searchForWorkspaceRoot doesn't account for pnpm workspace packages outside workspace root directory #21700

@IGassmann

Describe the bug

searchForWorkspaceRoot walks up the directory tree and stops at the first directory containing a pnpm-workspace.yaml. It then uses that directory as the server.fs.allow root. However, it only checks for the existence of pnpm-workspace.yaml — it doesn't parse its contents to discover that the workspace includes packages outside that directory.

This is a valid pnpm workspace layout where pnpm-workspace.yaml references parent-level packages:

repo-root/
  packages/
    my-lib/          # workspace package
      package.json
      asset.txt
  workspace/
    pnpm-workspace.yaml   # packages: ['*', '../packages/*']
    my-app/               # Vite project
      vite.config.js

When running vite dev from my-app/, searchForWorkspaceRoot finds pnpm-workspace.yaml in workspace/ and sets server.fs.allow to workspace/. Since packages/my-lib/ is above workspace/, any files served from it are blocked with a 403:

The request id ".../packages/my-lib/asset.txt" is outside of Vite serving allow list.

- .../workspace

Refer to docs https://vite.dev/config/server-options.html#server-fs-allow for configurations and more details.

Expected behavior

searchForWorkspaceRoot should parse pnpm-workspace.yaml (and package.json workspaces field) to resolve the actual package directories referenced by the workspace, and include them in the server.fs.allow list — or at minimum walk up to the common ancestor of all workspace packages.

Reproduction

https://github.com/IGassmann/vite-workspace-root-repro

Steps to reproduce

  1. Clone the reproduction repo
  2. cd workspace && pnpm install
  3. cd my-app && pnpm dev
  4. Open http://localhost:5173 in a browser
  5. Open the browser console / check the Vite terminal — you'll see a 403 error for the asset.txt file from my-lib

System Info

  System:
    OS: macOS 15.6.1
    CPU: (12) arm64 Apple M2 Pro
    Memory: 120.34 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.12.0
    pnpm: 10.28.0
  Browsers:
    Chrome: 145.0.7632.110
    Safari: 18.6

Used Package Manager

pnpm

Logs

The request id "/private/.../packages/my-lib/asset.txt" is outside of Vite serving allow list.

- /private/.../workspace

Refer to docs https://vite.dev/config/server-options.html#server-fs-allow for configurations and more details.
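An added example, not part of the original issue and not Vite's code: one way to turn the `packages` globs of a pnpm-workspace.yaml into explicit server.fs.allow entries, next to the common-ancestor alternative the issue mentions. It shows that the explicit list stays narrower (only `workspace/` and `packages/`) while the common ancestor opens all of `repo-root/` to the dev server. Assumptions: the function names are hypothetical, paths are POSIX and absolute, and the patterns are passed in already parsed from the YAML file.

```javascript
// Added example (hypothetical helpers): derive server.fs.allow entries from
// the `packages` globs of a pnpm-workspace.yaml. POSIX paths only.

// Resolve `rel` against absolute `base`, collapsing "." and ".." segments.
function resolvePosix(base, rel) {
  const out = []
  for (const seg of `${base}/${rel}`.split('/')) {
    if (seg === '' || seg === '.') continue
    if (seg === '..') out.pop()
    else out.push(seg)
  }
  return '/' + out.join('/')
}

// Leading wildcard-free part of a glob: "../packages/*" -> "../packages".
function staticPrefix(pattern) {
  const segs = pattern.split('/')
  const firstGlob = segs.findIndex((s) => /[*?[\]{}!]/.test(s))
  return (firstGlob === -1 ? segs : segs.slice(0, firstGlob)).join('/') || '.'
}

// True when `dir` is `root` itself or lies below it (segment-aware).
function isInside(dir, root) {
  return dir === root || dir.startsWith(root === '/' ? '/' : root + '/')
}

// Narrowest allow list: the workspace root plus each pattern base outside it.
function allowListFor(workspaceDir, patterns) {
  const allow = [resolvePosix(workspaceDir, '.')]
  for (const p of patterns) {
    if (p.startsWith('!')) continue // exclusion patterns never widen access
    const dir = resolvePosix(workspaceDir, staticPrefix(p))
    if (!allow.some((root) => isInside(dir, root))) allow.push(dir)
  }
  return allow
}

// Broader alternative: a single common ancestor of all entries.
function commonAncestor(dirs) {
  const split = dirs.map((d) => d.split('/'))
  let i = 0
  while (split.every((s) => s[i] !== undefined && s[i] === split[0][i])) i++
  return split[0].slice(0, i).join('/') || '/'
}

// Constructed input mirroring the layout in the issue.
const sampleAllow = allowListFor('/repo-root/workspace', ['*', '../packages/*'])
```

The array returned by `allowListFor` can be assigned to `server.fs.allow` in vite.config.js; anything else under `repo-root/` then stays outside the allow list, which `commonAncestor` would not guarantee.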
