fix(ssr): use browser platform for webworker SSR builds (fix #21969)#21963
Merged
sapphi-red merged 3 commits intovitejs:mainfrom Apr 2, 2026
Merged
fix(ssr): use browser platform for webworker SSR builds (fix #21969)#21963sapphi-red merged 3 commits intovitejs:mainfrom
sapphi-red merged 3 commits intovitejs:mainfrom
Conversation
jmalmo
force-pushed
the
fix/worker-ssr-platform-default
branch
from
5804f73 to
8ca76e0
Compare
jmalmo
changed the title
7 tasks
jmalmo
force-pushed
the
fix/worker-ssr-platform-default
branch
from
2b8c0bb to
04f98ee
Compare
jmalmo
changed the title
…1962) resolveBuildEnvironmentOptions() defaults all server builds to rolldownOptions.platform: 'node', which causes Rolldown to emit createRequire(import.meta.url) for CJS interop. On Cloudflare Workers, import.meta.url is undefined, so this crashes at module load time. Vite already computes isSsrTargetWebworkerEnvironment in resolveEnvironmentOptions() and uses it for resolve conditions and output defaults. This change: 1. Propagates isSsrTargetWebworkerEnvironment into the build platform default so webworker SSR uses 'browser' instead of 'node' 2. Adds esmExternalRequirePlugin for webworker SSR so external CJS require() calls are converted to ESM imports 3. Adds regression test with CJS fixture in playground/ssr-webworker
jmalmo
force-pushed
the
fix/worker-ssr-platform-default
branch
from
04f98ee to
83db1ea
Compare
7 tasks
sapphi-red
added
p3-downstream-blocker
sapphi-red
reviewed
Mar 26, 2026
Member
sapphi-red
left a comment
sapphi-red
left a comment
There was a problem hiding this comment.
The approach looks good to me. Do you have a reason to keep this as draft?
Co-authored-by: 翠 <green@sapphi.red>
Contributor
Author
|
Thanks for the review, @sapphi-red ! Removed the draft status now - I opened it that way to get initial feedback on the approach before polishing, and forgot to mark it ready. Committed your suggestions. |
MrNaif2018
pushed a commit
to bitcart/bitcart-frontend
that referenced
this pull request
Apr 6, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`8.0.3` → `8.0.5`](https://renovatebot.com/diffs/npm/vite/8.0.3/8.0.5) |  |  | --- ### Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling [GHSA-4w7w-66w2-5vf9](GHSA-4w7w-66w2-5vf9) <details> <summary>More information</summary> #### Details ##### Summary Any files ending with `.map` even out side the project can be returned to the browser. ##### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - have a sensitive content in files ending with `.map` and the path is predictable ##### Details In Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON. ##### PoC 1. Create a minimal PoC sourcemap outside the project root ```bash cat > /tmp/poc.map <<'EOF' {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""} EOF ``` 2. Start the Vite dev server (example) ```bash pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080 ``` 3. Confirm that direct `/@​fs` access is blocked by `strict` (returns 403) <img width="4004" height="1038" alt="image" src="https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab" /> 4. Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map` <img width="2790" height="846" alt="image" src="https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2" /> #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9](https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9) - [https://github.com/vitejs/vite/pull/22161](https://github.com/vitejs/vite/pull/22161) - [https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694](https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694) - [https://github.com/vitejs/vite](https://github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v6.4.2](https://github.com/vitejs/vite/releases/tag/v6.4.2) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-4w7w-66w2-5vf9) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket [GHSA-p9ff-h696-f583](GHSA-p9ff-h696-f583) <details> <summary>More information</summary> #### Details ##### Summary [`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced to the `fetchModule` method that is exposed in Vite dev server's WebSocket. ##### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - WebSocket is not disabled by `server.ws: false` Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed. ##### Details If it is possible to connect to the Vite dev server’s WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., `export default "..."`). The access control enforced in the HTTP request path (such as `server.fs.allow`) is not applied to this WebSocket-based execution path. ##### PoC 1. Start the dev server on the target Example (used during validation with this repository): ```bash pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173 ``` 2. Confirm that access is blocked via the HTTP path (example: arbitrary file) ```bash curl -i 'http://localhost:5173/@​fs/etc/passwd?raw' ``` Result: `403 Restricted` (outside the allow list) <img width="3898" height="1014" alt="image" src="https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af" /> 3. Confirm that the same file can be retrieved via the WebSocket path By connecting to the HMR WebSocket without an `Origin` header and sending a `vite:invoke` request that calls `fetchModule` with a `file://...` URL and `?raw`, the file contents are returned as a JavaScript module. <img width="1049" height="296" alt="image" src="https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972" /> <img width="1382" height="955" alt="image" src="https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7" /> #### Severity - CVSS Score: 8.2 / 10 (High) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583](https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583) - [https://github.com/vitejs/vite/pull/22159](https://github.com/vitejs/vite/pull/22159) - [https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0](https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0) - [https://github.com/vitejs/vite](https://github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v6.4.2](https://github.com/vitejs/vite/releases/tag/v6.4.2) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-p9ff-h696-f583) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Vite: `server.fs.deny` bypassed with queries [GHSA-v2wj-q39q-566r](GHSA-v2wj-q39q-566r) <details> <summary>More information</summary> #### Details ##### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser. ##### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow) - the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) ##### Details On the Vite dev server, files that should be blocked by `server.fs.deny` (e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` are appended. ##### PoC 1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort` 2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i http://127.0.0.1:5175/src/.env | head -n 20` <img width="3944" height="1092" alt="image" src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f" /> 3. Confirm that the same files can be retrieved with query parameters (expect 200): <img width="2014" height="373" alt="image" src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8" /> #### Severity - CVSS Score: 8.2 / 10 (High) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r](https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r) - [https://github.com/vitejs/vite/pull/22160](https://github.com/vitejs/vite/pull/22160) - [https://github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff](https://github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff) - [https://github.com/vitejs/vite](https://github.com/vitejs/vite) - [https://github.com/vitejs/vite/releases/tag/v7.3.2](https://github.com/vitejs/vite/releases/tag/v7.3.2) - [https://github.com/vitejs/vite/releases/tag/v8.0.5](https://github.com/vitejs/vite/releases/tag/v8.0.5) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-v2wj-q39q-566r) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v8.0.5`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-805-2026-04-06-small) [Compare Source](vitejs/vite@v8.0.4...v8.0.5) ##### Bug Fixes - apply server.fs check to env transport ([#​22159](vitejs/vite#22159)) ([f02d9fd](vitejs/vite@f02d9fd)) - avoid path traversal with optimize deps sourcemap handler ([#​22161](vitejs/vite#22161)) ([79f002f](vitejs/vite@79f002f)) - check `server.fs` after stripping query as well ([#​22160](vitejs/vite#22160)) ([a9a3df2](vitejs/vite@a9a3df2)) - disallow referencing files outside the package from sourcemap ([#​22158](vitejs/vite#22158)) ([f05f501](vitejs/vite@f05f501)) ### [`v8.0.4`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-804-2026-04-06-small) [Compare Source](vitejs/vite@v8.0.3...v8.0.4) ##### Features - allow esbuild 0.28 as peer deps ([#​22155](vitejs/vite#22155)) ([b0da973](vitejs/vite@b0da973)) - **hmr:** truncate list of files on hmr update ([#​21535](vitejs/vite#21535)) ([d00e806](vitejs/vite@d00e806)) - **optimizer:** log when dependency scanning or bundling takes over 1s ([#​21797](vitejs/vite#21797)) ([f61a1ab](vitejs/vite@f61a1ab)) ##### Bug Fixes - `hasBothRollupOptionsAndRolldownOptions` should return `false` for proxy case ([#​22043](vitejs/vite#22043)) ([99897d2](vitejs/vite@99897d2)) - add types for `vite/modulepreload-polyfill` ([#​22126](vitejs/vite#22126)) ([17330d2](vitejs/vite@17330d2)) - **deps:** update all non-major dependencies ([#​22073](vitejs/vite#22073)) ([6daa10f](vitejs/vite@6daa10f)) - **deps:** update all non-major dependencies ([#​22143](vitejs/vite#22143)) ([22b0166](vitejs/vite@22b0166)) - **resolve:** resolve tsconfig paths starting with `#` ([#​22038](vitejs/vite#22038)) ([3460fc5](vitejs/vite@3460fc5)) - **ssr:** use browser platform for webworker SSR builds (fix [#​21969](vitejs/vite#21969)) ([#​21963](vitejs/vite#21963)) ([364c227](vitejs/vite@364c227)) ##### Documentation - add `environment.fetchModule` documentation ([#​22035](vitejs/vite#22035)) ([54229e7](vitejs/vite@54229e7)) ##### Miscellaneous Chores - **deps:** update rolldown-related dependencies ([#​21989](vitejs/vite#21989)) ([0ded627](vitejs/vite@0ded627)) ##### Code Refactoring - upgrade to typescript 6 ([#​22110](vitejs/vite#22110)) ([cc41398](vitejs/vite@cc41398)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIwLjAuMC1zZW1hbnRpYy1yZWxlYXNlIiwidXBkYXRlZEluVmVyIjoiMC4wLjAtc2VtYW50aWMtcmVsZWFzZSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJzZWN1cml0eSJdfQ==--> Reviewed-on: https://git.bitcart.ai/bitcart/bitcart-frontend/pulls/183
renovate bot
added a commit
to andrei-picus-tink/auto-renovate
that referenced
this pull request
Apr 15, 2026
| datasource | package | from | to | | ---------- | ------- | ----- | ----- | | npm | vite | 7.3.1 | 8.0.8 | ## [v8.0.8](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-808-2026-04-09-small) ##### Features - update rolldown to 1.0.0-rc.15 ([#22201](vitejs/vite#22201)) ([6baf587](vitejs/vite@6baf587)) ##### Bug Fixes - avoid `dns.getDefaultResultOrder` temporary ([#22202](vitejs/vite#22202)) ([15f1c15](vitejs/vite@15f1c15)) - **ssr:** class property keys hoisting matching imports ([#22199](vitejs/vite#22199)) ([e137601](vitejs/vite@e137601)) ## [v8.0.7](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-807-2026-04-07-small) ##### Bug Fixes - use sync dns.getDefaultResultOrder instead of dns.promises ([#22185](vitejs/vite#22185)) ([5c05b04](vitejs/vite@5c05b04)) ## [v8.0.6](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-806-2026-04-07-small) ##### Features - update rolldown to 1.0.0-rc.13 ([#22097](vitejs/vite#22097)) ([51d3e48](vitejs/vite@51d3e48)) ##### Bug Fixes - **css:** avoid mutating sass error multiple times ([#22115](vitejs/vite#22115)) ([d5081c2](vitejs/vite@d5081c2)) - **optimize-deps:** hoist CJS interop assignment ([#22156](vitejs/vite#22156)) ([17a8f9e](vitejs/vite@17a8f9e)) ##### Performance Improvements - early return in `getLocalhostAddressIfDiffersFromDNS` when DNS order is `verbatim` ([#22151](vitejs/vite#22151)) ([56ec256](vitejs/vite@56ec256)) ##### Miscellaneous Chores - **create-vite:** remove unnecessary DOM.Iterable ([#22168](vitejs/vite#22168)) ([bdc53ab](vitejs/vite@bdc53ab)) - replace remaining prettier script ([#22179](vitejs/vite#22179)) ([af71fb2](vitejs/vite@af71fb2)) ## [v8.0.5](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-805-2026-04-06-small) ##### Bug Fixes - apply server.fs check to env transport ([#22159](vitejs/vite#22159)) ([f02d9fd](vitejs/vite@f02d9fd)) - avoid path traversal with optimize deps sourcemap handler ([#22161](vitejs/vite#22161)) ([79f002f](vitejs/vite@79f002f)) - check `server.fs` after stripping query as well ([#22160](vitejs/vite#22160)) ([a9a3df2](vitejs/vite@a9a3df2)) - disallow referencing files outside the package from sourcemap ([#22158](vitejs/vite#22158)) ([f05f501](vitejs/vite@f05f501)) ## [v8.0.4](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-804-2026-04-06-small) ##### Features - allow esbuild 0.28 as peer deps ([#22155](vitejs/vite#22155)) ([b0da973](vitejs/vite@b0da973)) - **hmr:** truncate list of files on hmr update ([#21535](vitejs/vite#21535)) ([d00e806](vitejs/vite@d00e806)) - **optimizer:** log when dependency scanning or bundling takes over 1s ([#21797](vitejs/vite#21797)) ([f61a1ab](vitejs/vite@f61a1ab)) ##### Bug Fixes - `hasBothRollupOptionsAndRolldownOptions` should return `false` for proxy case ([#22043](vitejs/vite#22043)) ([99897d2](vitejs/vite@99897d2)) - add types for `vite/modulepreload-polyfill` ([#22126](vitejs/vite#22126)) ([17330d2](vitejs/vite@17330d2)) - **deps:** update all non-major dependencies ([#22073](vitejs/vite#22073)) ([6daa10f](vitejs/vite@6daa10f)) - **deps:** update all non-major dependencies ([#22143](vitejs/vite#22143)) ([22b0166](vitejs/vite@22b0166)) - **resolve:** resolve tsconfig paths starting with `#` ([#22038](vitejs/vite#22038)) ([3460fc5](vitejs/vite@3460fc5)) - **ssr:** use browser platform for webworker SSR builds (fix [#21969](vitejs/vite#21969)) ([#21963](vitejs/vite#21963)) ([364c227](vitejs/vite@364c227)) ##### Documentation - add `environment.fetchModule` documentation ([#22035](vitejs/vite#22035)) ([54229e7](vitejs/vite@54229e7)) ##### Miscellaneous Chores - **deps:** update rolldown-related dependencies ([#21989](vitejs/vite#21989)) ([0ded627](vitejs/vite@0ded627)) ##### Code Refactoring - upgrade to typescript 6 ([#22110](vitejs/vite#22110)) ([cc41398](vitejs/vite@cc41398)) ## [v8.0.3](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-803-2026-03-26-small) ##### Features - update rolldown to 1.0.0-rc.12 ([#22024](vitejs/vite#22024)) ([84164ef](vitejs/vite@84164ef)) ##### Bug Fixes - **html:** cache unfiltered CSS list to prevent missing styles across entries ([#22017](vitejs/vite#22017)) ([5464190](vitejs/vite@5464190)) - **module-runner:** handle non-ascii characters in base64 sourcemaps ([#21985](vitejs/vite#21985)) ([77c95bf](vitejs/vite@77c95bf)) - **module-runner:** skip re-import if the runner is closed ([#22020](vitejs/vite#22020)) ([ee2c2cd](vitejs/vite@ee2c2cd)) - **optimizer:** scan is not resolving sub path import if used in a glob import ([#22018](vitejs/vite#22018)) ([ddfe20d](vitejs/vite@ddfe20d)) - **ssr:** ssrTransform incorrectly rewrites `meta` identifier inside `import.meta` when a binding named `meta` exists ([#22019](vitejs/vite#22019)) ([cff5f0c](vitejs/vite@cff5f0c)) ##### Miscellaneous Chores - **deps:** bump picomatch from 4.0.3 to 4.0.4 ([#22027](vitejs/vite#22027)) ([7e56003](vitejs/vite@7e56003)) ##### Tests - **html:** add tests for `getCssFilesForChunk` ([#22016](vitejs/vite#22016)) ([43fbbf9](vitejs/vite@43fbbf9)) ## [v8.0.2](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-802-2026-03-23-small) ##### Features - update rolldown to 1.0.0-rc.11 ([#21998](vitejs/vite#21998)) ([ff91c31](vitejs/vite@ff91c31)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#21988](vitejs/vite#21988)) ([9b7d150](vitejs/vite@9b7d150)) ##### Miscellaneous Chores - **deps:** update dependency [@vitejs/devtools](https://github.com/vitejs/devtools) to ^0.1.5 ([#21992](vitejs/vite#21992)) ([b2dd65b](vitejs/vite@b2dd65b)) ## [v8.0.1](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-801-2026-03-19-small) ##### Features - update rolldown to 1.0.0-rc.10 ([#21932](vitejs/vite#21932)) ([b3c067d](vitejs/vite@b3c067d)) ##### Bug Fixes - **bundled-dev:** properly disable `inlineConst` optimization ([#21865](vitejs/vite#21865)) ([6d97142](vitejs/vite@6d97142)) - **css:** lightningcss minify failed when `build.target: 'es6'` ([#21933](vitejs/vite#21933)) ([5fcce46](vitejs/vite@5fcce46)) - **deps:** update all non-major dependencies ([#21878](vitejs/vite#21878)) ([6dbbd7f](vitejs/vite@6dbbd7f)) - **dev:** always use ESM Oxc runtime ([#21829](vitejs/vite#21829)) ([d323ed7](vitejs/vite@d323ed7)) - **dev:** handle concurrent restarts in `_createServer` ([#21810](vitejs/vite#21810)) ([40bc729](vitejs/vite@40bc729)) - handle `+` symbol in package subpath exports during dep optimization ([#21886](vitejs/vite#21886)) ([86db93d](vitejs/vite@86db93d)) - improve `no-cors` request block error ([#21902](vitejs/vite#21902)) ([5ba688b](vitejs/vite@5ba688b)) - use precise regexes for transform filter to avoid backtracking ([#21800](vitejs/vite#21800)) ([dbe41bd](vitejs/vite@dbe41bd)) - **worker:** `require(json)` result should not be wrapped ([#21847](vitejs/vite#21847)) ([0672fd2](vitejs/vite@0672fd2)) - **worker:** make worker output consistent with client and SSR ([#21871](vitejs/vite#21871)) ([69454d7](vitejs/vite@69454d7)) ##### Miscellaneous Chores - add changelog rearrange script ([#21835](vitejs/vite#21835)) ([efef073](vitejs/vite@efef073)) - **deps:** bump required `@vitejs/devtools` version to 0.1+ ([#21925](vitejs/vite#21925)) ([12932f5](vitejs/vite@12932f5)) - **deps:** update rolldown-related dependencies ([#21787](vitejs/vite#21787)) ([1af1d3a](vitejs/vite@1af1d3a)) - rearrange 8.0 changelog ([8e05b61](vitejs/vite@8e05b61)) - rearrange 8.0 changelog ([#21834](vitejs/vite#21834)) ([86edeee](vitejs/vite@86edeee)) ## [v8.0.0](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#800-2026-03-12) ##### Features - update rolldown to 1.0.0-rc.9 ([#21813](vitejs/vite#21813)) ([f05be0e](vitejs/vite@f05be0e)) - warn when `vite-tsconfig-paths` plugin is detected ([#21781](vitejs/vite#21781)) ([ada493e](vitejs/vite@ada493e)) ##### Bug Fixes - **deps:** update all non-major dependencies ([#21786](vitejs/vite#21786)) ([eaa4352](vitejs/vite@eaa4352)) ## [v7.3.2](https://github.com/vitejs/vite/releases/tag/v7.3.2) Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md) for details.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
resolveBuildEnvironmentOptions()defaults all server builds torolldownOptions.platform: 'node', including whenssr.targetis'webworker'. This causes Rolldown to emitcreateRequire(import.meta.url)for CJS interop, which crashes on Cloudflare Workers whereimport.meta.urlisundefined.Vite already computes
isSsrTargetWebworkerEnvironmentinresolveEnvironmentOptions()and uses it for resolve conditions,keepProcessEnv, and output defaults. This PR propagates it into the build platform default so webworker SSR uses'browser'instead of'node'.We use
'browser'rather than'neutral'because it aligns with Vite's existing resolve conditions for webworker targets (defaultClientConditions+worker).Additionally, this adds Rolldown's
esmExternalRequirePluginfor webworker SSR builds so that external CJSrequire()calls are converted to ESM imports — sincecreateRequireis not available underplatform: 'browser'.Changes
packages/vite/src/node/build.ts: AddisSsrTargetWebworkerEnvironmentparameter toresolveBuildEnvironmentOptions(). Use it to select'browser'platform for webworker SSR. AddesmExternalRequirePluginfor webworker SSR builds.packages/vite/src/node/config.ts: PassisSsrTargetWebworkerEnvironmentthrough toresolveBuildEnvironmentOptions().playground/ssr-webworker/__tests__/ssr-webworker.spec.ts: Add regression test asserting the build output does not containcreateRequire.Fixes #21969