diff --git a/.eslintrc.cjs b/.eslintrc.cjs
deleted file mode 100644
index 48a0bd7773b0d7..00000000000000
--- a/.eslintrc.cjs
+++ /dev/null
@@ -1,137 +0,0 @@
-// @ts-check
-const { defineConfig } = require('eslint-define-config')
-
-module.exports = defineConfig({
- root: true,
- extends: [
- 'eslint:recommended',
- 'plugin:node/recommended',
- 'plugin:@typescript-eslint/recommended'
- ],
- parser: '@typescript-eslint/parser',
- parserOptions: {
- sourceType: 'module',
- ecmaVersion: 2021
- },
- rules: {
- eqeqeq: ['warn', 'always', { null: 'never' }],
- 'no-debugger': ['error'],
- 'no-empty': ['warn', { allowEmptyCatch: true }],
- 'no-process-exit': 'off',
- 'no-useless-escape': 'off',
- 'prefer-const': [
- 'warn',
- {
- destructuring: 'all'
- }
- ],
-
- 'node/no-missing-import': [
- 'error',
- {
- allowModules: [
- 'types',
- 'estree',
- 'testUtils',
- 'less',
- 'sass',
- 'stylus'
- ],
- tryExtensions: ['.ts', '.js', '.jsx', '.tsx', '.d.ts']
- }
- ],
- 'node/no-missing-require': [
- 'error',
- {
- // for try-catching yarn pnp
- allowModules: ['pnpapi', 'vite'],
- tryExtensions: ['.ts', '.js', '.jsx', '.tsx', '.d.ts']
- }
- ],
- 'node/no-restricted-require': [
- 'error',
- Object.keys(require('./packages/vite/package.json').devDependencies).map(
- (d) => ({
- name: d,
- message:
- `devDependencies can only be imported using ESM syntax so ` +
- `that they are included in the rollup bundle. 
If you are trying to ` +
- `lazy load a dependency, use (await import('dependency')).default instead.`
- })
- )
- ],
- 'node/no-extraneous-import': [
- 'error',
- {
- allowModules: ['vite', 'less', 'sass']
- }
- ],
- 'node/no-extraneous-require': [
- 'error',
- {
- allowModules: ['vite']
- }
- ],
- 'node/no-deprecated-api': 'off',
- 'node/no-unpublished-import': 'off',
- 'node/no-unpublished-require': 'off',
- 'node/no-unsupported-features/es-syntax': 'off',
-
- '@typescript-eslint/ban-ts-comment': 'off', // TODO: we should turn this on in a new PR
- '@typescript-eslint/ban-types': 'off', // TODO: we should turn this on in a new PR
- '@typescript-eslint/no-empty-function': [
- 'error',
- { allow: ['arrowFunctions'] }
- ],
- '@typescript-eslint/no-empty-interface': 'off',
- '@typescript-eslint/no-explicit-any': 'off', // maybe we should turn this on in a new PR
- '@typescript-eslint/no-extra-semi': 'off', // conflicts with prettier
- '@typescript-eslint/no-inferrable-types': 'off',
- '@typescript-eslint/no-non-null-assertion': 'off', // maybe we should turn this on in a new PR
- '@typescript-eslint/no-unused-vars': 'off', // maybe we should turn this on in a new PR
- '@typescript-eslint/no-var-requires': 'off',
- '@typescript-eslint/consistent-type-imports': [
- 'error',
- { prefer: 'type-imports' }
- ]
- },
- overrides: [
- {
- files: ['packages/vite/src/node/**'],
- rules: {
- 'no-console': ['error']
- }
- },
- {
- files: ['packages/vite/types/**'],
- rules: {
- 'node/no-extraneous-import': 'off'
- }
- },
- {
- files: ['packages/playground/**'],
- rules: {
- 'node/no-extraneous-import': 'off',
- 'node/no-extraneous-require': 'off'
- }
- },
- {
- files: ['packages/create-vite/template-*/**'],
- rules: {
- 'node/no-missing-import': 'off'
- }
- },
- {
- files: ['*.js'],
- rules: {
- '@typescript-eslint/explicit-module-boundary-types': 'off'
- }
- },
- {
- files: ['*.d.ts'],
- rules: {
- '@typescript-eslint/triple-slash-reference': 'off'
- }
- }
- ]
-})
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 00000000000000..a4c31afed65932
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,4 @@
+# chore: enable prettier trailing commas (#11167)
+134ce6817984bad0f5fb043481502531fee9b1db
+# chore: rename test packages (#11172)
+5170e44920458090b8b43ee9cfe5010c25dfe22b
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 301b795e15fb5e..ada4f1989d1920 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,6 +1,7 @@
 name: "\U0001F41E Bug report"
 description: Report an issue with Vite
 labels: [pending triage]
+type: Bug
 body:
 - type: markdown
 attributes:
@@ -11,22 +12,28 @@ body:
 attributes:
 label: Describe the bug
 description: A clear and concise description of what the bug is. If you intend to submit a PR for this issue, tell us in the description. Thanks!
- placeholder: Bug description
+ placeholder: I am doing ... What I expect is ... What actually happening is ...
 validations:
 required: true
 - type: input
 id: reproduction
 attributes:
 label: Reproduction
- description: Please provide a link via [vite.new](https://vite.new/) or a link to a repo that can reproduce the problem you ran into. A [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) is required. If a report is vague (e.g. just a generic error message) and has no reproduction, it will receive a "need reproduction" label. If no reproduction is provided after 3 days, it will be auto-closed.
- placeholder: Reproduction
+ description: Please provide a link via [vite.new](https://vite.new/) or a link to a repo that can reproduce the problem you ran into. `npm create vite@latest` and `npm create vite-extra@latest` (for SSR or library repros) can be used as a starter template. A [minimal reproduction](https://stackoverflow.com/help/minimal-reproducible-example) is required ([Why?](https://antfu.me/posts/why-reproductions-are-required)). If a report is vague (e.g. just a generic error message) and has no reproduction, it will receive a "needs reproduction" label. If no reproduction is provided after 3 days, it will be auto-closed.
+ placeholder: Reproduction URL
 validations:
 required: true
+ - type: textarea
+ id: reproduction-steps
+ attributes:
+ label: Steps to reproduce
+ description: Please provide any reproduction steps that may need to be described. E.g. if it happens only when running the dev or build script make sure it's clear which one to use.
+ placeholder: Run `npm install` followed by `npm run dev`
 - type: textarea
 id: system-info
 attributes:
 label: System Info
- description: Output of `npx envinfo --system --npmPackages '{vite,@vitejs/*}' --binaries --browsers`
+ description: Output of `npx envinfo --system --npmPackages '{vite,@vitejs/*,rollup,rolldown}' --binaries --browsers`
 render: shell
 placeholder: System, Binaries, Browsers
 validations:
@@ -40,6 +47,7 @@ body:
 - npm
 - yarn
 - pnpm
+ - bun
 validations:
 required: true
 - type: textarea
@@ -50,8 +58,17 @@ body:
 Optional if provided reproduction. Please try not to insert an image but copy paste the log text.
 1. Run `vite` or `vite build` with the `--debug` flag.
- 2. Provide the error log here.
- render: shell
+ 2. Provide the error log here in the format below.
+
+ ````
+
+ Click to expand!
+
+ ```shell
+ // paste the log text here
+ ```
+
+ ````
 - type: checkboxes
 id: checkboxes
 attributes:
@@ -62,13 +79,13 @@ body:
 required: true
 - label: Read the [Contributing Guidelines](https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md).
 required: true
- - label: Read the [docs](https://vitejs.dev/guide).
+ - label: Read the [docs](https://vite.dev/guide).
 required: true
 - label: Check that there isn't [already an issue](https://github.com/vitejs/vite/issues) that reports the same bug to avoid creating a duplicate.
 required: true
- - label: Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to https://github.com/vuejs/core instead.
+ - label: Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to [vuejs/core](https://github.com/vuejs/core) instead.
 required: true
- - label: Check that this is a concrete bug. For Q&A open a [GitHub Discussion](https://github.com/vitejs/vite/discussions) or join our [Discord Chat Server](https://chat.vitejs.dev/).
+ - label: Check that this is a concrete bug. For Q&A open a [GitHub Discussion](https://github.com/vitejs/vite/discussions) or join our [Discord Chat Server](https://chat.vite.dev/).
 required: true
 - label: The provided reproduction is a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example) of the bug.
 required: true
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index c504c325f08040..e36d5d53edcd7f 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,13 @@
 blank_issues_enabled: false
 contact_links:
+ - name: Vite Plugin React Issues
+ url: https://github.com/vitejs/vite-plugin-react/issues/new/choose
+ about: React related issues should be reported on the vite-plugin-react repository.
+ - name: Vite Plugin Vue Issues
+ url: https://github.com/vitejs/vite-plugin-vue/issues/new/choose
+ about: Vue related issues should be reported on the vite-plugin-vue repository.
 - name: Discord Chat
- url: https://chat.vitejs.dev
+ url: https://chat.vite.dev
 about: Ask questions and discuss with other Vite users in real time.
 - name: Questions & Discussions
 url: https://github.com/vitejs/vite/discussions
diff --git a/.github/ISSUE_TEMPLATE/docs.yml b/.github/ISSUE_TEMPLATE/docs.yml
new file mode 100644
index 00000000000000..ef629b96596663
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/docs.yml
@@ -0,0 +1,43 @@
+name: "\U0001F4DA Documentation"
+description: Suggest a change or new page to be added to vite.dev
+labels: [documentation]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this issue!
+ - type: checkboxes
+ id: documentation_is
+ attributes:
+ label: Documentation is
+ options:
+ - label: Missing
+ - label: Outdated
+ - label: Confusing
+ - label: Not sure?
+ - type: textarea
+ id: description
+ attributes:
+ label: Explain in Detail
+ description: A clear and concise description of your suggestion. If you intend to submit a PR for this issue, tell us in the description. Thanks!
+ placeholder: The description of ... page is not clear. I thought it meant ... but it wasn't.
+ validations:
+ required: true
+ - type: textarea
+ id: suggestion
+ attributes:
+ label: Your Suggestion for Changes
+ validations:
+ required: true
+ - type: input
+ id: reproduction
+ attributes:
+ label: Reproduction
+ description: If you have a reproduction, please provide a link via [vite.new](https://vite.new/) or a link to a repo that can reproduce the problem you ran into. `npm create vite@latest` and `npm create vite-extra@latest` (for SSR or library repros) can be used as a starter template.
+ placeholder: Reproduction URL
+ - type: textarea
+ id: reproduction-steps
+ attributes:
+ label: Steps to reproduce
+ description: Please provide any reproduction steps that may need to be described. E.g. if it happens only when running the dev or build script make sure it's clear which one to use.
+ placeholder: Run `npm install` followed by `npm run dev`
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
index f35a724afcd42b..0563374253b6f3 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,6 +1,7 @@
 name: "\U0001F680 New feature proposal"
 description: Propose a new feature to be added to Vite
-labels: ["enhancement: pending triage"]
+labels: ["pending triage"]
+type: Feature
 body:
 - type: markdown
 attributes:
@@ -9,8 +10,9 @@ body:
 - type: textarea
 id: feature-description
 attributes:
- label: Clear and concise description of the problem
- description: "As a developer using Vite I want [goal / wish] so that [benefit]. If you intend to submit a PR for this issue, tell us in the description. Thanks!"
+ label: Description
+ description: "Clear and concise description of the problem. Please make the reason and usecases as detailed as possible. If you intend to submit a PR for this issue, tell us in the description. Thanks!"
+ placeholder: As a developer using Vite I want [goal / wish] so that [benefit].
 validations:
 required: true
 - type: textarea
@@ -40,7 +42,7 @@ body:
 required: true
 - label: Read the [Contributing Guidelines](https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md).
 required: true
- - label: Read the [docs](https://vitejs.dev/guide).
+ - label: Read the [docs](https://vite.dev/guide).
 required: true
 - label: Check that there isn't already an issue that request the same feature to avoid creating a duplicate.
 required: true
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 946e6aa9bedb9f..6880a6df5e3c01 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,26 +1,15 @@
-
+
+- Read the Contributing Guidelines at https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md.
+- Check that there isn't already a PR that solves the problem the same way. If you find a duplicate, please help us review it.
+- Update the corresponding documentation if needed.
+- Include relevant tests that fail without this PR but pass with it. If the tests are not included, explain why.
-### Additional context
-
-
-
----
-
-### What is the purpose of this pull request?
-
-- [ ] Bug fix
-- [ ] New Feature
-- [ ] Documentation update
-- [ ] Other
-
-### Before submitting the PR, please make sure you do the following
-
-- [ ] Read the [Contributing Guidelines](https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md).
-- [ ] Read the [Pull Request Guidelines](https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md#pull-request-guidelines) and follow the [Commit Convention](https://github.com/vitejs/vite/blob/main/.github/commit-convention.md).
-- [ ] Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
-- [ ] Provide a description in this PR that addresses **what** the PR is solving, or reference the issue that it solves (e.g. `fixes #123`).
-- [ ] Ideally, include relevant tests that fail without this PR but pass with it.
+Thank you for contributing to Vite!
+-->
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 00000000000000..1407d037d96d50
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,67 @@
+# Security Policy
+
+## Supported Versions
+
+Refer to the [Releases](https://vite.dev/releases) page in the documentation for the supported Vite versions.
+
+## Threat Model
+
+This section describes what Vite treats as trusted and untrusted. A report is only considered a Vite vulnerability if it does not require compromising a trusted element first.
+
+> [!NOTE]
+> Reports that fall outside the threat model will still be fixed if they represent a real issue, but they will not be treated as security vulnerabilities (e.g., no CVE or advisory will be issued).
+
+### What Vite Does Not Trust
+
+1. **Network data and untrusted clients**
+ The dev server and preview server must treat all inbound network requests as potentially hostile. This includes malformed requests. Clients may be outside the developer's intended environment because of port-forwarding, shared networks, or accidental exposure to the internet.
+
+### What Vite Trusts
+
+1. **Developers and their infrastructure**
+ The people who invoke Vite and the environments they use (local workstations, CI runners, containers, the operating system, and the Node.js runtime) are all assumed to be under the developer's control and properly secured.
+
+2. **Configuration and plugins**
+ Everything in `vite.config.*`, the code it imports, CLI flags, and all plugins together with their transitive dependencies are treated as developer-authored and therefore trusted.
+
+3. **Project files and dependencies**
+ All source files, assets, and installed packages (including everything in `node_modules`) that the project references are trusted.
+
+4. **Developer-configured network targets**
+ Outbound connections the developer sets up explicitly (e.g., proxy rules in `server.proxy`) are trusted because the developer chose them.
+
+### Dev Server & Preview Server
+
+- Availability issues are not considered vulnerabilities.
+- Files within the configured `server.fs` boundary (dev server) or the `build.outDir` directory (preview server) are expected to be accessible to clients.
+- The existence of files is not hidden and cannot be hidden due to the development tool nature. Exposing file existence is not considered a vulnerability.
+
+### Build Output
+
+- Availability issues that affect the build process are not considered vulnerabilities.
+- Availability issues in the build output caused by the code that Vite itself injects into the build output are in scope.
+- Vulnerabilities in user-written code or plugin-generated code in the build output are not in scope.
+
+### Examples of Vulnerabilities (in scope)
+
+- A crafted URL causes the dev server to return file contents outside the `server.fs` boundary.
+ - `server.fs.deny` bypassed with a crafted HTTP request ([GHSA-356w-63v5-8wf4](https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4))
+- An unauthenticated WebSocket client injects HMR messages that execute arbitrary JavaScript on the developer's machine.
+- Missing or bypassable origin / host validation allows a cross-origin page to access dev-server endpoints that can cause confidentiality or integrity issues.
+- A flaw in code that Vite injects into the production bundle, such as the module-preload polyfill, introduces XSS.
+ - DOM Clobbering Gadget in `module-preload-polyfill` leading to XSS ([GHSA-64vr-g452-qvp3](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3))
+
+### Examples of Non-Vulnerabilities (out of scope)
+
+- Malicious Plugins or Dependencies (CWE-1357): Plugins, config files, and their dependency trees run with full trust at build time. A compromised plugin that exfiltrates data or executes arbitrary code is a supply-chain concern for the project, not a Vite vulnerability.
+- Security Issues in the Application's Own Output: Flaws such as XSS, CSRF, or CSP misconfigurations in the bundled application are the responsibility of the application author. Vite transforms and bundles code but does not guarantee the security properties of the output beyond the code it injects itself.
+- Secrets Exposed Through Misconfiguration: If a developer accidentally ships secrets to the client, for example by prefixing sensitive variables with `VITE_` or misconfiguring `define`, that is a project-level configuration mistake, not a Vite vulnerability.
+- Reading Files Within Configured Paths (CWE-427): Vite is expected to read any file the project's configuration makes reachable. Pointing Vite at a directory that contains sensitive material is a configuration choice, not a Vite vulnerability.
+- Attacker With Control Over Configuration (CWE-15): An attacker who can modify environment variables, CLI flags, or `vite.config.*` already controls a trusted input. Any consequences of that control are out of scope.
+- Bugs in the Runtime or Operating System: Vulnerabilities in Node.js, the OS kernel, or other platform-level components are not considered a vulnerability in Vite.
+
+## Reporting a Vulnerability
+
+To report a vulnerability, please open a private vulnerability report at https://github.com/vitejs/vite/security. Please do not report upstream vulnerabilities unless the code is bundled in Vite's package.
+
+While the discovery of new vulnerabilities is rare, we also recommend always using the latest versions of Vite and its official plugins to ensure your application remains as secure as possible.
diff --git a/.github/commit-convention.md b/.github/commit-convention.md
index baa447479e9c39..4971cff4547fce 100644
--- a/.github/commit-convention.md
+++ b/.github/commit-convention.md
@@ -8,64 +8,21 @@ Messages must be matched by the following regex:
 ```js
-/^(revert: )?(feat|fix|docs|dx|refactor|perf|test|workflow|build|ci|chore|types|wip|release|deps)(\(.+\))?: .{1,50}/
+/^(revert: )?(feat|fix|docs|style|refactor|perf|test|build|ci|chore)(\(.+\))?!?: .{1,50}/
 ```
 #### Examples
-Appears under "Features" header, `dev` subheader:
-
 ```
 feat(dev): add 'comments' option
-```
-
-Appears under "Bug Fixes" header, `dev` subheader, with a link to issue #28:
-
-```
 fix(dev): fix dev error
-
-close #28
-```
-
-Appears under "Performance Improvements" header, and under "Breaking Changes" with the breaking change explanation:
-
-```
-perf(build): remove 'foo' option
-
-BREAKING CHANGE: The 'foo' option has been removed.
-```
-
-The following commit and commit `667ecc1` do not appear in the changelog if they are under the same release. If not, the revert commit appears under the "Reverts" header.
-
-```
+perf(build)!: remove 'foo' option
 revert: feat(compiler): add 'comments' option
-
-This reverts commit 667ecc1654a317a13331b17617d973392f415f02.
-```
-
-### Full Message Format
-
-A commit message consists of a **header**, **body** and **footer**. The header has a **type**, **scope** and **subject**:
-
-```
-():
-
-
-
-