Skip to content

feat: extend server.fs.deny list with common files#22707

Merged
sapphi-red merged 1 commit into
mainfrom
extend-deny-list
Jun 19, 2026
Merged

feat: extend server.fs.deny list with common files#22707
sapphi-red merged 1 commit into
mainfrom
extend-deny-list

Conversation

@bluwy

@bluwy bluwy commented Jun 19, 2026

Copy link
Copy Markdown
Member

Note: we do not consider this as a vulnerability as it's not possible to cover every sensitive files possible. But we can add common ones as we go. And the server.fs.deny list is documented, so if you need more than these, you should add as you see fit.

Co-authored-by: gasbugs <gasbugs21c@gmail.com>
@bluwy bluwy changed the title Extend server.fs.deny list with common files feat: extend server.fs.deny list with common files Jun 19, 2026
@sapphi-red sapphi-red merged commit 61ba8fd into main Jun 19, 2026
19 of 21 checks passed
@sapphi-red sapphi-red deleted the extend-deny-list branch June 19, 2026 03:13
renovate Bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Jun 24, 2026
| datasource | package | from   | to    |
| ---------- | ------- | ------ | ----- |
| npm        | vite    | 8.0.14 | 8.1.0 |


## [v8.1.0](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#810-2026-06-23)

##### Features

- extend `server.fs.deny` list with common files ([#22707](vitejs/vite#22707)) ([61ba8fd](vitejs/vite@61ba8fd))
- update rolldown to 1.1.2 ([#22695](vitejs/vite#22695)) ([4f008a6](vitejs/vite@4f008a6))
- use `~` for Rolldown ([#22693](vitejs/vite#22693)) ([9928722](vitejs/vite@9928722))

##### Bug Fixes

- **bundled-dev:** errors should be kept when incremental build fails ([#22617](vitejs/vite#22617)) ([9a0dd48](vitejs/vite@9a0dd48))
- cache falsy values in perEnvironmentState ([#22715](vitejs/vite#22715)) ([0e91e79](vitejs/vite@0e91e79))
- **glob:** respect caseSensitive option in hmr matcher ([#22711](vitejs/vite#22711)) ([65f525e](vitejs/vite@65f525e))
- **html:** omit nonce on import map when cspNonce is unset ([#22713](vitejs/vite#22713)) ([8340bb5](vitejs/vite@8340bb5))
- **optimizer:** skip null-valued exports in expandGlobIds glob resolution ([#22611](vitejs/vite#22611)) ([8b9f5cd](vitejs/vite@8b9f5cd))
- resolved build options should be kept as a getter ([#22691](vitejs/vite#22691)) ([3527191](vitejs/vite@3527191))
- **server:** handle malformed URI in memory files middleware ([#22714](vitejs/vite#22714)) ([df9e0a5](vitejs/vite@df9e0a5))
- use literal envPrefix queries for Vite Task ([#22706](vitejs/vite#22706)) ([da72733](vitejs/vite@da72733))
- warn on deprecated envFile ([#22555](vitejs/vite#22555)) ([ed7b283](vitejs/vite@ed7b283))

##### Code Refactoring

- **client:** inline dev-id value in CSS selector ([#22736](vitejs/vite#22736)) ([57f59bc](vitejs/vite@57f59bc))
- remove unused removeRawQuery util ([#22724](vitejs/vite#22724)) ([403cc60](vitejs/vite@403cc60))
- use `rolldownOptions` property for chunkImportMap ([#22692](vitejs/vite#22692)) ([8e8816c](vitejs/vite@8e8816c))


## [v8.0.16](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

##### Bug Fixes

- **deps:** reject UNC paths for launch-editor-middleware ([#22571](vitejs/vite#22571)) ([50b9512](vitejs/vite@50b9512))
- reject windows alternate paths ([#22572](vitejs/vite#22572)) ([dc245c7](vitejs/vite@dc245c7))


## [v8.0.15](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

##### Features

- send 408 on request timeout ([#22476](vitejs/vite#22476)) ([c85c9ee](vitejs/vite@c85c9ee))
- update rolldown to 1.0.3 ([#22538](vitejs/vite#22538)) ([646dbed](vitejs/vite@646dbed))

##### Bug Fixes

- capitalize error messages and remove spurious space in parse error ([#22488](vitejs/vite#22488)) ([85a0eff](vitejs/vite@85a0eff))
- **deps:** update all non-major dependencies ([#22511](vitejs/vite#22511)) ([2686d7d](vitejs/vite@2686d7d))
- **dev:** fix html-proxy cache key mismatch for /@fs/ HTML paths ([#21762](vitejs/vite#21762)) ([47c4213](vitejs/vite@47c4213))
- **glob:** error on relative glob in virtual module when no files match ([#22497](vitejs/vite#22497)) ([5c8e98f](vitejs/vite@5c8e98f))
- **optimizer:** close the rolldown bundle when write() rejects ([#22528](vitejs/vite#22528)) ([e3cfb9d](vitejs/vite@e3cfb9d))
- **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#22509](vitejs/vite#22509)) ([40985f1](vitejs/vite@40985f1))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies ([#22566](vitejs/vite#22566)) ([3052a67](vitejs/vite@3052a67))

##### Code Refactoring

- correct logic in `collectAllModules` function ([#22562](vitejs/vite#22562)) ([6978a9c](vitejs/vite@6978a9c))
renovate Bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Jun 24, 2026
| datasource | package | from   | to    |
| ---------- | ------- | ------ | ----- |
| npm        | vite    | 8.0.14 | 8.1.0 |


## [v8.1.0](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#810-2026-06-23)

##### Features

- extend `server.fs.deny` list with common files ([#22707](vitejs/vite#22707)) ([61ba8fd](vitejs/vite@61ba8fd))
- update rolldown to 1.1.2 ([#22695](vitejs/vite#22695)) ([4f008a6](vitejs/vite@4f008a6))
- use `~` for Rolldown ([#22693](vitejs/vite#22693)) ([9928722](vitejs/vite@9928722))

##### Bug Fixes

- **bundled-dev:** errors should be kept when incremental build fails ([#22617](vitejs/vite#22617)) ([9a0dd48](vitejs/vite@9a0dd48))
- cache falsy values in perEnvironmentState ([#22715](vitejs/vite#22715)) ([0e91e79](vitejs/vite@0e91e79))
- **glob:** respect caseSensitive option in hmr matcher ([#22711](vitejs/vite#22711)) ([65f525e](vitejs/vite@65f525e))
- **html:** omit nonce on import map when cspNonce is unset ([#22713](vitejs/vite#22713)) ([8340bb5](vitejs/vite@8340bb5))
- **optimizer:** skip null-valued exports in expandGlobIds glob resolution ([#22611](vitejs/vite#22611)) ([8b9f5cd](vitejs/vite@8b9f5cd))
- resolved build options should be kept as a getter ([#22691](vitejs/vite#22691)) ([3527191](vitejs/vite@3527191))
- **server:** handle malformed URI in memory files middleware ([#22714](vitejs/vite#22714)) ([df9e0a5](vitejs/vite@df9e0a5))
- use literal envPrefix queries for Vite Task ([#22706](vitejs/vite#22706)) ([da72733](vitejs/vite@da72733))
- warn on deprecated envFile ([#22555](vitejs/vite#22555)) ([ed7b283](vitejs/vite@ed7b283))

##### Code Refactoring

- **client:** inline dev-id value in CSS selector ([#22736](vitejs/vite#22736)) ([57f59bc](vitejs/vite@57f59bc))
- remove unused removeRawQuery util ([#22724](vitejs/vite#22724)) ([403cc60](vitejs/vite@403cc60))
- use `rolldownOptions` property for chunkImportMap ([#22692](vitejs/vite#22692)) ([8e8816c](vitejs/vite@8e8816c))


## [v8.0.16](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8016-2026-06-01-small)

##### Bug Fixes

- **deps:** reject UNC paths for launch-editor-middleware ([#22571](vitejs/vite#22571)) ([50b9512](vitejs/vite@50b9512))
- reject windows alternate paths ([#22572](vitejs/vite#22572)) ([dc245c7](vitejs/vite@dc245c7))


## [v8.0.15](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-8015-2026-06-01-small)

##### Features

- send 408 on request timeout ([#22476](vitejs/vite#22476)) ([c85c9ee](vitejs/vite@c85c9ee))
- update rolldown to 1.0.3 ([#22538](vitejs/vite#22538)) ([646dbed](vitejs/vite@646dbed))

##### Bug Fixes

- capitalize error messages and remove spurious space in parse error ([#22488](vitejs/vite#22488)) ([85a0eff](vitejs/vite@85a0eff))
- **deps:** update all non-major dependencies ([#22511](vitejs/vite#22511)) ([2686d7d](vitejs/vite@2686d7d))
- **dev:** fix html-proxy cache key mismatch for /@fs/ HTML paths ([#21762](vitejs/vite#21762)) ([47c4213](vitejs/vite@47c4213))
- **glob:** error on relative glob in virtual module when no files match ([#22497](vitejs/vite#22497)) ([5c8e98f](vitejs/vite@5c8e98f))
- **optimizer:** close the rolldown bundle when write() rejects ([#22528](vitejs/vite#22528)) ([e3cfb9d](vitejs/vite@e3cfb9d))
- **resolve:** provide onWarn for viteResolvePlugin in JS plugin containers ([#22509](vitejs/vite#22509)) ([40985f1](vitejs/vite@40985f1))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies ([#22566](vitejs/vite#22566)) ([3052a67](vitejs/vite@3052a67))

##### Code Refactoring

- correct logic in `collectAllModules` function ([#22562](vitejs/vite#22562)) ([6978a9c](vitejs/vite@6978a9c))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants