
fix: apply correct fs restrictions for Yarn PnP when serving files from node_modules #15957

Merged: bluwy merged 6 commits into vitejs:main from smeng9:fix-dev-file-server on Mar 12, 2024

@smeng9

@smeng9 smeng9 commented Feb 19, 2024

Contributor

Description

fixes #15945


@smeng9 smeng9 changed the title from "Fix serving files from node_modules" to "fix: apply correct fs restrictions when serving files from node_modules" Feb 19, 2024
@patak-cat

Member

I don't think we should allow every path from node_modules. The current function will also allow users to access any node_modules folder in your system. We should check what is different in PnP here that makes the current checks fail. As a workaround, you can probably add the folder where this font is to server.fs.allow.

@bluwy

bluwy commented Feb 21, 2024

Member

Yeah I agree with patak here. Maybe we can check if we're running in yarn pnp and allowlist the yarn directory to be served? I'm not sure if yarn exposes that via process.env.* or pnpapi.

@smeng9

smeng9 commented Feb 24, 2024

Contributor Author

Hi @bluwy, I have checked pnpapi and process.env.*; however, it seems it does not expose to us where the yarn cache directory is.

@smeng9 smeng9 changed the title from "fix: apply correct fs restrictions when serving files from node_modules" to "fix: apply correct fs restrictions for Yarn PnP when serving files from node_modules" Feb 27, 2024
@smeng9

smeng9 commented Feb 27, 2024

Contributor Author

Hi @patak-dev, even though the pnpapi does not give us the yarn cache directory, we can get it from the @yarnpkg/core API. Would you mind doing another review? Thanks!

@sapphi-red

Member

@yarnpkg/core is 10.7MB, so I don't think we should put it in the dependencies. I think we can call yarn config get <key>, as it is supported by yarn v1, v2, v3, v4. Executing a command is a bit slow, but we apply many deopts for pnp so I think it's fine.

@smeng9

smeng9 commented Mar 6, 2024

Contributor Author

The large @yarnpkg/core dependency is removed.

Comment thread packages/vite/src/node/server/index.ts Outdated
@smeng9

smeng9 commented Mar 6, 2024

Contributor Author

Shall we consider adding a searchForYarnCacheFolder function, similar to searchForWorkspaceRoot, to index.ts and exposing that to the user?

@smeng9 smeng9 requested a review from sapphi-red March 7, 2024 00:55
@bluwy

bluwy commented Mar 8, 2024

Member

I'm thinking we could always add the yarn cache folder to the allow list by default, that way we don't have to expose a new API for it. Similarly we have the resolvedClientDir handling that we always allow. Curious to hear what others think too 🤔

@sapphi-red

sapphi-red commented Mar 9, 2024

Member

I agree with @bluwy. If users want to disable it, deny can be used as it has higher priority (they'd need to get the path by themselves though).

@smeng9

smeng9 commented Mar 9, 2024

Contributor Author

Sounds good, the yarnCacheDir is now always added to the allow list.
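
An added sketch (not part of the thread and not Vite's code) of the two designs discussed above: serving any path that contains a node_modules segment versus allowing only named directories such as the workspace root and the Yarn cache folder, with deny checked first. Function names and paths are constructed for illustration, and deny is simplified here to directory prefixes.

```javascript
// Added illustration, not Vite's implementation. All paths are constructed.

// Collapse "." and ".." in an absolute POSIX-style path (no symlink handling).
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// True when `file` is `dir` itself or lies underneath it.
function isInside(dir, file) {
  const d = normalizeAbs(dir);
  const f = normalizeAbs(file);
  return f === d || f.startsWith(d === '/' ? d : d + '/');
}

// Over-broad rule: serve anything with a node_modules segment in its path.
function looseCheck(file) {
  return normalizeAbs(file).split('/').includes('node_modules');
}

// Directory rule: deny is checked first, then a list of concrete allowed roots.
// (Assumption: deny is modelled as directory prefixes to keep the sketch short.)
function strictCheck(file, { allow, deny }) {
  if (deny.some((dir) => isInside(dir, file))) return false;
  return allow.some((dir) => isInside(dir, file));
}

const WORKSPACE = '/home/dev/app';                // constructed
const YARN_CACHE = '/home/dev/.yarn/berry/cache'; // constructed
const SAMPLE_FILES = [
  WORKSPACE + '/src/main.ts',
  YARN_CACHE + '/font-npm-1.0.0.zip/node_modules/font/a.woff2',
  '/home/other/project/node_modules/pkg/config.json',
  WORKSPACE + '/../notes.txt',
];

// Evaluate every sample under both rules for a given allow/deny config.
function evaluate(config) {
  return SAMPLE_FILES.map((file) => ({
    file, loose: looseCheck(file), strict: strictCheck(file, config),
  }));
}

console.table(evaluate({ allow: [WORKSPACE, YARN_CACHE], deny: [] }));
```

The third sample is the case raised in review: the loose rule serves a node_modules folder belonging to an unrelated project, while the directory rule rejects it and still serves the font from the cache folder.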

@smeng9 smeng9 requested a review from bluwy March 9, 2024 13:06

@bluwy bluwy left a comment


LGTM. Thanks for fixing this up! I'll queue this up for the next minor (which we'll start merging tomorrow) as this feels like a substantial change for existing Yarn PnP users.

@bluwy bluwy added this to the 5.2 milestone Mar 11, 2024
@bluwy bluwy merged commit a149d9e into vitejs:main Mar 12, 2024
@smeng9 smeng9 deleted the fix-dev-file-server branch April 6, 2024 03:00

Development

Successfully merging this pull request may close these issues.

Vite dev server file system restriction rules are inconsistent across package managers.

4 participants