feat: add .git to deny list by default #18382
Conversation
patak-dev
added
p2-nice-to-have
|
|
| @@ -1035,7 +1035,12 @@ export function resolveServerOptions( | |||
| middlewareMode: raw?.middlewareMode || false, | |||
| } | |||
| let allowDirs = server.fs?.allow | |||
| const deny = server.fs?.deny || ['.env', '.env.*', '*.{crt,pem}'] | |||
| const deny = server.fs?.deny || [ | |||
There was a problem hiding this comment.
do we want to push the .git in any case even with user provided list, and do we need the glob at start and end or is .git by itself enough?
There was a problem hiding this comment.
I think it is better to have the glob at the start, it doesn't hurt and it could cover some edge cases (the repo being nested in the root).
About adding it always, I thought about that, but I think it is better to keep the current way. If deny: [], it should mean that the user wants to expose everything.
There was a problem hiding this comment.
we might want to export our default deny list so that the user can do [...viteDeny, 'my','own','stuff'] without resorting to a config plugin
There was a problem hiding this comment.
Yes, that is a good idea 👍🏼
Let's do it in a separate PR
Description
Even if credentials shouldn't be committed to git, we discussed with others in the team that it makes sense to add
.gitto the default server deny list.