fix: upgrade Vite and update tests #13011

Merged
merged 5 commits into from
Jan 20, 2025

@ascorbic ascorbic commented Jan 20, 2025

Changes

Upgrades Vite to fix GHSA-vg6x-rcgg-rjx6
This is a breaking change and lots of tests were failing. This PR contains the fix, which is to ensure the host header is set.

Testing

Updates tests

Docs

changeset-bot bot commented Jan 20, 2025

⚠️ No Changeset found

Latest commit: ec13663

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@github-actions github-actions bot added pkg: svelte Related to Svelte (scope) pkg: vue Related to Vue (scope) pkg: react Related to React (scope) pkg: preact Related to Preact (scope) pkg: solid Related to Solid (scope) pkg: integration Related to any renderer integration (scope) pkg: astro Related to the core `astro` package (scope) labels Jan 20, 2025
@github-actions github-actions bot added the pkg: example Related to an example package (scope) label Jan 20, 2025

codspeed-hq bot commented Jan 20, 2025

CodSpeed Performance Report

Merging #13011 will not alter performance

Comparing vite-upgrade (d41fd46) with main (9ce0038)

Summary

✅ 6 untouched benchmarks

@ascorbic ascorbic marked this pull request as ready for review January 20, 2025 14:20
@@ -74,7 +74,6 @@ describe('endpoints', () => {
await done;
const headers = res.getHeaders();
assert.deepEqual(headers, {
'access-control-allow-origin': '*',
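
Review bot: the expectation inside `assert.deepEqual(headers, {` loses an entry (the hunk header goes from 7 lines to 6) with no comment saying why, and the visible context stops at `'access-control-allow-origin': '*'`. If that wildcard CORS header is the entry being dropped, add a one-line comment tying it to the Vite upgrade so nobody restores it later, and consider asserting explicitly that the header is absent, since a `deepEqual` on the whole header object also fails on unrelated header changes.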

This is the fix, right?

@ascorbic ascorbic merged commit cf30880 into main Jan 20, 2025
6 checks passed
@ascorbic ascorbic deleted the vite-upgrade branch January 20, 2025 14:52
@astrobot-houston astrobot-houston mentioned this pull request Jan 20, 2025
@Antonytm

@ascorbic It seems that this merge breaks my use case.

I have Astro running as astro dev in an environment with a dynamic hostname. I don't control the hostname.
After upgrading from 5.1.6 to 5.1.8 I started to get the error message: "Blocked request. This host (".............") is not allowed. To allow this host, add "................" to server.allowedHosts in vite.config.js."

Is there any way to omit the hostname check?

@ascorbic

@Antonytm this is a change in Vite to fix a vulnerability, so not something we control directly. Take a look at the disclosure for some of the options you can use.

@Antonytm

@ascorbic
Thank you.
That is not a critical vulnerability for my use case. I will stay on 5.1.6 until a fix for astro preview. As I assume astro preview doesn't use Vite.
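
The host check behind the "Blocked request" error quoted in this thread, as an added example that is not part of the PR or Vite's own code: a simplified allow-list modelled on the behaviour Vite documents for `server.allowedHosts` (localhost, `.localhost` subdomains and IP literals allowed by default; an entry with a leading `.` also admits subdomains). Function names and hostnames are hypothetical, and rejecting a missing Host header is an assumption drawn from the PR description.

```javascript
// Added illustration: a simplified Host-header allow-list check.
// It is not Vite's implementation; all names below are hypothetical.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Return the lower-cased hostname from a Host header value, without the port.
// IPv6 literals arrive bracketed ("[::1]:4321"); anything malformed yields null.
function hostnameOf(hostHeader) {
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    return end === -1 ? null : h.slice(1, end);
  }
  const colon = h.lastIndexOf(':');
  const name = colon === -1 ? h : h.slice(0, colon);
  return name === '' || name.includes(':') ? null : name;
}

function isIpLiteral(name) {
  if (name.includes(':')) return /^[0-9a-f:.]+$/.test(name); // bracketed IPv6 only
  return IPV4.test(name) && name.split('.').every((o) => Number(o) <= 255);
}

// allowedHosts: exact hostnames; an entry with a leading "." also admits subdomains.
function isHostAllowed(hostHeader, allowedHosts = []) {
  if (typeof hostHeader !== 'string') return false; // header missing (assumed rejected)
  const name = hostnameOf(hostHeader);
  if (name === null) return false;
  // A DNS-rebinding page reaches the server under the attacker's own name,
  // so IP literals and localhost are safe defaults.
  if (isIpLiteral(name) || name === 'localhost' || name.endsWith('.localhost')) return true;
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    return e.startsWith('.') ? name === e.slice(1) || name.endsWith(e) : name === e;
  });
}

// Decision a dev-server middleware would act on before serving anything.
function checkRequest(headers, allowedHosts) {
  if (isHostAllowed(headers.host, allowedHosts)) return { status: 200 };
  return { status: 403, reason: `Blocked request. Host "${headers.host ?? ''}" is not allowed.` };
}

// Constructed sample requests (hostnames are placeholders).
const allow = ['.preview.example.test'];
const samples = [{ host: 'localhost:4321' }, { host: 'abc123.preview.example.test' },
  { host: 'attacker.example:4321' }, {} /* no Host header */];
for (const s of samples) console.log(s.host, checkRequest(s, allow).status);
```

For a deployment whose hostname changes but shares a known parent domain, a leading-dot entry keeps the check in force without listing every host.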
