feat: show a warning if host is exposed

sheremet-va · sheremet-va · commit deb239d69c71 · 2026-01-27T15:14:01.000+01:00
diff --git a/packages/vitest/src/node/config/resolveConfig.ts b/packages/vitest/src/node/config/resolveConfig.ts
@@ -1,5 +1,6 @@
 import type { ResolvedConfig as ResolvedViteConfig } from 'vite'
 import type { Vitest } from '../core'
+import type { Logger } from '../logger'
 import type { BenchmarkBuiltinReporters } from '../reporters'
 import type { ResolvedBrowserOptions } from '../types/browser'
 import type {
@@ -55,10 +56,14 @@ function parseInspector(inspect: string | undefined | boolean | number) {
   return { host, port: Number(port) || defaultInspectPort }
 }
 
+/**
+ * @deprecated Internal function
+ */
 export function resolveApiServerConfig<Options extends ApiConfig & Omit<UserConfig, 'expect'>>(
   options: Options,
   defaultPort: number,
   parentApi?: ApiConfig,
+  logger?: Logger,
 ): ApiConfig | undefined {
   let api: ApiConfig | undefined
 
@@ -100,6 +105,16 @@ export function resolveApiServerConfig<Options extends ApiConfig & Omit<UserConf
 
   // if the API server is exposed to network, disable write operations by default
   if (!api.middlewareMode && api.host && api.host !== 'localhost' && api.host !== '127.0.0.1') {
+    // assigned to browser
+    if (parentApi) {
+      if (api.allowWrite == null && api.allowExec == null) {
+        logger?.error(
+          c.yellow(
+            `${c.yellowBright(' WARNING ')} API server is exposed to network, disabling write and exec operations by default for security reasons. This can case some APIs to not work as expected. Set \`browser.api.allowExec\` manually to hide this warning. See https://vitest.dev/config/browser/api for more details.`,
+          ),
+        )
+      }
+    }
     api.allowWrite ??= parentApi?.allowWrite ?? false
     api.allowExec ??= parentApi?.allowExec ?? false
   }
@@ -805,6 +820,7 @@ export function resolveConfig(
     resolved.browser,
     defaultBrowserPort,
     resolved.api,
+    logger,
   ) || {
     port: defaultBrowserPort,
   }
diff --git a/test/cli/fixtures/basic/basic.test.ts b/test/cli/fixtures/basic/basic.test.ts
@@ -0,0 +1,5 @@
+import { expect, test } from 'vitest';
+
+test('basic test', () => {
+  expect(1 + 1).toBe(2)
+})
diff --git a/test/cli/test/config/browser-configs.test.ts b/test/cli/test/config/browser-configs.test.ts
@@ -1016,3 +1016,25 @@ test('allows custom transformIndexHtml without custom html file', async () => {
   expect(stdout).toContain('✓ |chromium| browser-custom.test.ts')
   expect(exitCode).toBe(0)
 })
+
+test('show a warning if host is exposed', async () => {
+  const { stderr } = await runVitest({
+    config: false,
+    root: './fixtures/basic',
+    reporters: [
+      {
+        onInit() {
+          throw new Error('stop')
+        },
+      },
+    ],
+    browser: {
+      api: {
+        host: 'custom-host',
+      },
+    },
+  })
+  expect(stderr).toContain(
+    'API server is exposed to network, disabling write and exec operations by default for security reasons. This can case some APIs to not work as expected. Set `browser.api.allowExec` manually to hide this warning. See https://vitest.dev/config/browser/api for more details.',
+  )
+})
