fix(deps): update sirv to 2.0.3 (#13057)

package.json

@@ -128,8 +128,8 @@
     },
     "patchedDependencies": {
       "dotenv-expand@9.0.0": "patches/dotenv-expand@9.0.0.patch",
-      "sirv@2.0.2": "patches/sirv@2.0.2.patch",
-      "chokidar@3.5.3": "patches/chokidar@3.5.3.patch"
+      "chokidar@3.5.3": "patches/chokidar@3.5.3.patch",
+      "sirv@2.0.3": "patches/sirv@2.0.3.patch"
     }
   },
   "stackblitz": {

packages/vite/package.json

@@ -123,7 +123,7 @@
     "postcss-modules": "^6.0.0",
     "resolve.exports": "^2.0.2",
     "rollup-plugin-license": "^3.0.1",
-    "sirv": "^2.0.2",
+    "sirv": "^2.0.3",
     "source-map-support": "^0.5.21",
     "strip-ansi": "^7.0.1",
     "strip-literal": "^1.0.1",

packages/vite/src/node/server/middlewares/static.ts

@@ -102,7 +102,7 @@ export function serveStaticMiddleware(
     }
 
     const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
-    const pathname = decodeURIComponent(url.pathname)
+    const pathname = decodeURI(url.pathname)
 
     // apply aliases to static requests as well
     let redirectedPathname: string | undefined
@@ -136,7 +136,7 @@ export function serveStaticMiddleware(
     }
 
     if (redirectedPathname) {
-      url.pathname = encodeURIComponent(redirectedPathname)
+      url.pathname = encodeURI(redirectedPathname)
       req.url = url.href.slice(url.origin.length)
     }
 
@@ -160,7 +160,7 @@ export function serveRawFsMiddleware(
     // the paths are rewritten to `/@fs/` prefixed paths and must be served by
     // searching based from fs root.
     if (url.pathname.startsWith(FS_PREFIX)) {
-      const pathname = decodeURIComponent(url.pathname)
+      const pathname = decodeURI(url.pathname)
       // restrict files outside of `fs.allow`
       if (
         !ensureServingAccess(
@@ -176,7 +176,7 @@ export function serveRawFsMiddleware(
       let newPathname = pathname.slice(FS_PREFIX.length)
       if (isWindows) newPathname = newPathname.replace(/^[A-Z]:/i, '')
 
-      url.pathname = encodeURIComponent(newPathname)
+      url.pathname = encodeURI(newPathname)
       req.url = url.href.slice(url.origin.length)
       serveFromRoot(req, res, next)
     } else {

patches/sirv@2.0.2.patch → patches/sirv@2.0.3.patch

@@ -1,5 +1,5 @@
 diff --git a/build.js b/build.js
-index b046ee138b1f9047c70beaeea7279d3476d7e8cd..574ce1410a1344a4db292803d05c303f8c03767c 100644
+index 0884d9ffaa24d0ae3ec020a6faff12b3125b2071..85b82c90346e829bbf723e913f282c80096df061 100644
 --- a/build.js
 +++ b/build.js
 @@ -35,7 +35,7 @@ function viaCache(cache, uri, extns) {
@@ -19,7 +19,7 @@ index b046ee138b1f9047c70beaeea7279d3476d7e8cd..574ce1410a1344a4db292803d05c303f
  			headers = toHeaders(name, stats, isEtag);
  			headers['Cache-Control'] = isEtag ? 'no-cache' : 'no-store';
  			return { abs, stats, headers };
-@@ -172,7 +173,7 @@ module.exports = function (dir, opts={}) {
+@@ -176,7 +177,7 @@ module.exports = function (dir, opts={}) {
  			catch (err) { /* malform uri */ }
  		}
 
@@ -29,7 +29,7 @@ index b046ee138b1f9047c70beaeea7279d3476d7e8cd..574ce1410a1344a4db292803d05c303f
 
  		if (isEtag && req.headers['if-none-match'] === data.headers['ETag']) {
 diff --git a/build.mjs b/build.mjs
-index fe01068d0dd3f788a0978802db1747dd83c5825e..fb099c38cc2cbd59300471e7307625e2fc127f0c 100644
+index c93bbe6bdfb7ad13ee20f0c44d80d6aacdd64087..3dc3e22f09abcae51aef7b75c34dc08b1f6e6abd 100644
 --- a/build.mjs
 +++ b/build.mjs
 @@ -35,7 +35,7 @@ function viaCache(cache, uri, extns) {
@@ -49,7 +49,7 @@ index fe01068d0dd3f788a0978802db1747dd83c5825e..fb099c38cc2cbd59300471e7307625e2
  			headers = toHeaders(name, stats, isEtag);
  			headers['Cache-Control'] = isEtag ? 'no-cache' : 'no-store';
  			return { abs, stats, headers };
-@@ -172,7 +173,7 @@ export default function (dir, opts={}) {
+@@ -176,7 +177,7 @@ export default function (dir, opts={}) {
  			catch (err) { /* malform uri */ }
  		}
 

playground/fs-serve/__tests__/fs-serve.spec.ts

@@ -43,14 +43,12 @@ describe.runIf(isServe)('main', () => {
   })
 
   test('unsafe fetch with special characters (#8498)', async () => {
-    expect(await page.textContent('.unsafe-fetch-8498')).toMatch(
-      '403 Restricted',
-    )
-    expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('403')
+    expect(await page.textContent('.unsafe-fetch-8498')).toBe('')
+    expect(await page.textContent('.unsafe-fetch-8498-status')).toBe('404')
   })
 
   test('unsafe fetch with special characters 2 (#8498)', async () => {
-    expect(await page.textContent('.unsafe-fetch-8498-2')).toMatch('')
+    expect(await page.textContent('.unsafe-fetch-8498-2')).toBe('')
     expect(await page.textContent('.unsafe-fetch-8498-2-status')).toBe('404')
   })
 
@@ -78,7 +76,7 @@ describe.runIf(isServe)('main', () => {
 
   test('unsafe fs fetch with special characters (#8498)', async () => {
     expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('')
-    expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403')
+    expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('404')
   })
 
   test('unsafe fs fetch with special characters 2 (#8498)', async () => {

playground/lib/package.json

@@ -8,5 +8,8 @@
     "build": "vite build",
     "debug": "node --inspect-brk ../../packages/vite/bin/vite",
     "preview": "vite preview"
+  },
+  "devDependencies": {
+    "sirv": "^2.0.3"
   }
 }

playground/package.json

@@ -10,7 +10,6 @@
     "convert-source-map": "^2.0.0",
     "css-color-names": "^1.0.1",
     "kill-port": "^1.6.1",
-    "node-fetch": "^3.3.1",
-    "sirv": "^2.0.2"
+    "node-fetch": "^3.3.1"
   }
 }