You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/api/browser/commands.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ By default, Vitest uses `utf-8` encoding but you can override it with options.
18
18
::: tip
19
19
The built-in file commands follow Vite's [`server.fs`](https://vitejs.dev/config/server-options.html#server-fs-allow) restrictions for security reasons.
20
20
21
-
`writeFile` and `removeFile` also require write access through [`browser.api.allowWrite`](/config/browser/api) and [`api.allowWrite`](/config/api#api-allowwrite).
21
+
`writeFile` and `removeFile` also require write access through [`api.allowWrite`](/config/api#api-allowwrite).
22
22
:::
23
23
24
24
```ts
@@ -60,7 +60,7 @@ expect(input).toHaveValue('a')
60
60
::: warning
61
61
CDP session works only with `playwright` provider and only when using `chromium` browser. You can read more about it in playwright's [`CDPSession`](https://playwright.dev/docs/api/class-cdpsession) documentation.
62
62
63
-
CDP is a privileged debugging API. It is available only when browser API write and exec operations are enabled through [`browser.api.allowWrite`](/config/browser/api#api-allowwrite), [`browser.api.allowExec`](/config/browser/api#api-allowexec), [`api.allowWrite`](/config/api#api-allowwrite), and [`api.allowExec`](/config/api#api-allowexec).
63
+
CDP is a privileged debugging API. It is available only when browser API write and exec operations are enabled through [`api.allowWrite`](/config/api#api-allowwrite), and [`api.allowExec`](/config/api#api-allowexec).
64
64
:::
65
65
66
66
## Custom Commands
@@ -131,7 +131,7 @@ Custom commands run in the Vitest Node process and are callable from browser tes
131
131
132
132
Vitest's built-in file commands validate paths against Vite's [`server.fs`](https://vite.dev/config/server-options#server-fs-allow) restrictions and separately check whether writes are allowed. Custom commands do not automatically inherit these protections. If a custom command accepts browser-provided input and uses it to read, write, delete, execute, or expose local resources, validate that input before using it.
133
133
134
-
For file reads or fixture loading, use `isFileLoadingAllowed` from `vitest/node` or an explicit allowlist. For writes and deletes, also require an explicit mutation policy, such as [`browser.api.allowWrite`](/config/browser/api#api-allowwrite), [`api.allowWrite`](/config/api#api-allowwrite), and a command-specific allowed directory. For commands that execute code, shell commands, or project scripts, also check[`browser.api.allowExec`](/config/browser/api#api-allowexec) and[`api.allowExec`](/config/api#api-allowexec).
134
+
For file reads or fixture loading, use `isFileLoadingAllowed` from `vitest/node` or an explicit allowlist. For writes and deletes, also require an explicit mutation policy, such as [`api.allowWrite`](/config/api#api-allowwrite), and a command-specific allowed directory. For commands that execute code, shell commands, or project scripts, also check [`api.allowExec`](/config/api#api-allowexec).
135
135
136
136
For example, if you create your own file-writing command instead of using Vitest's built-in `writeFile`, apply the same checks:
CDPisaprivilegeddebuggingAPI. ItisavailableonlywhenbrowserAPIwriteandexecoperationsareenabledthrough [`browser.api.allowWrite`](/config/browser/api#api-allowwrite), [`browser.api.allowExec`](/config/browser/api#api-allowexec), [`api.allowWrite`](/config/api#api-allowwrite), and [`api.allowExec`](/config/api#api-allowexec).
215
+
CDPisaprivilegeddebuggingAPI. ItisavailableonlywhenbrowserAPIwriteandexecoperationsareenabledthrough [`api.allowWrite`](/config/api#api-allowwrite), and [`api.allowExec`](/config/api#api-allowexec).
Listen to port and serve API for [the UI](/guide/ui) or [browser server](/guide/browser/). When set to `true`, the default port is `51204`.
12
+
Listen to port and serve API for [the UI](/guide/ui) or [browser server](/guide/browser/). When set to `true`, the default port is `51204` or `63315` if running in Browser Mode.
@@ -18,6 +18,8 @@ Listen to port and serve API for [the UI](/guide/ui) or [browser server](/guide/
18
18
19
19
Vitest server can save test files or snapshot files via the API. This allows anyone who can connect to the API the ability to run any arbitrary code on your machine.
20
20
21
+
In Browser Mode Vitest saves [annotation attachments](/guide/test-annotations), [artifacts](/api/advanced/artifacts) and [snapshots](/guide/snapshot) by receiving a WebSocket connection from the browser. This allows anyone who can connect to the API write any arbitrary code on your machine within the root of your project (configured by [`fs.allow`](https://vite.dev/config/server-options#server-fs-allow)). This option also gates privileged browser APIs that can write files indirectly, such as raw Chrome DevTools Protocol access through [`cdp()`](/api/browser/context#cdp).
22
+
21
23
::: danger SECURITY ADVICE
22
24
Vitest does not expose the API to the internet by default and only listens on `localhost`. However if `host` is manually exposed to the network, anyone who connects to it can run arbitrary code on your machine, unless `api.allowWrite` and `api.allowExec` are set to `false`.
23
25
@@ -29,4 +31,5 @@ If the host is set to anything other than `localhost` or `127.0.0.1`, Vitest wil
29
31
-**Type:**`boolean`
30
32
-**Default:**`true` if not exposed to the network, `false` otherwise
31
33
32
-
Allows running any test file via the API. See the security advice in [`api.allowWrite`](#api-allowwrite).
34
+
Allows running any test file via the UI. This applies to the interactive elements (and the server code behind them) in the [UI](/guide/ui) that can run the code. This option also gates privileged browser APIs that can execute code indirectly, such as raw Chrome DevTools Protocol access through [`cdp()`](/api/browser/context#cdp).
DuetohowVite's `createServer` works, Vitest has to resolve the config during the plugin's`configResolve`hook. Therefore, thismethodisnotactuallyusedinternallyandisexposedexclusivelyasapublicAPI.
function createCLI(options?: CliParseOptions): CAC
150
+
```
151
+
152
+
CreatestheVitestcommand-lineinterface: a [`cac`](https://github.com/cacjs/cac) instance with all of Vitest's commands and options registered. [`parseCLI`](#parsecli) is built on top of it; use `createCLI` directly if you need the raw parser.
Vitest's terminal logger, exposed as [`vitest.logger`](/api/advanced/vitest). It handles formatted output, the error summary, the run banner and screen clearing. Construct one with custom `stdout`/`stderr` streams to capture or redirect Vitest'soutputwhenrunningitprogrammatically.
188
+
189
+
```ts
190
+
import { Logger } from 'vitest/node'
191
+
192
+
const logger = new Logger(process.stdout, process.stderr)
0 commit comments