
fix(@angular/build): support Vite allowedHosts option for development server #29466


Merged: 1 commit, Jan 23, 2025


@clydin clydin commented Jan 23, 2025

Vite version 6.0.9+, which is now used by the Angular CLI, contains a potentially breaking change for some development setups. Examples of such setups include those that use reverse proxies or custom host names during development. The change within a patch release was made by Vite to address a security vulnerability. For projects that directly access the development server via localhost, no changes should be needed. However, some development setups may now need to adjust the newly introduced allowedHosts development server option. This option can include an array of host names that are allowed to communicate with the development server. The option sets the corresponding Vite option within the Angular CLI. For more information on the option and its specific behavior, please see the Vite documentation located here:
https://vite.dev/config/server-options.html#server-allowedhosts

The following is an example of the configuration option allowing example.com:

```
"serve": {
      "builder": "@angular/build:dev-server",
      "options": {
        "allowedHosts": ["example.com"]
      },
```

Additional details on the vulnerability can be found here: GHSA-vg6x-rcgg-rjx6
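
Added example (not part of the pull request, and not Vite's or Angular's source): a simplified sketch of the kind of `Host` header check that an `allowedHosts` list drives, following the defaults described in the Vite documentation linked above (`localhost`, names under `.localhost` and IP literals are always accepted; an entry with a leading `.` also matches subdomains). The function names are hypothetical and the sample host names are constructed.

```javascript
// Added illustration: simplified Host-header allowlist check for a dev server.
// Not Vite's or Angular's implementation; all function names are hypothetical.

// Extract the lower-cased hostname from a Host header value, dropping any port.
function hostnameFromHeader(hostHeader) {
  const value = String(hostHeader || '').trim().toLowerCase();
  if (value.startsWith('[')) {
    // Bracketed IPv6 literal such as "[::1]:4200": keep the brackets, drop the port.
    const end = value.indexOf(']');
    return end === -1 ? '' : value.slice(0, end + 1);
  }
  const colon = value.lastIndexOf(':');
  return colon === -1 ? value : value.slice(0, colon);
}

// True for a bracketed IPv6 literal or a dotted-quad IPv4 literal.
function isIpLiteral(hostname) {
  if (hostname.startsWith('[') && hostname.endsWith(']')) return true;
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Decide whether a request with this Host header should be served.
// allowedHosts is an array of host names, as in the angular.json option above.
function isHostAllowed(hostHeader, allowedHosts) {
  const hostname = hostnameFromHeader(hostHeader);
  if (!hostname) return false; // missing or malformed Host header
  // Defaults that need no configuration (per the Vite documentation).
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (isIpLiteral(hostname)) return true;
  return allowedHosts.some((entry) => {
    const allowed = String(entry).toLowerCase();
    if (allowed.startsWith('.')) {
      // ".example.com" matches example.com and every subdomain of it.
      return hostname === allowed.slice(1) || hostname.endsWith(allowed);
    }
    return hostname === allowed; // plain entries are exact matches only
  });
}
```

A plain entry such as `"example.com"` is an exact match here, so a reverse proxy that forwards `dev.example.com` needs either that name listed or a `.example.com` entry.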

@clydin clydin added the target: minor This PR is targeted for the next minor release label Jan 23, 2025
@clydin clydin force-pushed the vite-allowed-hosts branch from 7e3c147 to 7db8e28 Compare January 23, 2025 21:57
```
 * @param options An options object.
 * @returns
 */
export async function executeOnceAndGet<T>(
```

Consider: Would it be worth sharing the "executeOnce" part of these two functions and refactoring that into a shared utility so the major difference is the fetch vs. http part? This way future changes don't risk diverging the two.

…nt server

Vite version 6.0.9+, which is now used by the Angular CLI, contains a potentially
breaking change for some development setups. Examples of such setups include those
that use reverse proxies or custom host names during development. The change within
a patch release was made by Vite to address a security vulnerability. For
projects that directly access the development server via `localhost`, no changes should
be needed. However, some development setups may now need to adjust the newly
introduced `allowedHosts` development server option. This option can include an array
of host names that are allowed to communicate with the development server. The option
sets the corresponding Vite option within the Angular CLI.
For more information on the option and its specific behavior, please see the Vite
documentation located here:
https://vite.dev/config/server-options.html#server-allowedhosts

The following is an example of the configuration option allowing `example.com`:
```
"serve": {
      "builder": "@angular/build:dev-server",
      "options": {
        "allowedHosts": ["example.com"]
      },
```

Additional details on the vulnerability can be found here:
GHSA-vg6x-rcgg-rjx6
@clydin clydin force-pushed the vite-allowed-hosts branch from 7db8e28 to c2f1d35 Compare January 23, 2025 22:08
@clydin clydin added the action: merge The PR is ready for merge by the caretaker label Jan 23, 2025
@clydin clydin merged commit f836be9 into angular:main Jan 23, 2025
31 checks passed
@clydin clydin deleted the vite-allowed-hosts branch January 23, 2025 23:48