {
+        const servingAccessResult = checkLoadingAccess(server, filePath);
+        if (servingAccessResult === "denied") {
+          return respondWithAccessDenied(filePath, server, res);
+        }
+        if (servingAccessResult === "fallback") {
+          return next();
+        }
+      } else {
+        if (!isParentDirectory(root, filePath)) {
+          return next();
+        }
       }
       if (fsUtils.existsSync(filePath)) {
         const headers = isDev ? server.config.server.headers : server.config.preview.headers;
@@ -66253,7 +66318,8 @@ async function preview(inlineConfig = {}) {
   }
   postHooks.forEach((fn) => fn && fn());
   if (config.appType === "spa" || config.appType === "mpa") {
-    app.use(indexHtmlMiddleware(distDir, server));
+    const normalizedDistDir = normalizePath$3(distDir);
+    app.use(indexHtmlMiddleware(normalizedDistDir, server));
     app.use(notFoundMiddleware());
   }
   const hostname = await resolveHostname(options.host);
@@ -66978,4 +67044,4 @@ function optimizeDepsDisabledBackwardCompatibility(resolved, optimizeDeps, optim
   }
 }
 
-export { colors$1 as A, getDefaultExportFromCjs as B, commonjsGlobal as C, index$1 as D, index as E, build$1 as F, preview$1 as G, arraify as a, build as b, createServer as c, defineConfig as d, preprocessCSS as e, formatPostcssSourceMap as f, buildErrorMessage as g, fetchModule as h, isInNodeModules$1 as i, mergeAlias as j, createFilter as k, loadConfigFromFile as l, mergeConfig as m, normalizePath$3 as n, optimizeDeps as o, preview as p, rollupVersion as q, resolveConfig as r, sortUserPlugins as s, transformWithEsbuild as t, send as u, createLogger as v, searchForWorkspaceRoot as w, isFileServingAllowed as x, loadEnv as y, resolveEnvPrefix as z };
+export { resolveEnvPrefix as A, colors$1 as B, getDefaultExportFromCjs as C, commonjsGlobal as D, index$1 as E, index as F, build$1 as G, preview$1 as H, arraify as a, build as b, createServer as c, defineConfig as d, preprocessCSS as e, formatPostcssSourceMap as f, buildErrorMessage as g, fetchModule as h, isInNodeModules$1 as i, mergeAlias as j, createFilter as k, loadConfigFromFile as l, mergeConfig as m, normalizePath$3 as n, optimizeDeps as o, preview as p, rollupVersion as q, resolveConfig as r, sortUserPlugins as s, transformWithEsbuild as t, send as u, createLogger as v, searchForWorkspaceRoot as w, isFileServingAllowed as x, isFileLoadingAllowed as y, loadEnv as z };

package/dist/node/chunks/{dep-75Pw0qnz.js → dep-YkMKzX4u.js}

@@ -1,4 +1,4 @@
-import { B as getDefaultExportFromCjs } from './dep-DbT5NFX0.js';
+import { C as getDefaultExportFromCjs } from './dep-D_zLpgQd.js';
 import require$$0 from 'path';
 import require$$0__default from 'fs';
 import { l as lib } from './dep-IQS-Za7F.js';

package/dist/node/chunks/{dep-nOVVHa2_.js → dep-e9kYborm.js}

@@ -1,4 +1,4 @@
-import { C as commonjsGlobal, B as getDefaultExportFromCjs } from './dep-DbT5NFX0.js';
+import { D as commonjsGlobal, C as getDefaultExportFromCjs } from './dep-D_zLpgQd.js';
 import require$$0__default from 'fs';
 import require$$0 from 'postcss';
 import require$$0$1 from 'path';

package/dist/node/cli.js

@@ -2,7 +2,7 @@ import path from 'node:path';
 import fs__default from 'node:fs';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'events';
-import { A as colors, v as createLogger, r as resolveConfig } from './chunks/dep-DbT5NFX0.js';
+import { B as colors, v as createLogger, r as resolveConfig } from './chunks/dep-D_zLpgQd.js';
 import { VERSION } from './constants.js';
 import 'node:fs/promises';
 import 'node:url';
@@ -731,7 +731,7 @@ cli.command("[root]", "start dev server").alias("serve").alias("dev").option("--
   `[boolean] force the optimizer to ignore the cache and re-bundle`
 ).action(async (root, options) => {
   filterDuplicateOptions(options);
-  const { createServer } = await import('./chunks/dep-DbT5NFX0.js').then(function (n) { return n.E; });
+  const { createServer } = await import('./chunks/dep-D_zLpgQd.js').then(function (n) { return n.F; });
   try {
     const server = await createServer({
       root,
@@ -823,7 +823,7 @@ cli.command("build [root]", "build for production").option("--target <target>",
   `[boolean] force empty outDir when it's outside of root`
 ).option("-w, --watch", `[boolean] rebuilds when modules have changed on disk`).action(async (root, options) => {
   filterDuplicateOptions(options);
-  const { build } = await import('./chunks/dep-DbT5NFX0.js').then(function (n) { return n.F; });
+  const { build } = await import('./chunks/dep-D_zLpgQd.js').then(function (n) { return n.G; });
   const buildOptions = cleanOptions(options);
   try {
     await build({
@@ -852,7 +852,7 @@ cli.command("optimize [root]", "pre-bundle dependencies").option(
 ).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { optimizeDeps } = await import('./chunks/dep-DbT5NFX0.js').then(function (n) { return n.D; });
+    const { optimizeDeps } = await import('./chunks/dep-D_zLpgQd.js').then(function (n) { return n.E; });
     try {
       const config = await resolveConfig(
         {
@@ -878,7 +878,7 @@ ${e.stack}`),
 cli.command("preview [root]", "locally preview production build").option("--host [host]", `[string] specify hostname`, { type: [convertHost] }).option("--port <port>", `[number] specify port`).option("--strictPort", `[boolean] exit if specified port is already in use`).option("--open [path]", `[boolean | string] open browser on startup`).option("--outDir <dir>", `[string] output directory (default: dist)`).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { preview } = await import('./chunks/dep-DbT5NFX0.js').then(function (n) { return n.G; });
+    const { preview } = await import('./chunks/dep-D_zLpgQd.js').then(function (n) { return n.H; });
     try {
       const server = await preview({
         root,

package/dist/node/index.d.ts

@@ -3567,8 +3567,10 @@ declare function searchForWorkspaceRoot(current: string, root?: string): string;
 
 /**
  * Check if the url is allowed to be served, via the `server.fs` config.
+ * @deprecated Use the `isFileLoadingAllowed` function instead.
  */
 declare function isFileServingAllowed(url: string, server: ViteDevServer): boolean;
+declare function isFileLoadingAllowed(server: ViteDevServer, filePath: string): boolean;
 
 declare function loadEnv(mode: string, envDir: string, prefixes?: string | string[]): Record<string, string>;
 declare function resolveEnvPrefix({ envPrefix, }: UserConfig): string[];
@@ -3622,4 +3624,4 @@ declare class ServerHMRConnector implements HMRRuntimeConnection {
     onUpdate(handler: (payload: HMRPayload) => void): void;
 }
 
-export { type Alias, type AliasOptions, type AnymatchFn, type AnymatchPattern, type AppType, type AwaitWriteFinishOptions, type BindCLIShortcutsOptions, type BuildOptions, type CLIShortcut, type CSSModulesOptions, type CSSOptions, type CommonServerOptions, type ConfigEnv, Connect, type CorsOptions, type CorsOrigin, type DepOptimizationConfig, type DepOptimizationMetadata, type DepOptimizationOptions, type ESBuildOptions, type ESBuildTransformResult, type ExperimentalOptions, type ExportsData, FSWatcher, type FetchModuleOptions, type FileSystemServeOptions, type FilterPattern, type HMRBroadcaster, type HMRBroadcasterClient, type HMRChannel, type HTMLOptions, type HmrContext, type HmrOptions, type HookHandler, type HtmlTagDescriptor, HttpProxy, type HttpServer, type IndexHtmlTransform, type IndexHtmlTransformContext, type IndexHtmlTransformHook, type IndexHtmlTransformResult, type InlineConfig, type InternalResolveOptions, type JsonOptions, type LegacyOptions, type LibraryFormats, type LibraryOptions, type LightningCSSOptions, type LogErrorOptions, type LogLevel, type LogOptions, type LogType, type Logger, type LoggerOptions, type MainThreadRuntimeOptions, type Manifest, type ManifestChunk, type MapToFunction, type AnymatchMatcher as Matcher, ModuleGraph, ModuleNode, type ModulePreloadOptions, type OptimizedDepInfo, type Plugin, PluginContainer, type PluginHookUtils, type PluginOption, type PreprocessCSSResult, type PreviewOptions, type PreviewServer, type PreviewServerHook, type ProxyOptions, type RenderBuiltAssetUrl, type ResolveFn, type ResolveModulePreloadDependenciesFn, type ResolveOptions, type ResolvedBuildOptions, type ResolvedCSSOptions, type ResolvedConfig, type ResolvedModulePreloadOptions, type ResolvedPreviewOptions, type ResolvedSSROptions, type ResolvedServerOptions, type ResolvedServerUrls, type ResolvedUrl, type ResolvedWorkerOptions, type ResolverFunction, type ResolverObject, type RollupCommonJSOptions, type RollupDynamicImportVarsOptions, type SSROptions, type SSRTarget, type SendOptions, type ServerHMRChannel, ServerHMRConnector, type ServerHook, type ServerOptions, SplitVendorChunkCache, type SsrDepOptimizationOptions, Terser, type TerserOptions, type TransformOptions, type TransformResult, type UserConfig, type UserConfigExport, type UserConfigFn, type UserConfigFnObject, type UserConfigFnPromise, type ViteDevServer, type WatchOptions, WebSocket, WebSocketAlias, type WebSocketClient, type WebSocketCustomListener, WebSocketServer, build, buildErrorMessage, createFilter, createLogger, createServer, createViteRuntime, defineConfig, fetchModule, formatPostcssSourceMap, isCSSRequest, isFileServingAllowed, loadConfigFromFile, loadEnv, mergeAlias, mergeConfig, normalizePath, optimizeDeps, preprocessCSS, preview, resolveConfig, resolveEnvPrefix, rollupVersion, searchForWorkspaceRoot, send, sortUserPlugins, splitVendorChunk, splitVendorChunkPlugin, transformWithEsbuild, VERSION as version };
+export { type Alias, type AliasOptions, type AnymatchFn, type AnymatchPattern, type AppType, type AwaitWriteFinishOptions, type BindCLIShortcutsOptions, type BuildOptions, type CLIShortcut, type CSSModulesOptions, type CSSOptions, type CommonServerOptions, type ConfigEnv, Connect, type CorsOptions, type CorsOrigin, type DepOptimizationConfig, type DepOptimizationMetadata, type DepOptimizationOptions, type ESBuildOptions, type ESBuildTransformResult, type ExperimentalOptions, type ExportsData, FSWatcher, type FetchModuleOptions, type FileSystemServeOptions, type FilterPattern, type HMRBroadcaster, type HMRBroadcasterClient, type HMRChannel, type HTMLOptions, type HmrContext, type HmrOptions, type HookHandler, type HtmlTagDescriptor, HttpProxy, type HttpServer, type IndexHtmlTransform, type IndexHtmlTransformContext, type IndexHtmlTransformHook, type IndexHtmlTransformResult, type InlineConfig, type InternalResolveOptions, type JsonOptions, type LegacyOptions, type LibraryFormats, type LibraryOptions, type LightningCSSOptions, type LogErrorOptions, type LogLevel, type LogOptions, type LogType, type Logger, type LoggerOptions, type MainThreadRuntimeOptions, type Manifest, type ManifestChunk, type MapToFunction, type AnymatchMatcher as Matcher, ModuleGraph, ModuleNode, type ModulePreloadOptions, type OptimizedDepInfo, type Plugin, PluginContainer, type PluginHookUtils, type PluginOption, type PreprocessCSSResult, type PreviewOptions, type PreviewServer, type PreviewServerHook, type ProxyOptions, type RenderBuiltAssetUrl, type ResolveFn, type ResolveModulePreloadDependenciesFn, type ResolveOptions, type ResolvedBuildOptions, type ResolvedCSSOptions, type ResolvedConfig, type ResolvedModulePreloadOptions, type ResolvedPreviewOptions, type ResolvedSSROptions, type ResolvedServerOptions, type ResolvedServerUrls, type ResolvedUrl, type ResolvedWorkerOptions, type ResolverFunction, type ResolverObject, type RollupCommonJSOptions, type RollupDynamicImportVarsOptions, type SSROptions, type SSRTarget, type SendOptions, type ServerHMRChannel, ServerHMRConnector, type ServerHook, type ServerOptions, SplitVendorChunkCache, type SsrDepOptimizationOptions, Terser, type TerserOptions, type TransformOptions, type TransformResult, type UserConfig, type UserConfigExport, type UserConfigFn, type UserConfigFnObject, type UserConfigFnPromise, type ViteDevServer, type WatchOptions, WebSocket, WebSocketAlias, type WebSocketClient, type WebSocketCustomListener, WebSocketServer, build, buildErrorMessage, createFilter, createLogger, createServer, createViteRuntime, defineConfig, fetchModule, formatPostcssSourceMap, isCSSRequest, isFileLoadingAllowed, isFileServingAllowed, loadConfigFromFile, loadEnv, mergeAlias, mergeConfig, normalizePath, optimizeDeps, preprocessCSS, preview, resolveConfig, resolveEnvPrefix, rollupVersion, searchForWorkspaceRoot, send, sortUserPlugins, splitVendorChunk, splitVendorChunkPlugin, transformWithEsbuild, VERSION as version };

package/dist/node/index.js

@@ -1,6 +1,6 @@
 export { parseAst, parseAstAsync } from 'rollup/parseAst';
-import { i as isInNodeModules, a as arraify } from './chunks/dep-DbT5NFX0.js';
-export { b as build, g as buildErrorMessage, k as createFilter, v as createLogger, c as createServer, d as defineConfig, h as fetchModule, f as formatPostcssSourceMap, x as isFileServingAllowed, l as loadConfigFromFile, y as loadEnv, j as mergeAlias, m as mergeConfig, n as normalizePath, o as optimizeDeps, e as preprocessCSS, p as preview, r as resolveConfig, z as resolveEnvPrefix, q as rollupVersion, w as searchForWorkspaceRoot, u as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-DbT5NFX0.js';
+import { i as isInNodeModules, a as arraify } from './chunks/dep-D_zLpgQd.js';
+export { b as build, g as buildErrorMessage, k as createFilter, v as createLogger, c as createServer, d as defineConfig, h as fetchModule, f as formatPostcssSourceMap, y as isFileLoadingAllowed, x as isFileServingAllowed, l as loadConfigFromFile, z as loadEnv, j as mergeAlias, m as mergeConfig, n as normalizePath, o as optimizeDeps, e as preprocessCSS, p as preview, r as resolveConfig, A as resolveEnvPrefix, q as rollupVersion, w as searchForWorkspaceRoot, u as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-D_zLpgQd.js';
 export { VERSION as version } from './constants.js';
 export { version as esbuildVersion } from 'esbuild';
 import { existsSync, readFileSync } from 'node:fs';

package/dist/node-cjs/publicUtils.cjs

@@ -5543,13 +5543,18 @@ function searchForWorkspaceRoot(current, root = searchForPackageRoot(current)) {
 
 function isFileServingAllowed(url, server) {
   if (!server.config.server.fs.strict) return true;
-  const file = fsPathFromUrl(url);
-  if (server._fsDenyGlob(file)) return false;
-  if (server.moduleGraph.safeModulesPath.has(file)) return true;
-  if (server.config.server.fs.allow.some(
-    (uri) => isSameFileUri(uri, file) || isParentDirectory(uri, file)
-  ))
-    return true;
+  const filePath = fsPathFromUrl(url);
+  return isFileLoadingAllowed(server, filePath);
+}
+function isUriInFilePath(uri, filePath) {
+  return isSameFileUri(uri, filePath) || isParentDirectory(uri, filePath);
+}
+function isFileLoadingAllowed(server, filePath) {
+  const { fs } = server.config.server;
+  if (!fs.strict) return true;
+  if (server._fsDenyGlob(filePath)) return false;
+  if (server.moduleGraph.safeModulesPath.has(filePath)) return true;
+  if (fs.allow.some((uri) => isUriInFilePath(uri, filePath))) return true;
   return false;
 }
 
@@ -6151,6 +6156,7 @@ exports.esbuildVersion = esbuild.version;
 exports.createFilter = createFilter;
 exports.createLogger = createLogger;
 exports.isCSSRequest = isCSSRequest;
+exports.isFileLoadingAllowed = isFileLoadingAllowed;
 exports.isFileServingAllowed = isFileServingAllowed;
 exports.loadEnv = loadEnv;
 exports.mergeAlias = mergeAlias;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "5.4.18",
+  "version": "5.4.20",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",