Added server.allowed hosts to vite config. Fixes #6175 #6176
technicallynick wants to merge 1 commit into TanStack:main from
Actionable comments posted: 5
🧹 Nitpick comments (3)
examples/vue/virtualized-rows/vite.config.ts (1)
6-8: `allowedHosts: true` disables all host-header security checks and enables DNS rebinding attacks. Setting it to `true` allows the dev server to respond to any `Host` header, which can be exploited via DNS rebinding to pivot a malicious website into the local dev server and access source code. This is the most permissive option and Vite's documentation explicitly warns against it for security reasons. For example projects running inside CodeSandbox this is pragmatic, but users who copy this config into real projects inherit unnecessary DNS rebinding exposure.
Consider allowlisting only the sandbox domains instead (e.g., `allowedHosts: ['.csb.app']`), or add a code comment explaining why this is set so future readers don't copy it blindly into production contexts.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@examples/vue/virtualized-rows/vite.config.ts` around lines 6 - 8, The server config currently sets allowedHosts: true which disables host-header checks and enables DNS-rebinding risks; update the Vite server configuration (the server.allowedHosts setting in vite.config.ts) to restrict hosts instead of true — e.g., replace true with an explicit allowlist like ['.csb.app'] or other sandbox domains, or at minimum add a clear inline comment next to server.allowedHosts explaining this is intentionally permissive for the example sandbox and must not be copied to production.
examples/svelte/sorting/vite.config.js (1)
7-9: Use an array of allowed hostnames instead of `true` for host header verification. Setting `allowedHosts: true` disables Vite's host header verification, which can enable DNS rebinding attacks. While acceptable for example projects, a narrower allowlist (e.g., `['.localhost']`) is more restrictive without sacrificing usability. If this example needs to run on CodeSandbox, use `['.csb.app', '.codesandbox.io']` instead.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@examples/svelte/sorting/vite.config.js` around lines 7 - 9, The vite.config.js currently sets server.allowedHosts to true which disables host header verification; update the server.allowedHosts setting in the exported config object (symbol: server.allowedHosts) to an explicit array whitelist instead of true — e.g., ['.localhost'] for local examples or ['.csb.app', '.codesandbox.io'] when targeting CodeSandbox — to restore host verification while allowing required hostnames.
examples/react/row-selection/vite.config.js (1)
7-9: Acceptable for example projects; consider a shared Vite config to reduce duplication.
`allowedHosts: true` disables host header validation entirely, which is fine for these sandboxed example projects (CodeSandbox, StackBlitz, etc.) but worth noting it should never be carried into production configs. With 59 example configs receiving this identical change, a shared base config (e.g., a root-level `vite.config.shared.js` that each example spreads/merges) would make future maintenance of cross-cutting dev-server settings easier.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@examples/react/row-selection/vite.config.js` around lines 7 - 9, The example's vite.config.js currently sets server.allowedHosts = true (disables host header validation) per-file; extract common dev-server settings into a shared config (e.g., create vite.config.shared.js exporting an object or a defineConfig call with server.allowedHosts and other repeated options) and have each example's vite.config.js import and merge/spread that shared config before adding example-specific settings; update the example's vite.config.js to remove the inline server.allowedHosts setting and merge with the shared config so changes are made in one place and production-safe configs are not accidentally propagated.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@examples/lit/sorting-dynamic-data/vite.config.js`:
- Around line 6-8: The Vite server config uses server.allowedHosts in
vite.config.js but the package.json Vite version constraint "^5.3.2" is too low
and permits vulnerable releases; update the Vite dependency in package.json to
"^5.4.12" (or newer) to include the DNS-rebinding fix (GHSA-vg6x-rcgg-rjx6),
then run npm/yarn install and verify the resolved version; check for references
to "vite" and the "server.allowedHosts" config when validating the change.
In `@examples/react/column-groups/vite.config.js`:
- Around line 7-9: The Vite config uses server.allowedHosts which requires Vite
>= 5.4.12, so update the Vite version constraint in package.json (change the
dependency currently pinned to ^5.3.2) to ^5.4.12 or a newer compatible release,
then reinstall/update the lockfile (npm/yarn/pnpm) so the installed Vite matches
the config; ensure the change corresponds to the server.allowedHosts usage in
vite.config.js.
In `@examples/react/grouping/vite.config.js`:
- Around line 7-9: The Vite config uses server.allowedHosts
(server.allowedHosts) which isn’t available in Vite 5.3.2; update the project's
Vite dependency in package.json from the current constraint to a version that
includes this option (e.g., change the "vite" semver to ^5.4.12 or a later
compatible release such as ^6.0.9) so the config parses correctly; after
updating, run npm/yarn install and verify the example builds with the existing
vite.config.js containing server.allowedHosts.
In `@examples/solid/filters/vite.config.ts`:
- Around line 5-7: The Vite config currently sets server.allowedHosts which
isn’t supported by the project’s Vite version; either remove the
server.allowedHosts entry from vite.config.ts (delete the allowedHosts line
under the server config) or upgrade Vite to a compatible release (>=5.4.12,
6.0.9, or 4.5.6+) and then keep server.allowedHosts; update package.json and
lockfile if you choose to upgrade and run a fresh install to apply the new Vite
version.
---
Duplicate comments:
In `@examples/qwik/sorting/vite.config.ts`:
- Around line 6-8: The duplicate review comment indicates no additional code
change is needed—ensure the server.allowedHosts property remains set to true
(the server config object and allowedHosts symbol) and remove any accidental
duplicate edits or repeated blocks of the same server:{ allowedHosts: true }
change elsewhere in the diff so only a single authoritative assignment remains.
In `@examples/react/column-ordering/vite.config.js`:
- Around line 7-9: The server.allowedHosts value is set to true which is not the
intended Vite option; change server.allowedHosts to "all" to match the rest of
the examples and Vite's expected value. Locate the vite.config.js where
server.allowedHosts is set (search for allowedHosts in this file or the similar
example column-resizing-performant vite.config.js) and replace true with "all"
so the dev server accepts all hosts consistently across examples.
In `@examples/react/column-pinning-sticky/vite.config.js`:
- Around line 7-9: This change duplicates setting server.allowedHosts: true;
keep a single authoritative instance of the server config in vite.config.js by
ensuring the object contains allowedHosts: true (refer to server and
allowedHosts in the file) and remove or revert the duplicate change elsewhere so
the project only sets this value once and avoids conflicting/duplicate diffs.
In `@examples/react/column-sizing/vite.config.js`:
- Around line 7-9: The server config currently sets allowedHosts: true; ensure
this is intentionally permissive or change to the explicit allowedHosts array or
'all' string as needed—update the server configuration where allowedHosts is set
(the server.allowedHosts entry in vite config) to a more explicit policy (e.g.,
allowedHosts: ['your-domain.com'] or allowedHosts: 'all') if you don't want to
allow all hosts, and add a short comment clarifying the intended behavior.
In `@examples/react/column-visibility/vite.config.js`:
- Around line 7-9: There is a duplicate change adding server.allowedHosts: true;
consolidate/remove the duplicate so only one definition exists: locate the
server config object in vite.config.js (the server object and its allowedHosts
property) and remove the redundant block or merge the entries to keep a single
server.allowedHosts setting.
In `@examples/react/virtualized-rows/vite.config.js`:
- Around line 7-9: The review notes this is a duplicate comment for the same
change; remove the redundant instance so the change to the server config (the
server: { allowedHosts: true } block) appears only once in the PR, or
consolidate any duplicate edits to a single update to the server.allowedHosts
setting to avoid duplicated review comments.
In `@examples/svelte/column-visibility/vite.config.js`:
- Around line 7-9: Reviewer posted a duplicate comment — no code changes
required; keep the server configuration as-is (the server.allowedHosts property
set to true) and dismiss/resolve the duplicate review thread so only the
original comment remains.
| server: { | ||
| allowedHosts: true, | ||
| }, |
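Review bot: `allowedHosts: true` in this hunk switches off Vite's Host-header check completely, so the dev server answers for any `Host` value and gives up the DNS-rebinding protection the option exists for; Vite's own documentation warns against the `true` setting. Prefer an explicit allowlist of the sandbox hosts, e.g. `allowedHosts: ['.csb.app', '.codesandbox.io']`, and if `true` has to stay for CodeSandbox, put an inline comment on that line saying it is example-only so it is not copied into a real project. Note also that `server.allowedHosts` needs Vite >= 5.4.12 (or 6.0.9 / 4.5.6+), while other comments on this PR report example package.json files still constrained to `^5.3.2`; the version bump and lockfile update belong in the same PR as this config change.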
🧩 Analysis chain
🌐 Web query:
Vite server.allowedHosts configuration true boolean
💡 Result:
In Vite, server.allowedHosts supports a boolean true value.
- Type: `string[] | true` (default: `[]`) (main.vitejs.dev)
- Meaning of `true`: the dev server will respond to requests for any `Host` header (i.e., no host allowlist enforcement). (main.vitejs.dev)
- Security warning: setting it to `true` is not recommended because it can enable DNS rebinding attacks (leaking your dev server content/source). Prefer an explicit list. (main.vitejs.dev)
Example:
```js
// vite.config.js
import { defineConfig } from 'vite'
export default defineConfig({
  server: {
    allowedHosts: true,
  },
})
```
Note: there’s at least one report that allowedHosts: true didn’t behave as expected in Vite 6.0.9 (issue closed “not planned”). (github.com)
Citations:
- 1: https://main.vitejs.dev/config/server-options?utm_source=openai
- 2: https://main.vitejs.dev/config/server-options?utm_source=openai
- 3: https://main.vitejs.dev/config/server-options?utm_source=openai
- 4: [vite 6.0.9] option server.allowedHosts doesn't take into account "true" vitejs/vite#19242
Add a clarifying comment and consider version compatibility.
allowedHosts: true is valid Vite syntax (type: string[] | true), but Vite's documentation explicitly warns against this setting because it enables DNS rebinding attacks. For CodeSandbox compatibility, consider adding a code comment explaining this security tradeoff, or use an explicit host allowlist instead. Also note that Vite 6.0.9 had a reported issue where allowedHosts: true didn't behave as expected (may want to test in your target Vite version).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@examples/react/query-router-search-params/vite.config.js` around lines 8 -
10, The server.allowedHosts setting currently uses allowedHosts: true which is
valid but insecure; update the vite.config.js to add a clarifying comment next
to server.allowedHosts explaining the DNS rebinding risk and that true is used
for CodeSandbox compatibility, and replace it with an explicit host allowlist
(string[] of allowed hosts) where possible; also add a note about testing
against Vite versions (e.g., v6.0.9) because that version had reports of
allowedHosts:true not behaving as expected so verify behavior in your target
Vite release.
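To make the `string[] | true` semantics from the web query result above concrete, here is an added example (not Vite's implementation and not code from this PR) that models the Host-header allowlist check: an entry beginning with a dot matches that domain and its subdomains, other entries match exactly, and `true` skips the check altogether. The implicit acceptance of `localhost`, `*.localhost` and IP literals is an assumption modelled on Vite's documented defaults.

```javascript
// Added example (not Vite's own implementation): a minimal model of the
// Host-header allowlist that server.allowedHosts (string[] | true) configures.
// Assumption: localhost, *.localhost and IP literals are implicitly allowed,
// modelled on Vite's documented defaults.

// Strip an optional :port from a Host header value; bracketed IPv6
// literals such as "[::1]:5173" yield "[::1]".
function hostnameFromHeader(hostHeader) {
  const h = (hostHeader || '').trim().toLowerCase()
  if (h.startsWith('[')) {
    const end = h.indexOf(']')
    return end === -1 ? h : h.slice(0, end + 1)
  }
  const colon = h.indexOf(':')
  return colon === -1 ? h : h.slice(0, colon)
}

// Hosts accepted regardless of the configured list (assumed defaults).
function isImplicitlyAllowed(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return true // IPv4 literal
  return hostname.startsWith('[') && hostname.endsWith(']') // IPv6 literal
}

// allowedHosts === true: every Host value passes, which is exactly what
// removes the DNS-rebinding defence. An array entry beginning with "."
// matches that domain and all of its subdomains; other entries match exactly.
function isHostAllowed(hostHeader, allowedHosts) {
  if (allowedHosts === true) return true
  const hostname = hostnameFromHeader(hostHeader)
  if (hostname === '') return false
  if (isImplicitlyAllowed(hostname)) return true
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase()
    if (e.startsWith('.')) return hostname === e.slice(1) || hostname.endsWith(e)
    return hostname === e
  })
}

// Constructed sample requests: the sandbox allowlist admits a csb.app
// subdomain and rejects a Host outside the sandbox; `true` admits everything.
const sandboxOnly = ['.csb.app', '.codesandbox.io']
const checks = [
  ['localhost:5173', sandboxOnly],
  ['abc123-5173.csb.app', sandboxOnly],
  ['not-the-sandbox.example', sandboxOnly],
  ['not-the-sandbox.example', true],
].map(([host, policy]) => `${host} -> ${isHostAllowed(host, policy)}`)
console.log(checks.join('\n'))
```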