Skip to content

Vite dev server file system restriction rules are inconsistent across package managers. #15945

Description

@smeng9

Describe the bug

I am following the https://mui.com/material-ui/getting-started/installation/#roboto-font to install roboto font through package manager because the CDN is blocked by a firewall.

After the installation is completed, the project still cannot serve the fonts correctly.

It appears relative url access for woff2 files from a css file in @fontsource/roboto is blocked by Vite dev server when using yarn PnP.

The woff2 file should be a safe file included in safeModulesPath

if (server.moduleGraph.safeModulesPath.has(file)) return true

It has a workaround to change server.fs.strict to false but this will be less safe.

Reproduction

https://stackblitz.com/edit/github-tmpxuz-g4gr11?file=src%2FApp.jsx

Steps to reproduce

Clone the repo in reproduction url.

When the project is launched with $npm i && npm run dev no problem raised when the browser is opened
When the project is launched with $yarn set version berry && yarn && yarn dev it will raise an issue about The request url "~/.yarn/berry/cache/@fontsource-roboto-npm-5.0.8-35f6bafae2-10c0.zip/node_modules/@fontsource/roboto/files/roboto-latin-500-normal.woff" is outside of Vite serving allow list when opened from browser. The fonts cannot be displayed correctly.

Vite dev server's file system access rules should be consistent across package managers.

System Info

System:
    OS: macOS 14.2
    CPU: (8) arm64 Apple M2
    Memory: 32.42 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.10.0 - /usr/local/bin/node
    Yarn: 4.1.0 - /usr/local/bin/yarn
    npm: 10.2.3 - /usr/local/bin/npm
  Browsers:
    Safari: 17.2
  npmPackages:
    @vitejs/plugin-react: ^4.2.1 => 4.2.1
    vite: ^5.1.1 => 5.1.3

Used Package Manager

yarn

Logs

No response

Validations

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions