vite 5.4.6 → 5.4.18

package/dist/node/chunks/{dep-DyBnyoVI.js → dep-DbT5NFX0.js}

@@ -6,10 +6,11 @@ import { fileURLToPath, URL as URL$3, parse as parse$h, pathToFileURL } from 'no
 import { promisify as promisify$4, format as format$2, inspect } from 'node:util';
 import { performance as performance$1 } from 'node:perf_hooks';
 import { createRequire as createRequire$1, builtinModules } from 'node:module';
+import crypto$2, { createHash as createHash$2 } from 'node:crypto';
 import require$$0$3 from 'tty';
 import require$$0$4, { win32, posix, isAbsolute, resolve as resolve$3, relative as relative$1, basename as basename$1, extname, dirname as dirname$1, join as join$1, sep as sep$1, normalize as normalize$1 } from 'path';
 import esbuild, { transform as transform$1, formatMessages, build as build$3 } from 'esbuild';
-import { CLIENT_ENTRY, OPTIMIZABLE_ENTRY_RE, wildcardHosts, loopbackHosts, FS_PREFIX, CLIENT_PUBLIC_PATH, ENV_PUBLIC_PATH, DEFAULT_ASSETS_INLINE_LIMIT, CSS_LANGS_RE, ESBUILD_MODULES_TARGET, SPECIAL_QUERY_RE, ENV_ENTRY, DEP_VERSION_RE, DEFAULT_MAIN_FIELDS, DEFAULT_EXTENSIONS, KNOWN_ASSET_TYPES, JS_TYPES_RE, METADATA_FILENAME, VITE_PACKAGE_DIR, DEFAULT_DEV_PORT, CLIENT_DIR, VERSION, DEFAULT_PREVIEW_PORT, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES } from '../constants.js';
+import { CLIENT_ENTRY, OPTIMIZABLE_ENTRY_RE, wildcardHosts, loopbackHosts, FS_PREFIX, CLIENT_PUBLIC_PATH, ENV_PUBLIC_PATH, DEFAULT_ASSETS_INLINE_LIMIT, CSS_LANGS_RE, ESBUILD_MODULES_TARGET, SPECIAL_QUERY_RE, ENV_ENTRY, DEP_VERSION_RE, DEFAULT_MAIN_FIELDS, DEFAULT_EXTENSIONS, KNOWN_ASSET_TYPES, JS_TYPES_RE, METADATA_FILENAME, VITE_PACKAGE_DIR, defaultAllowedOrigins, DEFAULT_DEV_PORT, CLIENT_DIR, VERSION, DEFAULT_PREVIEW_PORT, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES } from '../constants.js';
 import * as require$$0$2 from 'fs';
 import require$$0__default, { lstatSync, readdir as readdir$4, readdirSync, readlinkSync, realpathSync as realpathSync$1, existsSync, readFileSync, statSync as statSync$1 } from 'fs';
 import { EventEmitter as EventEmitter$4 } from 'node:events';
@@ -27,7 +28,6 @@ import require$$0$6 from 'stream';
 import require$$2 from 'os';
 import require$$2$1 from 'child_process';
 import os$5 from 'node:os';
-import { createHash as createHash$2 } from 'node:crypto';
 import { promises } from 'node:dns';
 import require$$3$1 from 'crypto';
 import require$$0$8, { createRequire as createRequire$2 } from 'module';
@@ -42,6 +42,7 @@ import zlib$1 from 'zlib';
 import require$$0$a from 'buffer';
 import require$$1$1 from 'https';
 import require$$4$2 from 'tls';
+import net$1 from 'node:net';
 import require$$4$3 from 'assert';
 import { gzip } from 'node:zlib';
 
@@ -16864,10 +16865,10 @@ function removeImportQuery(url) {
 function removeDirectQuery(url) {
   return url.replace(directRequestRE$1, "$1").replace(trailingSeparatorRE, "");
 }
-const urlRE = /(\?|&)url(?:&|$)/;
-const rawRE = /(\?|&)raw(?:&|$)/;
+const urlRE$1 = /(\?|&)url(?:&|$)/;
+const rawRE$1 = /(\?|&)raw(?:&|$)/;
 function removeUrlQuery(url) {
-  return url.replace(urlRE, "$1").replace(trailingSeparatorRE, "");
+  return url.replace(urlRE$1, "$1").replace(trailingSeparatorRE, "");
 }
 const replacePercentageRE = /%/g;
 function injectQuery(url, queryToInject) {
@@ -18221,13 +18222,35 @@ function isGlobMatch(filename, dir, patterns, allowJs) {
 		// filename must end with part of pattern that comes after last wildcard
 		let lastWildcardIndex = pattern.length;
 		let hasWildcard = false;
+		let hasExtension = false;
+		let hasSlash = false;
+		let lastSlashIndex = -1;
 		for (let i = pattern.length - 1; i > -1; i--) {
-			if (pattern[i] === '*' || pattern[i] === '?') {
-				lastWildcardIndex = i;
-				hasWildcard = true;
+			const c = pattern[i];
+			if (!hasWildcard) {
+				if (c === '*' || c === '?') {
+					lastWildcardIndex = i;
+					hasWildcard = true;
+				}
+			}
+			if (!hasSlash) {
+				if (c === '.') {
+					hasExtension = true;
+				} else if (c === '/') {
+					lastSlashIndex = i;
+					hasSlash = true;
+				}
+			}
+			if (hasWildcard && hasSlash) {
 				break;
 			}
 		}
+		if (!hasExtension && (!hasWildcard || lastWildcardIndex < lastSlashIndex)) {
+			// add implicit glob
+			pattern += `${pattern.endsWith('/') ? '' : '/'}${GLOB_ALL_PATTERN}`;
+			lastWildcardIndex = pattern.length - 1;
+			hasWildcard = true;
+		}
 
 		// if pattern does not end with wildcard, filename must end with pattern after last wildcard
 		if (
@@ -18265,11 +18288,18 @@ function isGlobMatch(filename, dir, patterns, allowJs) {
 			return false;
 		}
 
-		// if no wildcard in pattern, filename must be equal to resolved pattern
 		if (!hasWildcard) {
+			//  no wildcard in pattern, filename must be equal to resolved pattern
 			return filename === resolvedPattern;
+		} else if (
+			firstWildcardIndex + GLOB_ALL_PATTERN.length ===
+				resolvedPattern.length - (pattern.length - 1 - lastWildcardIndex) &&
+			resolvedPattern.slice(firstWildcardIndex, firstWildcardIndex + GLOB_ALL_PATTERN.length) ===
+				GLOB_ALL_PATTERN
+		) {
+			// singular glob-all pattern and we already validated prefix and suffix matches
+			return true;
 		}
-
 		// complex pattern, use regex to check it
 		if (PATTERN_REGEX_CACHE.has(resolvedPattern)) {
 			return PATTERN_REGEX_CACHE.get(resolvedPattern).test(filename);
@@ -20272,7 +20302,7 @@ function assetPlugin(config) {
       moduleGraph = server.moduleGraph;
     },
     resolveId(id) {
-      if (!config.assetsInclude(cleanUrl(id)) && !urlRE.test(id)) {
+      if (!config.assetsInclude(cleanUrl(id)) && !urlRE$1.test(id)) {
         return;
       }
       const publicFile = checkPublicFile(id, config);
@@ -20284,14 +20314,14 @@ function assetPlugin(config) {
       if (id[0] === "\0") {
         return;
       }
-      if (rawRE.test(id)) {
+      if (rawRE$1.test(id)) {
         const file = checkPublicFile(id, config) || cleanUrl(id);
         this.addWatchFile(file);
         return `export default ${JSON.stringify(
           await fsp.readFile(file, "utf-8")
         )}`;
       }
-      if (!urlRE.test(id) && !config.assetsInclude(cleanUrl(id))) {
+      if (!urlRE$1.test(id) && !config.assetsInclude(cleanUrl(id))) {
         return;
       }
       id = removeUrlQuery(id);
@@ -20605,7 +20635,7 @@ function dataURIPlugin() {
       resolved = /* @__PURE__ */ new Map();
     },
     resolveId(id) {
-      if (!dataUriRE.test(id)) {
+      if (!id.trimStart().startsWith("data:")) {
         return;
       }
       const uri = new URL$3(id);
@@ -36032,7 +36062,7 @@ const directRequestRE = /[?&]direct\b/;
 const htmlProxyRE = /[?&]html-proxy\b/;
 const htmlProxyIndexRE = /&index=(\d+)/;
 const commonjsProxyRE = /\?commonjs-proxy/;
-const inlineRE$1 = /[?&]inline\b/;
+const inlineRE$2 = /[?&]inline\b/;
 const inlineCSSRE = /[?&]inline-css\b/;
 const styleAttrRE = /[?&]style-attr\b/;
 const functionCallRE = /^[A-Z_][\w-]*\(/i;
@@ -36081,7 +36111,7 @@ function cssPlugin(config) {
     },
     async load(id) {
       if (!isCSSRequest(id)) return;
-      if (urlRE.test(id)) {
+      if (urlRE$1.test(id)) {
         if (isModuleCSSRequest(id)) {
           throw new Error(
             `?url is not supported with CSS modules. (tried to import ${JSON.stringify(
@@ -36215,7 +36245,7 @@ function cssPostPlugin(config) {
         );
         return `export default ''`;
       }
-      const inlined = inlineRE$1.test(id);
+      const inlined = inlineRE$2.test(id);
       const modules = cssModulesCache.get(config).get(id);
       const modulesCode = modules && !inlined && dataToEsm(modules, { namedExports: true, preferConst: true });
       if (config.command === "serve") {
@@ -36564,6 +36594,14 @@ function cssPostPlugin(config) {
           delete bundle[`${fileName}.map`];
         });
       }
+      const cssAssets = Object.values(bundle).filter(
+        (asset) => asset.type === "asset" && asset.fileName.endsWith(".css")
+      );
+      for (const cssAsset of cssAssets) {
+        if (typeof cssAsset.source === "string") {
+          cssAsset.source = cssAsset.source.replace(viteHashUpdateMarkerRE, "");
+        }
+      }
     }
   };
 }
@@ -36582,7 +36620,7 @@ function cssAnalysisPlugin(config) {
       const { moduleGraph } = server;
       const thisModule = moduleGraph.getModuleById(id);
       if (thisModule) {
-        const isSelfAccepting = !cssModulesCache.get(config)?.get(id) && !inlineRE$1.test(id) && !htmlProxyRE.test(id);
+        const isSelfAccepting = !cssModulesCache.get(config)?.get(id) && !inlineRE$2.test(id) && !htmlProxyRE.test(id);
         const pluginImports = this._addedImports;
         if (pluginImports) {
           const depModules = /* @__PURE__ */ new Set();
@@ -36953,8 +36991,8 @@ function createCachedImport(imp) {
     return cached;
   };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-CxMW8ntG.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-Due-rusG.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-75Pw0qnz.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-nOVVHa2_.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 const preprocessorWorkerControllerCache = /* @__PURE__ */ new WeakMap();
 let alwaysFakeWorkerWorkerControllerCache;
@@ -36992,6 +37030,8 @@ function combineSourcemapsIfExists(filename, map1, map2) {
     map2
   ]) : map1;
 }
+const viteHashUpdateMarker = "/*$vite$:1*/";
+const viteHashUpdateMarkerRE = /\/\*\$vite\$:\d+\*\//;
 async function finalizeCss(css, minify, config) {
   if (css.includes("@import") || css.includes("@charset")) {
     css = await hoistAtRules(css);
@@ -36999,6 +37039,7 @@ async function finalizeCss(css, minify, config) {
   if (config.build.cssMinify) {
     css = await minifyCSS(css, config, false);
   }
+  css += viteHashUpdateMarker;
   return css;
 }
 async function resolvePostcssConfig(config) {
@@ -37416,7 +37457,7 @@ const makeModernScssWorker = (resolvers, alias, maxWorkers) => {
             fileURLToPath2(canonicalUrl),
             options.filename
           );
-          return { contents, syntax };
+          return { contents, syntax, sourceMapUrl: canonicalUrl };
         }
       };
       sassOptions.importers = [
@@ -37446,11 +37487,12 @@ const makeModernScssWorker = (resolvers, alias, maxWorkers) => {
   return worker;
 };
 const makeModernCompilerScssWorker = (resolvers, alias, _maxWorkers) => {
-  let compiler;
+  let compilerPromise;
   const worker = {
     async run(sassPath, data, options) {
       const sass = (await import(pathToFileURL(sassPath).href)).default;
-      compiler ??= await sass.initAsyncCompiler();
+      compilerPromise ??= sass.initAsyncCompiler();
+      const compiler = await compilerPromise;
       const sassOptions = { ...options };
       sassOptions.url = pathToFileURL(options.filename);
       sassOptions.sourceMap = options.enableSourcemap;
@@ -37476,7 +37518,7 @@ const makeModernCompilerScssWorker = (resolvers, alias, _maxWorkers) => {
             resolvers.sass
           );
           const contents = result2.contents ?? await fsp.readFile(result2.file, "utf-8");
-          return { contents, syntax };
+          return { contents, syntax, sourceMapUrl: canonicalUrl };
         }
       };
       sassOptions.importers = [
@@ -37493,8 +37535,8 @@ const makeModernCompilerScssWorker = (resolvers, alias, _maxWorkers) => {
       };
     },
     async stop() {
-      compiler?.dispose();
-      compiler = void 0;
+      (await compilerPromise)?.dispose();
+      compilerPromise = void 0;
     }
   };
   return worker;
@@ -37962,7 +38004,10 @@ async function compileLightningCSS(id, src, config, urlReplacer) {
         }
         deps.add(dep.url);
         if (urlReplacer) {
-          const replaceUrl = await urlReplacer(dep.url, dep.loc.filePath);
+          const replaceUrl = await urlReplacer(
+            dep.url,
+            toAbsolute(dep.loc.filePath)
+          );
           css = css.replace(dep.placeholder, () => replaceUrl);
         } else {
           css = css.replace(dep.placeholder, () => dep.url);
@@ -45061,14 +45106,21 @@ var linux = {
   codium: 'codium',
   emacs: 'emacs',
   gvim: 'gvim',
+  idea: 'idea',
   'idea.sh': 'idea',
+  phpstorm: 'phpstorm',
   'phpstorm.sh': 'phpstorm',
+  pycharm: 'pycharm',
   'pycharm.sh': 'pycharm',
+  rubymine: 'rubymine',
   'rubymine.sh': 'rubymine',
   sublime_text: 'subl',
   vim: 'vim',
+  webstorm: 'webstorm',
   'webstorm.sh': 'webstorm',
+  goland: 'goland',
   'goland.sh': 'goland',
+  rider: 'rider',
   'rider.sh': 'rider'
 };
 
@@ -45378,36 +45430,6 @@ function launchEditor (file, specifiedEditor, onErrorCallback) {
     fileName = path$5.relative('', fileName);
   }
 
-  // cmd.exe on Windows is vulnerable to RCE attacks given a file name of the
-  // form "C:\Users\myusername\Downloads\& curl 172.21.93.52". Use a safe file
-  // name pattern to validate user-provided file names. This doesn't cover the
-  // entire range of valid file names but should cover almost all of them in practice.
-  // (Backport of
-  // https://github.com/facebook/create-react-app/pull/4866
-  // and
-  // https://github.com/facebook/create-react-app/pull/5431)
-
-  // Allows alphanumeric characters, periods, dashes, slashes, underscores, plus and space.
-  const WINDOWS_CMD_SAFE_FILE_NAME_PATTERN = /^([A-Za-z]:[/\\])?[\p{L}0-9/.\-\\_+ ]+$/u;
-  if (
-    process.platform === 'win32' &&
-    !WINDOWS_CMD_SAFE_FILE_NAME_PATTERN.test(fileName.trim())
-  ) {
-    console.log();
-    console.log(
-      colors.red('Could not open ' + path$5.basename(fileName) + ' in the editor.')
-    );
-    console.log();
-    console.log(
-      'When running on Windows, file names are checked against a safe file name ' +
-        'pattern to protect against remote code execution attacks. File names ' +
-        'may consist only of alphanumeric characters (all languages), periods, ' +
-        'dashes, slashes, and underscores.'
-    );
-    console.log();
-    return
-  }
-
   if (lineNumber) {
     const extraArgs = getArgumentsForPosition(editor, fileName, lineNumber, columnNumber);
     args.push.apply(args, extraArgs);
@@ -45423,13 +45445,55 @@ function launchEditor (file, specifiedEditor, onErrorCallback) {
   }
 
   if (process.platform === 'win32') {
-    // On Windows, launch the editor in a shell because spawn can only
-    // launch .exe files.
-    _childProcess = childProcess$1.spawn(
-      'cmd.exe',
-      ['/C', editor].concat(args),
-      { stdio: 'inherit' }
-    );
+    // On Windows, we need to use `exec` with the `shell: true` option,
+    // and some more sanitization is required.
+
+    // However, CMD.exe on Windows is vulnerable to RCE attacks given a file name of the
+    // form "C:\Users\myusername\Downloads\& curl 172.21.93.52".
+    // `create-react-app` used a safe file name pattern to validate user-provided file names:
+    // - https://github.com/facebook/create-react-app/pull/4866
+    // - https://github.com/facebook/create-react-app/pull/5431
+    // But that's not a viable solution for this package because
+    // it's depended on by so many meta frameworks that heavily rely on
+    // special characters in file names for filesystem-based routing.
+    // We need to at least:
+    // - Support `+` because it's used in SvelteKit and Vike
+    // - Support `$` because it's used in Remix
+    // - Support `(` and `)` because they are used in Analog, SolidStart, and Vike
+    // - Support `@` because it's used in Vike
+    // - Support `[` and `]` because they are widely used for [slug]
+    // So here we choose to use `^` to escape special characters instead.
+
+    // According to https://ss64.com/nt/syntax-esc.html,
+    // we can use `^` to escape `&`, `<`, `>`, `|`, `%`, and `^`
+    // I'm not sure if we have to escape all of these, but let's do it anyway
+    function escapeCmdArgs (cmdArgs) {
+      return cmdArgs.replace(/([&|<>,;=^])/g, '^$1')
+    }
+
+    // Need to double quote the editor path in case it contains spaces;
+    // If the fileName contains spaces, we also need to double quote it in the arguments
+    // However, there's a case that it's concatenated with line number and column number
+    // which is separated by `:`. We need to double quote the whole string in this case.
+    // Also, if the string contains the escape character `^`, it needs to be quoted, too.
+    function doubleQuoteIfNeeded(str) {
+      if (str.includes('^')) {
+        // If a string includes an escaped character, not only does it need to be quoted,
+        // but the quotes need to be escaped too.
+        return `^"${str}^"`
+      } else if (str.includes(' ')) {
+        return `"${str}"`
+      } 
+      return str
+    }
+    const launchCommand = [editor, ...args.map(escapeCmdArgs)]
+      .map(doubleQuoteIfNeeded)
+      .join(' ');
+
+    _childProcess = childProcess$1.exec(launchCommand, {
+      stdio: 'inherit',
+      shell: true
+    });
   } else {
     _childProcess = childProcess$1.spawn(editor, args, { stdio: 'inherit' });
   }
@@ -45553,7 +45617,7 @@ function setClientErrorHandler(server, logger) {
       msg = "431 Request Header Fields Too Large";
       logger.warn(
         colors$1.yellow(
-          "Server responded with status code 431. See https://vitejs.dev/guide/troubleshooting.html#_431-request-header-fields-too-large."
+          "Server responded with status code 431. See https://vite.dev/guide/troubleshooting.html#_431-request-header-fields-too-large."
         )
       );
     }
@@ -46168,7 +46232,7 @@ function resolvePlugin(resolveOptions) {
               );
             } else if (isProduction) {
               this.warn(
-                `Module "${id}" has been externalized for browser compatibility, imported by "${importer}". See https://vitejs.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.`
+                `Module "${id}" has been externalized for browser compatibility, imported by "${importer}". See https://vite.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.`
               );
             }
             return isProduction ? browserExternalId : `${browserExternalId}:${id}`;
@@ -46185,7 +46249,7 @@ function resolvePlugin(resolveOptions) {
           id = id.slice(browserExternalId.length + 1);
           return `export default new Proxy({}, {
   get(_, key) {
-    throw new Error(\`Module "${id}" has been externalized for browser compatibility. Cannot access "${id}.\${key}" in client code.  See https://vitejs.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.\`)
+    throw new Error(\`Module "${id}" has been externalized for browser compatibility. Cannot access "${id}.\${key}" in client code.  See https://vite.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.\`)
   }
 })`;
         }
@@ -46924,7 +46988,7 @@ function esbuildDepPlugin(qualified, external, config, ssr) {
       key !== 'constructor' &&
       key !== 'splice'
     ) {
-      console.warn(\`Module "${path2}" has been externalized for browser compatibility. Cannot access "${path2}.\${key}" in client code. See https://vitejs.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.\`)
+      console.warn(\`Module "${path2}" has been externalized for browser compatibility. Cannot access "${path2}.\${key}" in client code. See https://vite.dev/guide/troubleshooting.html#module-externalized-for-browser-compatibility for more details.\`)
     }
   }
 }))`
@@ -47433,8 +47497,9 @@ function clientInjectionsPlugin(config) {
       const hmrTimeoutReplacement = escapeReplacement(timeout);
       const hmrEnableOverlayReplacement = escapeReplacement(overlay);
       const hmrConfigNameReplacement = escapeReplacement(hmrConfigName);
+      const wsTokenReplacement = escapeReplacement(config.webSocketToken);
       injectConfigValues = (code) => {
-        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__DEFINES__`, definesReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement);
+        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__DEFINES__`, definesReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement).replace(`__WS_TOKEN__`, wsTokenReplacement);
       };
     },
     async transform(code, id, options) {
@@ -47462,6 +47527,7 @@ function escapeReplacement(value) {
 }
 
 const wasmHelperId = "\0vite/wasm-helper.js";
+const wasmInitRE = /(?<![?#].*)\.wasm\?init/;
 const wasmHelper = async (opts = {}, url) => {
   let result;
   if (url.startsWith("data:")) {
@@ -47506,7 +47572,7 @@ const wasmHelperPlugin = (config) => {
       if (id === wasmHelperId) {
         return `export default ${wasmHelperCode}`;
       }
-      if (!id.endsWith(".wasm?init")) {
+      if (!wasmInitRE.test(id)) {
         return;
       }
       const url = await fileToUrl$1(id, config, this);
@@ -47525,7 +47591,7 @@ const wasmFallbackPlugin = () => {
         return;
       }
       throw new Error(
-        '"ESM integration proposal for Wasm" is not supported currently. Use vite-plugin-wasm or other community plugins to handle this. Alternatively, you can use `.wasm?init` or `.wasm?url`. See https://vitejs.dev/guide/features.html#webassembly for more details.'
+        '"ESM integration proposal for Wasm" is not supported currently. Use vite-plugin-wasm or other community plugins to handle this. Alternatively, you can use `.wasm?init` or `.wasm?url`. See https://vite.dev/guide/features.html#webassembly for more details.'
       );
     }
   };
@@ -47533,7 +47599,7 @@ const wasmFallbackPlugin = () => {
 
 const workerOrSharedWorkerRE = /(?:\?|&)(worker|sharedworker)(?:&|$)/;
 const workerFileRE = /(?:\?|&)worker_file&type=(\w+)(?:&|$)/;
-const inlineRE = /[?&]inline\b/;
+const inlineRE$1 = /[?&]inline\b/;
 const WORKER_FILE_ID = "worker_file";
 const workerCache = /* @__PURE__ */ new WeakMap();
 function saveEmitWorkerAsset(config, asset) {
@@ -47731,7 +47797,7 @@ function webWorkerPlugin(config) {
       if (isBuild) {
         if (isWorker && config.bundleChain.at(-1) === cleanUrl(id)) {
           urlCode = "self.location.href";
-        } else if (inlineRE.test(id)) {
+        } else if (inlineRE$1.test(id)) {
           const chunk = await bundleWorkerEntry(config, id);
           const encodedJs = `const encodedJs = "${Buffer.from(
             chunk.code
@@ -47786,7 +47852,7 @@ function webWorkerPlugin(config) {
         url = injectQuery(url, `${WORKER_FILE_ID}&type=${workerType}`);
         urlCode = JSON.stringify(url);
       }
-      if (urlRE.test(id)) {
+      if (urlRE$1.test(id)) {
         return {
           code: `export default ${urlCode}`,
           map: { mappings: "" }
@@ -48423,7 +48489,7 @@ function parseDynamicImportPattern(strings) {
   let globParams = null;
   if (search) {
     search = "?" + search;
-    if (workerOrSharedWorkerRE.test(search) || urlRE.test(search) || rawRE.test(search)) {
+    if (workerOrSharedWorkerRE.test(search) || urlRE$1.test(search) || rawRE$1.test(search)) {
       globParams = {
         query: search,
         import: "*"
@@ -51575,7 +51641,7 @@ function servePublicMiddleware(server, publicFiles) {
   };
   return function viteServePublicMiddleware(req, res, next) {
     if (publicFiles && !publicFiles.has(toFilePath(req.url)) || isImportRequest(req.url) || isInternalRequest(req.url) || // for `/public-file.js?url` to be transformed
-    urlRE.test(req.url)) {
+    urlRE$1.test(req.url)) {
       return next();
     }
     serve(req, res, next);
@@ -51671,7 +51737,7 @@ function ensureServingAccess(url, server, res, next) {
     const hintMessage = `
 ${server.config.server.fs.allow.map((i) => `- ${i}`).join("\n")}
 
-Refer to docs https://vitejs.dev/config/server-options.html#server-fs-allow for configurations and more details.`;
+Refer to docs https://vite.dev/config/server-options.html#server-fs-allow for configurations and more details.`;
     server.config.logger.error(urlMessage);
     server.config.logger.warnOnce(hintMessage + "\n");
     res.statusCode = 403;
@@ -51699,6 +51765,7 @@ function renderRestrictedErrorHTML(msg) {
 
 const ERR_LOAD_URL = "ERR_LOAD_URL";
 const ERR_LOAD_PUBLIC_URL = "ERR_LOAD_PUBLIC_URL";
+const ERR_DENIED_ID = "ERR_DENIED_ID";
 const debugLoad = createDebugger("vite:load");
 const debugTransform = createDebugger("vite:transform");
 const debugCache$1 = createDebugger("vite:cache");
@@ -51800,6 +51867,11 @@ async function loadAndTransform(id, url, server, options, timestamp, mod, resolv
   const prettyUrl = debugLoad || debugTransform ? prettifyUrl(url, config.root) : "";
   const ssr = !!options.ssr;
   const file = cleanUrl(id);
+  if (options.allowId && !options.allowId(id)) {
+    const err = new Error(`Denied ID ${id}`);
+    err.code = ERR_DENIED_ID;
+    throw err;
+  }
   let code = null;
   let map = null;
   const loadStart = debugLoad ? performance$1.now() : 0;
@@ -52512,18 +52584,13 @@ Object.defineProperty(${ssrModuleExportsKey}, "default", { enumerable: true, con
     }
   });
   let map = s.generateMap({ hires: "boundary" });
+  map.sources = [path$n.basename(url)];
+  map.sourcesContent = [originalCode];
   if (inMap && inMap.mappings && "sources" in inMap && inMap.sources.length > 0) {
     map = combineSourcemaps(url, [
-      {
-        ...map,
-        sources: inMap.sources,
-        sourcesContent: inMap.sourcesContent
-      },
+      map,
       inMap
     ]);
-  } else {
-    map.sources = [path$n.basename(url)];
-    map.sourcesContent = [originalCode];
   }
   return {
     code: s.toString(),
@@ -59117,6 +59184,107 @@ function abortHandshakeOrEmitwsClientError(server, req, socket, code, message) {
 
 var WebSocketServerRaw_ = /*@__PURE__*/getDefaultExportFromCjs(websocketServer);
 
+const allowedHostsServerCache = /* @__PURE__ */ new WeakMap();
+const allowedHostsPreviewCache = /* @__PURE__ */ new WeakMap();
+const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i;
+function getAdditionalAllowedHosts(resolvedServerOptions, resolvedPreviewOptions) {
+  const list = [];
+  if (typeof resolvedServerOptions.host === "string" && resolvedServerOptions.host) {
+    list.push(resolvedServerOptions.host);
+  }
+  if (typeof resolvedServerOptions.hmr === "object" && resolvedServerOptions.hmr.host) {
+    list.push(resolvedServerOptions.hmr.host);
+  }
+  if (typeof resolvedPreviewOptions.host === "string" && resolvedPreviewOptions.host) {
+    list.push(resolvedPreviewOptions.host);
+  }
+  if (resolvedServerOptions.origin) {
+    try {
+      const serverOriginUrl = new URL(resolvedServerOptions.origin);
+      list.push(serverOriginUrl.hostname);
+    } catch {
+    }
+  }
+  return list;
+}
+function isHostAllowedWithoutCache(allowedHosts, additionalAllowedHosts, host) {
+  if (isFileOrExtensionProtocolRE.test(host)) {
+    return true;
+  }
+  const trimmedHost = host.trim();
+  if (trimmedHost[0] === "[") {
+    const endIpv6 = trimmedHost.indexOf("]");
+    if (endIpv6 < 0) {
+      return false;
+    }
+    return net$1.isIP(trimmedHost.slice(1, endIpv6)) === 6;
+  }
+  const colonPos = trimmedHost.indexOf(":");
+  const hostname = colonPos === -1 ? trimmedHost : trimmedHost.slice(0, colonPos);
+  if (net$1.isIP(hostname) === 4) {
+    return true;
+  }
+  if (hostname === "localhost" || hostname.endsWith(".localhost")) {
+    return true;
+  }
+  for (const additionalAllowedHost of additionalAllowedHosts) {
+    if (additionalAllowedHost === hostname) {
+      return true;
+    }
+  }
+  for (const allowedHost of allowedHosts) {
+    if (allowedHost === hostname) {
+      return true;
+    }
+    if (allowedHost[0] === "." && (allowedHost.slice(1) === hostname || hostname.endsWith(allowedHost))) {
+      return true;
+    }
+  }
+  return false;
+}
+function isHostAllowed(config, isPreview, host) {
+  const allowedHosts = isPreview ? config.preview.allowedHosts : config.server.allowedHosts;
+  if (allowedHosts === true) {
+    return true;
+  }
+  const cache = isPreview ? allowedHostsPreviewCache : allowedHostsServerCache;
+  if (!cache.has(config)) {
+    cache.set(config, /* @__PURE__ */ new Set());
+  }
+  const cachedAllowedHosts = cache.get(config);
+  if (cachedAllowedHosts.has(host)) {
+    return true;
+  }
+  const result = isHostAllowedWithoutCache(
+    allowedHosts ?? [],
+    config.additionalAllowedHosts,
+    host
+  );
+  if (result) {
+    cachedAllowedHosts.add(host);
+  }
+  return result;
+}
+function hostCheckMiddleware(config, isPreview) {
+  return function viteHostCheckMiddleware(req, res, next) {
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, isPreview, hostHeader)) {
+      const hostname = hostHeader?.replace(/:\d+$/, "");
+      const hostnameWithQuotes = JSON.stringify(hostname);
+      const optionName = `${isPreview ? "preview" : "server"}.allowedHosts`;
+      res.writeHead(403, {
+        "Content-Type": "text/plain"
+      });
+      res.end(
+        `Blocked request. This host (${hostnameWithQuotes}) is not allowed.
+To allow this host, add ${hostnameWithQuotes} to \`${optionName}\` in vite.config.js.`
+      );
+      return;
+    }
+    return next();
+  };
+}
+
 const WebSocketServerRaw = process.versions.bun ? (
   // @ts-expect-error: Bun defines `import.meta.require`
   import.meta.require("ws").WebSocketServer
@@ -59131,6 +59299,19 @@ const wsServerEvents = [
 ];
 function noop$1() {
 }
+function hasValidToken(config, url) {
+  const token = url.searchParams.get("token");
+  if (!token) return false;
+  try {
+    const isValidToken = crypto$2.timingSafeEqual(
+      Buffer.from(token),
+      Buffer.from(config.webSocketToken)
+    );
+    return isValidToken;
+  } catch {
+  }
+  return false;
+}
 function createWebSocketServer(server, config, httpsOptions) {
   if (config.server.ws === false) {
     return {
@@ -59146,7 +59327,6 @@ function createWebSocketServer(server, config, httpsOptions) {
       send: noop$1
     };
   }
-  let wss;
   let wsHttpServer = void 0;
   const hmr = isObject$1(config.server.hmr) && config.server.hmr;
   const hmrServer = hmr && hmr.server;
@@ -59158,18 +59338,37 @@ function createWebSocketServer(server, config, httpsOptions) {
   const clientsMap = /* @__PURE__ */ new WeakMap();
   const port = hmrPort || 24678;
   const host = hmr && hmr.host || void 0;
+  const shouldHandle = (req) => {
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, false, hostHeader)) {
+      return false;
+    }
+    if (config.legacy?.skipWebSocketTokenCheck) {
+      return true;
+    }
+    if (req.headers.origin) {
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      return hasValidToken(config, parsedUrl);
+    }
+    return true;
+  };
+  const handleUpgrade = (req, socket, head, _isPing) => {
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      wss.emit("connection", ws, req);
+    });
+  };
+  const wss = new WebSocketServerRaw({ noServer: true });
+  wss.shouldHandle = shouldHandle;
   if (wsServer) {
     let hmrBase = config.base;
     const hmrPath = hmr ? hmr.path : void 0;
     if (hmrPath) {
       hmrBase = path$n.posix.join(hmrBase, hmrPath);
     }
-    wss = new WebSocketServerRaw({ noServer: true });
     hmrServerWsListener = (req, socket, head) => {
-      if (req.headers["sec-websocket-protocol"] === HMR_HEADER && req.url === hmrBase) {
-        wss.handleUpgrade(req, socket, head, (ws) => {
-          wss.emit("connection", ws, req);
-        });
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      if (req.headers["sec-websocket-protocol"] === HMR_HEADER && parsedUrl.pathname === hmrBase) {
+        handleUpgrade(req, socket, head);
       }
     };
     wsServer.on("upgrade", hmrServerWsListener);
@@ -59190,7 +59389,23 @@ function createWebSocketServer(server, config, httpsOptions) {
     } else {
       wsHttpServer = createServer$3(route);
     }
-    wss = new WebSocketServerRaw({ server: wsHttpServer });
+    wsHttpServer.on("upgrade", (req, socket, head) => {
+      handleUpgrade(req, socket, head);
+    });
+    wsHttpServer.on("error", (e) => {
+      if (e.code === "EADDRINUSE") {
+        config.logger.error(
+          colors$1.red(`WebSocket server error: Port is already in use`),
+          { error: e }
+        );
+      } else {
+        config.logger.error(
+          colors$1.red(`WebSocket server error:
+${e.stack || e.message}`),
+          { error: e }
+        );
+      }
+    });
   }
   wss.on("connection", (socket) => {
     socket.on("message", (raw) => {
@@ -61720,6 +61935,14 @@ function send(req, res, content, type, options) {
 
 const debugCache = createDebugger("vite:cache");
 const knownIgnoreList = /* @__PURE__ */ new Set(["/", "/favicon.ico"]);
+const trailingQuerySeparatorsRE = /[?&]+$/;
+const urlRE = /[?&]url\b/;
+const rawRE = /[?&]raw\b/;
+const inlineRE = /[?&]inline\b/;
+const svgRE = /\.svg\b/;
+function deniedServingAccessForTransform(url, server, res, next) {
+  return (rawRE.test(url) || urlRE.test(url) || inlineRE.test(url) || svgRE.test(url)) && !ensureServingAccess(url, server, res, next);
+}
 function cachedTransformMiddleware(server) {
   return function viteCachedTransformMiddleware(req, res, next) {
     const ifNoneMatch = req.headers["if-none-match"];
@@ -61803,7 +62026,16 @@ function transformMiddleware(server) {
       if (publicDirInRoot && url.startsWith(publicPath)) {
         warnAboutExplicitPublicPathInUrl(url);
       }
-      if ((rawRE.test(url) || urlRE.test(url)) && !ensureServingAccess(url, server, res, next)) {
+      const urlWithoutTrailingQuerySeparators = url.replace(
+        trailingQuerySeparatorsRE,
+        ""
+      );
+      if (deniedServingAccessForTransform(
+        urlWithoutTrailingQuerySeparators,
+        server,
+        res,
+        next
+      )) {
         return;
       }
       if (isJSRequest(url) || isImportRequest(url) || isCSSRequest(url) || isHTMLProxy(url)) {
@@ -61821,7 +62053,10 @@ function transformMiddleware(server) {
           }
         }
         const result = await transformRequest(url, server, {
-          html: req.headers.accept?.includes("text/html")
+          html: req.headers.accept?.includes("text/html"),
+          allowId(id) {
+            return !deniedServingAccessForTransform(id, server, res, next);
+          }
         });
         if (result) {
           const depsOptimizer = getDepsOptimizer(server.config, false);
@@ -61873,6 +62108,9 @@ function transformMiddleware(server) {
       if (e?.code === ERR_LOAD_URL) {
         return next();
       }
+      if (e?.code === ERR_DENIED_ID) {
+        return;
+      }
       return next(e);
     }
     next();
@@ -62374,7 +62612,7 @@ class ModuleGraph {
     mod.ssrError = null;
     mod.importers.forEach((importer) => {
       if (!importer.acceptedHmrDeps.has(mod)) {
-        const shouldSoftInvalidateImporter = importer.staticImportedUrls?.has(mod.url) || softInvalidate;
+        const shouldSoftInvalidateImporter = (importer.staticImportedUrls?.has(mod.url) || softInvalidate) && importer.type !== "css";
         this.invalidateModule(
           importer,
           seen,
@@ -62693,6 +62931,17 @@ function mapFiles(files, root) {
   });
 }
 
+function rejectInvalidRequestMiddleware() {
+  return function viteRejectInvalidRequestMiddleware(req, res, next) {
+    if (req.url?.includes("#")) {
+      res.writeHead(400);
+      res.end();
+      return;
+    }
+    return next();
+  };
+}
+
 function createServer(inlineConfig = {}) {
   return _createServer(inlineConfig, { hotListen: true });
 }
@@ -63024,9 +63273,18 @@ async function _createServer(inlineConfig = {}, options) {
   if (process.env.DEBUG) {
     middlewares.use(timeMiddleware(root));
   }
+  middlewares.use(rejectInvalidRequestMiddleware());
   const { cors } = serverConfig;
   if (cors !== false) {
-    middlewares.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
+    middlewares.use(
+      corsMiddleware(
+        typeof cors === "boolean" ? {} : cors ?? { origin: defaultAllowedOrigins }
+      )
+    );
+  }
+  const { allowedHosts } = serverConfig;
+  if (allowedHosts !== true && !serverConfig.https) {
+    middlewares.use(hostCheckMiddleware(config, false));
   }
   middlewares.use(cachedTransformMiddleware(server));
   const { proxy } = serverConfig;
@@ -64104,7 +64362,7 @@ function importAnalysisPlugin(config) {
             if (specifier === clientPublicPath) {
               return;
             }
-            if (specifier[0] === "/" && !(config.assetsInclude(cleanUrl(specifier)) || urlRE.test(specifier)) && checkPublicFile(specifier, config)) {
+            if (specifier[0] === "/" && !(config.assetsInclude(cleanUrl(specifier)) || urlRE$1.test(specifier)) && checkPublicFile(specifier, config)) {
               throw new Error(
                 `Cannot import non-asset file ${specifier} which is inside /public. JS/CSS files inside /public are copied as-is on build and can only be referenced via <script src> or <link href> in html. If you want to get the URL of that file, use ${injectQuery(
                   specifier,
@@ -64450,7 +64708,7 @@ function __vite__injectQuery(url, queryToInject) {
     return url;
   }
   const pathname = url.replace(/[?#].*$/, "");
-  const { search, hash } = new URL(url, "http://vitejs.dev");
+  const { search, hash } = new URL(url, "http://vite.dev");
   return `${pathname}?${queryToInject}${search ? `&` + search.slice(1) : ""}${hash || ""}`;
 }
 
@@ -65885,6 +66143,7 @@ function resolvePreviewOptions(preview2, server) {
     port: preview2?.port,
     strictPort: preview2?.strictPort ?? server.strictPort,
     host: preview2?.host ?? server.host,
+    allowedHosts: preview2?.allowedHosts ?? server.allowedHosts,
     https: preview2?.https ?? server.https,
     open: preview2?.open ?? server.open,
     proxy: preview2?.proxy ?? server.proxy,
@@ -65953,7 +66212,15 @@ async function preview(inlineConfig = {}) {
   }
   const { cors } = config.preview;
   if (cors !== false) {
-    app.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
+    app.use(
+      corsMiddleware(
+        typeof cors === "boolean" ? {} : cors ?? { origin: defaultAllowedOrigins }
+      )
+    );
+  }
+  const { allowedHosts } = config.preview;
+  if (allowedHosts !== true && !config.preview.https) {
+    app.use(hostCheckMiddleware(config, true));
   }
   const { proxy } = config.preview;
   if (proxy) {
@@ -66271,6 +66538,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     rollupOptions: config.worker?.rollupOptions || {}
   };
   const base = withTrailingSlash(resolvedBase);
+  const preview = resolvePreviewOptions(config.preview, server);
   resolved = {
     configFile: configFile ? normalizePath$3(configFile) : void 0,
     configFileDependencies: configFileDependencies.map(
@@ -66299,7 +66567,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     },
     server,
     build: resolvedBuildOptions,
-    preview: resolvePreviewOptions(config.preview, server),
+    preview,
     envDir,
     env: {
       ...userEnv,
@@ -66329,6 +66597,13 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
       hmrPartialAccept: false,
       ...config.experimental
     },
+    // random 72 bits (12 base64 chars)
+    // at least 64bits is recommended
+    // https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
+    webSocketToken: Buffer.from(
+      crypto$2.getRandomValues(new Uint8Array(9))
+    ).toString("base64url"),
+    additionalAllowedHosts: getAdditionalAllowedHosts(server, preview),
     getSortedPlugins: void 0,
     getSortedPluginHooks: void 0
   };
@@ -66430,7 +66705,7 @@ function resolveBaseUrl(base = "/", isBuild, logger) {
     );
   }
   if (!isBuild || !isExternal) {
-    base = new URL(base, "http://vitejs.dev").pathname;
+    base = new URL(base, "http://vite.dev").pathname;
     if (base[0] !== "/") {
       base = "/" + base;
     }
@@ -66468,7 +66743,7 @@ async function loadConfigFromFile(configEnv, configFile, configRoot = process.cw
     debug?.("no config file found.");
     return null;
   }
-  const isESM = isFilePathESM(resolvedPath);
+  const isESM = typeof process.versions.deno === "string" || isFilePathESM(resolvedPath);
   try {
     const bundled = await bundleConfigFile(resolvedPath, isESM);
     const userConfig = await loadConfigFromBundledFile(
@@ -66573,7 +66848,7 @@ async function bundleConfigFile(fileName, isESM) {
                     throw new Error(
                       `Failed to resolve ${JSON.stringify(
                         id
-                      )}. This package is ESM only but it was tried to load by \`require\`. See https://vitejs.dev/guide/troubleshooting.html#this-package-is-esm-only for more details.`
+                      )}. This package is ESM only but it was tried to load by \`require\`. See https://vite.dev/guide/troubleshooting.html#this-package-is-esm-only for more details.`
                     );
                   }
                 }
@@ -66586,7 +66861,7 @@ async function bundleConfigFile(fileName, isESM) {
                 throw new Error(
                   `${JSON.stringify(
                     id
-                  )} resolved to an ESM file. ESM file cannot be loaded by \`require\`. See https://vitejs.dev/guide/troubleshooting.html#this-package-is-esm-only for more details.`
+                  )} resolved to an ESM file. ESM file cannot be loaded by \`require\`. See https://vite.dev/guide/troubleshooting.html#this-package-is-esm-only for more details.`
                 );
               }
               return {