./x.js?foo=/../y.js is resolved as ./y.js instead of ./x.js #19406
Description
Describe the bug
For the following code, Vite resolves import differently from NodeJs.
import repro from "./x.js?foo=/../y.js"This appears to be because Vite's fs resolution normalizes id via path.resolve without stripping off ?, such as:
> path.resolve('/x.js?foo=/../y.js')
'/y.js'
> path.resolve('/x.js/../y.js')
'/y.js'
> path.resolve('/x.js?foo=bar')
'/x.js?foo=bar'Additional note: Going up parent directories with this trick only cheats resolution and the file content is still protected by the same server.fs mechanism, so this is not likely a security issue.
Reproduction
Steps to reproduce
- Open stackblitz and browser shows
[y.js] - Run
node src/main.jsand it shows[x.js]
❯ node src/main.js
{ repro: '[x.js]' }System Info
System:
OS: Linux 5.0 undefined
CPU: (8) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 0 Bytes / 0 Bytes
Shell: 1.0 - /bin/jsh
Binaries:
Node: 18.20.3 - /usr/local/bin/node
Yarn: 1.22.19 - /usr/local/bin/yarn
npm: 10.2.3 - /usr/local/bin/npm
pnpm: 8.15.6 - /usr/local/bin/pnpm
npmPackages:
vite: ^6.1.0 => 6.1.0Used Package Manager
npm
Logs
No response
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
- Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
- The provided reproduction is a minimal reproducible example of the bug.