vite 6.0.8 → 6.0.9

package/dist/client/client.mjs

@@ -748,10 +748,14 @@ const socketHost = `${__HMR_HOSTNAME__ || importMetaUrl.hostname}:${hmrPort || i
 const directSocketHost = __HMR_DIRECT_TARGET__;
 const base = __BASE__ || "/";
 const hmrTimeout = __HMR_TIMEOUT__;
+const wsToken = __WS_TOKEN__;
 const transport = normalizeModuleRunnerTransport(
   (() => {
     let wsTransport = createWebSocketModuleRunnerTransport({
-      createConnection: () => new WebSocket(`${socketProtocol}://${socketHost}`, "vite-hmr"),
+      createConnection: () => new WebSocket(
+        `${socketProtocol}://${socketHost}?token=${wsToken}`,
+        "vite-hmr"
+      ),
       pingInterval: hmrTimeout
     });
     return {
@@ -762,7 +766,7 @@ const transport = normalizeModuleRunnerTransport(
           if (!hmrPort) {
             wsTransport = createWebSocketModuleRunnerTransport({
               createConnection: () => new WebSocket(
-                `${socketProtocol}://${directSocketHost}`,
+                `${socketProtocol}://${directSocketHost}?token=${wsToken}`,
                 "vite-hmr"
               ),
               pingInterval: hmrTimeout
@@ -912,7 +916,9 @@ async function handleMessage(payload) {
         if (hasDocument && !willUnload) {
           console.log(`[vite] server connection lost. Polling for restart...`);
           const socket = payload.data.webSocket;
-          await waitForSuccessfulPing(socket.url);
+          const url = new URL(socket.url);
+          url.search = "";
+          await waitForSuccessfulPing(url.href);
           location.reload();
         }
       }

package/dist/node/chunks/{dep-Beq30MX9.js → dep-BdTvomPN.js}

@@ -6,6 +6,7 @@ import require$$1$1, { fileURLToPath as fileURLToPath$1, URL as URL$3, pathToFil
 import { promisify as promisify$4, format as format$2, inspect, stripVTControlCharacters } from 'node:util';
 import { performance } from 'node:perf_hooks';
 import require$$0$6, { createRequire as createRequire$1, builtinModules } from 'node:module';
+import crypto$2 from 'node:crypto';
 import esbuild, { transform as transform$1, formatMessages, build as build$b } from 'esbuild';
 import { CLIENT_ENTRY, OPTIMIZABLE_ENTRY_RE, wildcardHosts, loopbackHosts, FS_PREFIX, CLIENT_PUBLIC_PATH, ENV_PUBLIC_PATH, DEFAULT_ASSETS_INLINE_LIMIT, ENV_ENTRY, DEP_VERSION_RE, SPECIAL_QUERY_RE, DEV_PROD_CONDITION, JS_TYPES_RE, KNOWN_ASSET_TYPES, CSS_LANGS_RE, METADATA_FILENAME, ESBUILD_MODULES_TARGET, ERR_OPTIMIZE_DEPS_PROCESSING_ERROR, ERR_FILE_NOT_FOUND_IN_OPTIMIZED_DEP_DIR, VITE_PACKAGE_DIR, DEFAULT_DEV_PORT, CLIENT_DIR, VERSION, ROLLUP_HOOKS, DEFAULT_PREVIEW_PORT, DEFAULT_ASSETS_RE, DEFAULT_CONFIG_FILES, DEFAULT_CLIENT_MAIN_FIELDS, DEFAULT_SERVER_MAIN_FIELDS, DEFAULT_CLIENT_CONDITIONS, DEFAULT_SERVER_CONDITIONS } from '../constants.js';
 import require$$0$2, { posix, win32, isAbsolute, resolve as resolve$3, relative as relative$1, basename as basename$1, extname, dirname as dirname$1, join, sep } from 'path';
@@ -23,7 +24,6 @@ import require$$0$8 from 'stream';
 import require$$2 from 'os';
 import require$$2$1 from 'child_process';
 import os$3 from 'node:os';
-import crypto$2 from 'node:crypto';
 import { promises } from 'node:dns';
 import { ModuleRunner, ESModulesEvaluator } from 'vite/module-runner';
 import { parseAstAsync, parseAst } from 'rollup/parseAst';
@@ -40,6 +40,7 @@ import zlib$1 from 'zlib';
 import require$$0$9 from 'buffer';
 import require$$1$3 from 'https';
 import require$$4$2 from 'tls';
+import net$1 from 'node:net';
 import require$$4$3 from 'assert';
 import * as qs from 'node:querystring';
 import { gzip } from 'node:zlib';
@@ -37669,6 +37670,100 @@ function abortHandshakeOrEmitwsClientError(server, req, socket, code, message) {
 
 var WebSocketServerRaw_ = /*@__PURE__*/getDefaultExportFromCjs(websocketServer);
 
+const allowedHostsCache = /* @__PURE__ */ new WeakMap();
+const isFileOrExtensionProtocolRE = /^(?:file|.+-extension):/i;
+function getAdditionalAllowedHosts(resolvedServerOptions, resolvedPreviewOptions) {
+  const list = [];
+  if (typeof resolvedServerOptions.host === "string" && resolvedServerOptions.host) {
+    list.push(resolvedServerOptions.host);
+  }
+  if (typeof resolvedServerOptions.hmr === "object" && resolvedServerOptions.hmr.host) {
+    list.push(resolvedServerOptions.hmr.host);
+  }
+  if (typeof resolvedPreviewOptions.host === "string" && resolvedPreviewOptions.host) {
+    list.push(resolvedPreviewOptions.host);
+  }
+  if (resolvedServerOptions.origin) {
+    const serverOriginUrl = new URL(resolvedServerOptions.origin);
+    list.push(serverOriginUrl.hostname);
+  }
+  return list;
+}
+function isHostAllowedWithoutCache(allowedHosts, additionalAllowedHosts, host) {
+  if (isFileOrExtensionProtocolRE.test(host)) {
+    return true;
+  }
+  const trimmedHost = host.trim();
+  if (trimmedHost[0] === "[") {
+    const endIpv6 = trimmedHost.indexOf("]");
+    if (endIpv6 < 0) {
+      return false;
+    }
+    return net$1.isIP(trimmedHost.slice(1, endIpv6)) === 6;
+  }
+  const colonPos = trimmedHost.indexOf(":");
+  const hostname = colonPos === -1 ? trimmedHost : trimmedHost.slice(0, colonPos);
+  if (net$1.isIP(hostname) === 4) {
+    return true;
+  }
+  if (hostname === "localhost" || hostname.endsWith(".localhost")) {
+    return true;
+  }
+  for (const additionalAllowedHost of additionalAllowedHosts) {
+    if (additionalAllowedHost === hostname) {
+      return true;
+    }
+  }
+  for (const allowedHost of allowedHosts) {
+    if (allowedHost === hostname) {
+      return true;
+    }
+    if (allowedHost[0] === "." && (allowedHost.slice(1) === hostname || hostname.endsWith(allowedHost))) {
+      return true;
+    }
+  }
+  return false;
+}
+function isHostAllowed(config, host) {
+  if (config.server.allowedHosts === true) {
+    return true;
+  }
+  if (!allowedHostsCache.has(config)) {
+    allowedHostsCache.set(config, /* @__PURE__ */ new Set());
+  }
+  const allowedHosts = allowedHostsCache.get(config);
+  if (allowedHosts.has(host)) {
+    return true;
+  }
+  const result = isHostAllowedWithoutCache(
+    config.server.allowedHosts,
+    config.additionalAllowedHosts,
+    host
+  );
+  if (result) {
+    allowedHosts.add(host);
+  }
+  return result;
+}
+function hostCheckMiddleware(config) {
+  return function viteHostCheckMiddleware(req, res, next) {
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+      const hostname = hostHeader?.replace(/:\d+$/, "");
+      const hostnameWithQuotes = JSON.stringify(hostname);
+      res.writeHead(403, {
+        "Content-Type": "text/plain"
+      });
+      res.end(
+        `Blocked request. This host (${hostnameWithQuotes}) is not allowed.
+To allow this host, add ${hostnameWithQuotes} to \`server.allowedHosts\` in vite.config.js.`
+      );
+      return;
+    }
+    return next();
+  };
+}
+
 const WebSocketServerRaw = process.versions.bun ? (
   // @ts-expect-error: Bun defines `import.meta.require`
   import.meta.require("ws").WebSocketServer
@@ -37684,6 +37779,19 @@ const wsServerEvents = [
 ];
 function noop$3() {
 }
+function hasValidToken(config, url) {
+  const token = url.searchParams.get("token");
+  if (!token) return false;
+  try {
+    const isValidToken = crypto$2.timingSafeEqual(
+      Buffer.from(token),
+      Buffer.from(config.webSocketToken)
+    );
+    return isValidToken;
+  } catch {
+  }
+  return false;
+}
 function createWebSocketServer(server, config, httpsOptions) {
   if (config.server.ws === false) {
     return {
@@ -37707,7 +37815,6 @@ function createWebSocketServer(server, config, httpsOptions) {
       send: noop$3
     };
   }
-  let wss;
   let wsHttpServer = undefined;
   const hmr = isObject$2(config.server.hmr) && config.server.hmr;
   const hmrServer = hmr && hmr.server;
@@ -37719,20 +37826,47 @@ function createWebSocketServer(server, config, httpsOptions) {
   const clientsMap = /* @__PURE__ */ new WeakMap();
   const port = hmrPort || 24678;
   const host = hmr && hmr.host || undefined;
+  const shouldHandle = (req) => {
+    const protocol = req.headers["sec-websocket-protocol"];
+    if (protocol === "vite-ping") return true;
+    const hostHeader = req.headers.host;
+    if (!hostHeader || !isHostAllowed(config, hostHeader)) {
+      return false;
+    }
+    if (config.legacy?.skipWebSocketTokenCheck) {
+      return true;
+    }
+    if (req.headers.origin) {
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      return hasValidToken(config, parsedUrl);
+    }
+    return true;
+  };
+  const handleUpgrade = (req, socket, head, isPing) => {
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      if (isPing) {
+        ws.close(
+          /* Normal Closure */
+          1e3
+        );
+        return;
+      }
+      wss.emit("connection", ws, req);
+    });
+  };
+  const wss = new WebSocketServerRaw({ noServer: true });
+  wss.shouldHandle = shouldHandle;
   if (wsServer) {
     let hmrBase = config.base;
     const hmrPath = hmr ? hmr.path : undefined;
     if (hmrPath) {
       hmrBase = path$d.posix.join(hmrBase, hmrPath);
     }
-    wss = new WebSocketServerRaw({ noServer: true });
     hmrServerWsListener = (req, socket, head) => {
-      if ([HMR_HEADER, "vite-ping"].includes(
-        req.headers["sec-websocket-protocol"]
-      ) && req.url === hmrBase) {
-        wss.handleUpgrade(req, socket, head, (ws) => {
-          wss.emit("connection", ws, req);
-        });
+      const protocol = req.headers["sec-websocket-protocol"];
+      const parsedUrl = new URL(`http://example.com${req.url}`);
+      if ([HMR_HEADER, "vite-ping"].includes(protocol) && parsedUrl.pathname === hmrBase) {
+        handleUpgrade(req, socket, head, protocol === "vite-ping");
       }
     };
     wsServer.on("upgrade", hmrServerWsListener);
@@ -37753,16 +37887,13 @@ function createWebSocketServer(server, config, httpsOptions) {
     } else {
       wsHttpServer = createServer$3(route);
     }
-    wss = new WebSocketServerRaw({ noServer: true });
     wsHttpServer.on("upgrade", (req, socket, head) => {
       const protocol = req.headers["sec-websocket-protocol"];
       if (protocol === "vite-ping" && server && !server.listening) {
         req.destroy();
         return;
       }
-      wss.handleUpgrade(req, socket, head, (ws) => {
-        wss.emit("connection", ws, req);
-      });
+      handleUpgrade(req, socket, head, protocol === "vite-ping");
     });
     wsHttpServer.on("error", (e) => {
       if (e.code === "EADDRINUSE") {
@@ -37780,9 +37911,6 @@ ${e.stack || e.message}`),
     });
   }
   wss.on("connection", (socket) => {
-    if (socket.protocol === "vite-ping") {
-      return;
-    }
     socket.on("message", (raw) => {
       if (!customListeners.size) return;
       let parsed;
@@ -43900,6 +44028,10 @@ async function _createServer(inlineConfig = {}, options) {
   if (cors !== false) {
     middlewares.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
   }
+  const { allowedHosts } = serverConfig;
+  if (allowedHosts !== true && !serverConfig.https) {
+    middlewares.use(hostCheckMiddleware(config));
+  }
   middlewares.use(cachedTransformMiddleware(server));
   const { proxy } = serverConfig;
   if (proxy) {
@@ -44020,10 +44152,11 @@ const serverConfigDefaults = Object.freeze({
   port: DEFAULT_DEV_PORT,
   strictPort: false,
   host: "localhost",
+  allowedHosts: [],
   https: undefined,
   open: false,
   proxy: undefined,
-  cors: true,
+  cors: false,
   headers: {},
   // hmr
   // ws
@@ -46190,8 +46323,9 @@ function clientInjectionsPlugin(config) {
       const hmrTimeoutReplacement = escapeReplacement(timeout);
       const hmrEnableOverlayReplacement = escapeReplacement(overlay);
       const hmrConfigNameReplacement = escapeReplacement(hmrConfigName);
+      const wsTokenReplacement = escapeReplacement(config.webSocketToken);
       injectConfigValues = (code) => {
-        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement);
+        return code.replace(`__MODE__`, modeReplacement).replace(/__BASE__/g, baseReplacement).replace(`__SERVER_HOST__`, serverHostReplacement).replace(`__HMR_PROTOCOL__`, hmrProtocolReplacement).replace(`__HMR_HOSTNAME__`, hmrHostnameReplacement).replace(`__HMR_PORT__`, hmrPortReplacement).replace(`__HMR_DIRECT_TARGET__`, hmrDirectTargetReplacement).replace(`__HMR_BASE__`, hmrBaseReplacement).replace(`__HMR_TIMEOUT__`, hmrTimeoutReplacement).replace(`__HMR_ENABLE_OVERLAY__`, hmrEnableOverlayReplacement).replace(`__HMR_CONFIG_NAME__`, hmrConfigNameReplacement).replace(`__WS_TOKEN__`, wsTokenReplacement);
       };
     },
     async transform(code, id, options) {
@@ -48738,8 +48872,8 @@ function createCachedImport(imp) {
     return cached;
   };
 }
-const importPostcssImport = createCachedImport(() => import('./dep-BthWCIj2.js').then(function (n) { return n.i; }));
-const importPostcssModules = createCachedImport(() => import('./dep-C-SVMOic.js').then(function (n) { return n.i; }));
+const importPostcssImport = createCachedImport(() => import('./dep-CgjxNdwk.js').then(function (n) { return n.i; }));
+const importPostcssModules = createCachedImport(() => import('./dep-BurZv_3i.js').then(function (n) { return n.i; }));
 const importPostcss = createCachedImport(() => import('postcss'));
 const preprocessorWorkerControllerCache = /* @__PURE__ */ new WeakMap();
 let alwaysFakeWorkerWorkerControllerCache;
@@ -52882,6 +53016,7 @@ function resolvePreviewOptions(preview2, server) {
     port: preview2?.port ?? DEFAULT_PREVIEW_PORT,
     strictPort: preview2?.strictPort ?? server.strictPort,
     host: preview2?.host ?? server.host,
+    allowedHosts: preview2?.allowedHosts ?? server.allowedHosts,
     https: preview2?.https ?? server.https,
     open: preview2?.open ?? server.open,
     proxy: preview2?.proxy ?? server.proxy,
@@ -52962,6 +53097,10 @@ async function preview(inlineConfig = {}) {
   if (cors !== false) {
     app.use(corsMiddleware(typeof cors === "boolean" ? {} : cors));
   }
+  const { allowedHosts } = config.preview;
+  if (allowedHosts !== true && !config.preview.https) {
+    app.use(hostCheckMiddleware(config));
+  }
   const { proxy } = config.preview;
   if (proxy) {
     app.use(proxyMiddleware(httpServer, proxy, config));
@@ -53122,7 +53261,8 @@ const configDefaults = Object.freeze({
     removeSsrLoadModule: undefined
   },
   legacy: {
-    proxySsrExternalModules: false
+    proxySsrExternalModules: false,
+    skipWebSocketTokenCheck: false
   },
   logLevel: "info",
   customLogger: undefined,
@@ -53567,6 +53707,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     rollupOptions: config.worker?.rollupOptions || {}
   };
   const base = withTrailingSlash(resolvedBase);
+  const preview = resolvePreviewOptions(config.preview, server);
   resolved = {
     configFile: configFile ? normalizePath$3(configFile) : undefined,
     configFileDependencies: configFileDependencies.map(
@@ -53595,7 +53736,7 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     },
     server,
     builder,
-    preview: resolvePreviewOptions(config.preview, server),
+    preview,
     envDir,
     env: {
       ...userEnv,
@@ -53623,6 +53764,12 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
     dev: resolvedDevEnvironmentOptions,
     build: resolvedBuildOptions,
     environments: resolvedEnvironments,
+    // random 72 bits (12 base64 chars)
+    // at least 64bits is recommended
+    // https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
+    webSocketToken: Buffer.from(
+      crypto$2.getRandomValues(new Uint8Array(9))
+    ).toString("base64url"),
     getSortedPlugins: undefined,
     getSortedPluginHooks: undefined,
     /**
@@ -53661,7 +53808,8 @@ async function resolveConfig(inlineConfig, command, defaultMode = "development",
         dot: true
       }
     ),
-    safeModulePaths: /* @__PURE__ */ new Set()
+    safeModulePaths: /* @__PURE__ */ new Set(),
+    additionalAllowedHosts: getAdditionalAllowedHosts(server, preview)
   };
   resolved = {
     ...config,

package/dist/node/chunks/{dep-C-SVMOic.js → dep-BurZv_3i.js}

@@ -1,4 +1,4 @@
-import { O as commonjsGlobal, N as getDefaultExportFromCjs } from './dep-Beq30MX9.js';
+import { O as commonjsGlobal, N as getDefaultExportFromCjs } from './dep-BdTvomPN.js';
 import require$$0$2 from 'fs';
 import require$$0 from 'postcss';
 import require$$0$1 from 'path';

package/dist/node/chunks/{dep-BthWCIj2.js → dep-CgjxNdwk.js}

@@ -1,4 +1,4 @@
-import { N as getDefaultExportFromCjs } from './dep-Beq30MX9.js';
+import { N as getDefaultExportFromCjs } from './dep-BdTvomPN.js';
 import require$$0 from 'path';
 import { l as lib } from './dep-3RmXg9uo.js';
 

package/dist/node/cli.js

@@ -2,12 +2,13 @@ import path from 'node:path';
 import fs__default from 'node:fs';
 import { performance } from 'node:perf_hooks';
 import { EventEmitter } from 'events';
-import { M as colors, G as createLogger, r as resolveConfig } from './chunks/dep-Beq30MX9.js';
+import { M as colors, G as createLogger, r as resolveConfig } from './chunks/dep-BdTvomPN.js';
 import { VERSION } from './constants.js';
 import 'node:fs/promises';
 import 'node:url';
 import 'node:util';
 import 'node:module';
+import 'node:crypto';
 import 'esbuild';
 import 'path';
 import 'fs';
@@ -23,7 +24,6 @@ import 'stream';
 import 'os';
 import 'child_process';
 import 'node:os';
-import 'node:crypto';
 import 'node:dns';
 import 'vite/module-runner';
 import 'rollup/parseAst';
@@ -40,6 +40,7 @@ import 'zlib';
 import 'buffer';
 import 'https';
 import 'tls';
+import 'node:net';
 import 'assert';
 import 'node:querystring';
 import 'node:zlib';
@@ -740,7 +741,7 @@ cli.command("[root]", "start dev server").alias("serve").alias("dev").option("--
   `[boolean] force the optimizer to ignore the cache and re-bundle`
 ).action(async (root, options) => {
   filterDuplicateOptions(options);
-  const { createServer } = await import('./chunks/dep-Beq30MX9.js').then(function (n) { return n.Q; });
+  const { createServer } = await import('./chunks/dep-BdTvomPN.js').then(function (n) { return n.Q; });
   try {
     const server = await createServer({
       root,
@@ -833,7 +834,7 @@ cli.command("build [root]", "build for production").option("--target <target>",
 ).option("-w, --watch", `[boolean] rebuilds when modules have changed on disk`).option("--app", `[boolean] same as \`builder: {}\``).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { createBuilder } = await import('./chunks/dep-Beq30MX9.js').then(function (n) { return n.R; });
+    const { createBuilder } = await import('./chunks/dep-BdTvomPN.js').then(function (n) { return n.R; });
     const buildOptions = cleanGlobalCLIOptions(
       cleanBuilderCLIOptions(options)
     );
@@ -868,7 +869,7 @@ cli.command("optimize [root]", "pre-bundle dependencies").option(
 ).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { optimizeDeps } = await import('./chunks/dep-Beq30MX9.js').then(function (n) { return n.P; });
+    const { optimizeDeps } = await import('./chunks/dep-BdTvomPN.js').then(function (n) { return n.P; });
     try {
       const config = await resolveConfig(
         {
@@ -894,7 +895,7 @@ ${e.stack}`),
 cli.command("preview [root]", "locally preview production build").option("--host [host]", `[string] specify hostname`, { type: [convertHost] }).option("--port <port>", `[number] specify port`).option("--strictPort", `[boolean] exit if specified port is already in use`).option("--open [path]", `[boolean | string] open browser on startup`).option("--outDir <dir>", `[string] output directory (default: dist)`).action(
   async (root, options) => {
     filterDuplicateOptions(options);
-    const { preview } = await import('./chunks/dep-Beq30MX9.js').then(function (n) { return n.S; });
+    const { preview } = await import('./chunks/dep-BdTvomPN.js').then(function (n) { return n.S; });
     try {
       const server = await preview({
         root,

package/dist/node/index.d.ts

@@ -674,6 +674,18 @@ interface CommonServerOptions {
      * Set to 0.0.0.0 to listen on all addresses, including LAN and public addresses.
      */
     host?: string | boolean;
+    /**
+     * The hostnames that Vite is allowed to respond to.
+     * `localhost` and subdomains under `.localhost` and all IP addresses are allowed by default.
+     * When using HTTPS, this check is skipped.
+     *
+     * If a string starts with `.`, it will allow that hostname without the `.` and all subdomains under the hostname.
+     * For example, `.example.com` will allow `example.com`, `foo.example.com`, and `foo.bar.example.com`.
+     *
+     * If set to `true`, the server is allowed to respond to requests for any hosts.
+     * This is not recommended as it will be vulnerable to DNS rebinding attacks.
+     */
+    allowedHosts?: string[] | true;
     /**
      * Enable TLS + HTTP/2.
      * Note: this downgrades to TLS only when the proxy option is also used.
@@ -709,8 +721,14 @@ interface CommonServerOptions {
     /**
      * Configure CORS for the dev server.
      * Uses https://github.com/expressjs/cors.
+     *
+     * When enabling this option, **we recommend setting a specific value
+     * rather than `true`** to avoid exposing the source code to untrusted origins.
+     *
      * Set to `true` to allow all methods from any origin, or configure separately
      * using an object.
+     *
+     * @default false
      */
     cors?: CorsOptions | boolean;
     /**
@@ -722,6 +740,12 @@ interface CommonServerOptions {
  * https://github.com/expressjs/cors#configuration-options
  */
 interface CorsOptions {
+    /**
+     * Configures the Access-Control-Allow-Origin CORS header.
+     *
+     * **We recommend setting a specific value rather than
+     * `true`** to avoid exposing the source code to untrusted origins.
+     */
     origin?: CorsOrigin | ((origin: string | undefined, cb: (err: Error, origins: CorsOrigin) => void) => void);
     methods?: string | string[];
     allowedHeaders?: string | string[];
@@ -3900,6 +3924,18 @@ interface LegacyOptions {
      * https://github.com/vitejs/vite/discussions/14697.
      */
     proxySsrExternalModules?: boolean;
+    /**
+     * In Vite 6.0.8 and below, WebSocket server was able to connect from any web pages. However,
+     * that could be exploited by a malicious web page.
+     *
+     * In Vite 6.0.9+, the WebSocket server now requires a token to connect from a web page.
+     * But this may break some plugins and frameworks that connects to the WebSocket server
+     * on their own. Enabling this option will make Vite skip the token check.
+     *
+     * **We do not recommend enabling this option unless you are sure that you are fine with
+     * that security weakness.**
+     */
+    skipWebSocketTokenCheck?: boolean;
 }
 interface ResolvedWorkerOptions {
     format: 'es' | 'iife';
@@ -3946,6 +3982,17 @@ type ResolvedConfig = Readonly<Omit<UserConfig, 'plugins' | 'css' | 'json' | 'as
     appType: AppType;
     experimental: ExperimentalOptions;
     environments: Record<string, ResolvedEnvironmentOptions>;
+    /**
+     * The token to connect to the WebSocket server from browsers.
+     *
+     * We recommend using `import.meta.hot` rather than connecting
+     * to the WebSocket server directly.
+     * If you have a usecase that requires connecting to the WebSocket
+     * server, please create an issue so that we can discuss.
+     *
+     * @deprecated
+     */
+    webSocketToken: string;
 } & PluginHookUtils>;
 interface PluginHookUtils {
     getSortedPlugins: <K extends keyof Plugin>(hookName: K) => PluginWithRequiredHook<K>[];

package/dist/node/index.js

@@ -1,6 +1,6 @@
 export { parseAst, parseAstAsync } from 'rollup/parseAst';
-import { i as isInNodeModules, a as arraify } from './chunks/dep-Beq30MX9.js';
-export { B as BuildEnvironment, D as DevEnvironment, f as build, m as buildErrorMessage, g as createBuilder, C as createFilter, h as createIdResolver, G as createLogger, n as createRunnableDevEnvironment, c as createServer, w as createServerHotChannel, v as createServerModuleRunner, d as defineConfig, u as fetchModule, j as formatPostcssSourceMap, J as isFileLoadingAllowed, I as isFileServingAllowed, q as isRunnableDevEnvironment, l as loadConfigFromFile, K as loadEnv, A as mergeAlias, z as mergeConfig, x as moduleRunnerTransform, y as normalizePath, o as optimizeDeps, p as perEnvironmentPlugin, b as perEnvironmentState, k as preprocessCSS, e as preview, r as resolveConfig, L as resolveEnvPrefix, E as rollupVersion, H as searchForWorkspaceRoot, F as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-Beq30MX9.js';
+import { i as isInNodeModules, a as arraify } from './chunks/dep-BdTvomPN.js';
+export { B as BuildEnvironment, D as DevEnvironment, f as build, m as buildErrorMessage, g as createBuilder, C as createFilter, h as createIdResolver, G as createLogger, n as createRunnableDevEnvironment, c as createServer, w as createServerHotChannel, v as createServerModuleRunner, d as defineConfig, u as fetchModule, j as formatPostcssSourceMap, J as isFileLoadingAllowed, I as isFileServingAllowed, q as isRunnableDevEnvironment, l as loadConfigFromFile, K as loadEnv, A as mergeAlias, z as mergeConfig, x as moduleRunnerTransform, y as normalizePath, o as optimizeDeps, p as perEnvironmentPlugin, b as perEnvironmentState, k as preprocessCSS, e as preview, r as resolveConfig, L as resolveEnvPrefix, E as rollupVersion, H as searchForWorkspaceRoot, F as send, s as sortUserPlugins, t as transformWithEsbuild } from './chunks/dep-BdTvomPN.js';
 export { DEFAULT_CLIENT_CONDITIONS as defaultClientConditions, DEFAULT_CLIENT_MAIN_FIELDS as defaultClientMainFields, DEFAULT_SERVER_CONDITIONS as defaultServerConditions, DEFAULT_SERVER_MAIN_FIELDS as defaultServerMainFields, VERSION as version } from './constants.js';
 export { version as esbuildVersion } from 'esbuild';
 import 'node:fs';
@@ -10,6 +10,7 @@ import 'node:url';
 import 'node:util';
 import 'node:perf_hooks';
 import 'node:module';
+import 'node:crypto';
 import 'path';
 import 'fs';
 import 'node:child_process';
@@ -25,7 +26,6 @@ import 'stream';
 import 'os';
 import 'child_process';
 import 'node:os';
-import 'node:crypto';
 import 'node:dns';
 import 'vite/module-runner';
 import 'module';
@@ -41,6 +41,7 @@ import 'zlib';
 import 'buffer';
 import 'https';
 import 'tls';
+import 'node:net';
 import 'assert';
 import 'node:querystring';
 import 'node:zlib';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vite",
-  "version": "6.0.8",
+  "version": "6.0.9",
   "type": "module",
   "license": "MIT",
   "author": "Evan You",