fix: apply correct fs restrictions for Yarn PnP when serving files from node_modules

[smeng9]

Description

fixes #15945

Additional context

---

What is the purpose of this pull request?

• Bug fix
• New Feature
• Documentation update
• Other

Before submitting the PR, please make sure you do the following

• Read the Contributing Guidelines, especially the Pull Request Guidelines.
• Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
• Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
• Update the corresponding documentation if needed.
• Ideally, include relevant tests that fail without this PR but pass with it.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[patak-dev]

I don't think we should allow every path from node_modules. The current function will also allow users to access any node_modules folder in your system. We should check what is different in PnP here that makes the current checks fail. As a workaround, you can probably add the folder where this font is to server.fs.allow.

[bluwy]

Yeah I agree with patak here. Maybe we can check if we're running in yarn pnp and allowlist the yarn directory to be served? I'm not sure if yarn exposes that via process.env.* or pnpapi.

[smeng9]

Hi @bluwy I have checked pnpapi and process.env.* however it seems it does not expose to us where the yarn cache directory is.

[smeng9]

Hi @patak-dev Even though the pnpapi does not give us the yarn cache directory, we can get it from the @yarnpkg/core API. Would you mind take another review? Thanks!

[sapphi-red]

@yarnpkg/core has 10.7MB so I don't think we should put it in the dependencies. I think we can call yarn config get <key> as it is supported by yarn v1,v2,v3,v4. Executing a command is a bit slow, but we apply many deopts for pnp so I think it's fine.

[smeng9]

The large @yarnpkg/core dependency is removed.

[smeng9]

Shall we consider add a searchForYarnCacheFolder function similar to searchForWorkspaceRoot to the index.ts and expose that to the user?

[bluwy]

I'm thinking we could always add the yarn cache folder to the allow list by default, that way we don't have to expose a new API for it. Similarly we have the resolvedClientDir handling that we always allow. Curious to hear what others think too 🤔

[sapphi-red]

I agree with @bluwy. If users want to disable it, deny can be used as it has higher priority (they'd need to get the path by themselves though).

[smeng9]

Sounds good, the yarnCacheDir is now always added to the allow list.

[bluwy]

LGTM. Thanks for fixing this up! I'll queue this up for the next minor (which we'll start merging tomorrow) as this feels like a substantial change for existing Yarn PnP users.