From 3b77863ea2dfaa7e8ad871f91639bddb3b0691ff Mon Sep 17 00:00:00 2001
From: Romuald Brillout
Date: Thu, 1 Dec 2022 20:58:51 +0100
Subject: [PATCH 1/2] fix: stop considering parent URLs as public file
---
 packages/vite/src/node/plugins/asset.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/vite/src/node/plugins/asset.ts b/packages/vite/src/node/plugins/asset.ts
index 2a16487a26bbc4..dbf3c376560a93 100644
--- a/packages/vite/src/node/plugins/asset.ts
+++ b/packages/vite/src/node/plugins/asset.ts
@@ -210,6 +210,10 @@ export function checkPublicFile(
 return
 }
 const publicFile = path.join(publicDir, cleanUrl(url))
+ if (!publicFile.startsWith(publicDir)) {
+ // can happen if e.g. url starts with '/../node_modules/', see #11145
+ return
+ }
 if (fs.existsSync(publicFile)) {
 return publicFile
 } else {
From db23d155085f41d63e3b5211cd72c89206d5b1d3 Mon Sep 17 00:00:00 2001
From: Rom
Date: Fri, 2 Dec 2022 09:15:36 +0100
Subject: [PATCH 2/2] Update packages/vite/src/node/plugins/asset.ts
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
---
 packages/vite/src/node/plugins/asset.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/vite/src/node/plugins/asset.ts b/packages/vite/src/node/plugins/asset.ts
index dbf3c376560a93..8330aa0c53d9b4 100644
--- a/packages/vite/src/node/plugins/asset.ts
+++ b/packages/vite/src/node/plugins/asset.ts
@@ -211,7 +211,7 @@ export function checkPublicFile(
 }
 const publicFile = path.join(publicDir, cleanUrl(url))
 if (!publicFile.startsWith(publicDir)) {
- // can happen if e.g. url starts with '/../node_modules/', see #11145
+ // can happen if URL starts with '../'
 return
 }
 if (fs.existsSync(publicFile)) {
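Review bot: The containment guard added in patch 1/2 and kept in 2/2, `if (!publicFile.startsWith(publicDir))`, is a plain string-prefix test. A joined path that resolves into a sibling directory whose name merely begins with the public directory's name (constructed example: `public-backup` next to `public`) still passes it and reaches `fs.existsSync`. Anchoring the comparison on a separator closes that gap, e.g. `if (publicFile !== publicDir && !publicFile.startsWith(publicDir + path.sep)) return`, or test `path.relative(publicDir, publicFile)` for a leading `..`. Whether `publicDir` is already normalized, or carries a trailing separator, is decided outside this hunk and should be confirmed, since `path.join` returns a normalized path and the prefix test only holds if both sides use the same form. A regression test covering both the `../` case and the same-prefix sibling case would pin the behaviour; the body of `checkPublicFile` starts and ends outside the hunk.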