Builder-Vite: Add logic to set allowedHosts

[JSMike]

Update yarn lock to use version of vite that has allowedHosts in ServerOptions.
Add logic to pass forward server.allowedHosts from user's vite config, otherwise check if server is bound to value that should default allowedHosts to true, otherwise use set allowedHosts to contain specified host.

Closes #30338

What I did

Add logic to define allowedHosts either by passing forward config from user's vite config, or setting default. This required updating some of the yarn lock to use a version that contained the type for allowedHosts, but remained in respected semver range. This change should have no impact on prior versions because the allowedHosts value will be ignored by vite.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

1. Run a sandbox for a vite based template, e.g. yarn task --task sandbox --start-from auto --template lit-vite/default-ts
2. Open Storybook in your browser, using your system's hostname instead of localhost, by default this should load as expected.
3. Update the sandbox vite.config.js to contain: { server: { allowedHosts: ['localhost'] } }
4. Restart the storybook yarn run storybook from your sandbox
5. Reload browser with your hostname as the URL and the preview should fail to load, as expected, since it is no longer an allowed hostname.
6. Reload browser with localhost as the URL and the preview should load.

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

name	before	after	diff	z	%
createSize	0 B	0 B	0 B	-	-
generateSize	78 MB	78 MB	0 B	1.96	0%
initSize	131 MB	131 MB	436 B	1.72	0%
diffSize	53 MB	53 MB	436 B	1.24	0%
buildSize	7.17 MB	7.17 MB	0 B	0.83	0%
buildSbAddonsSize	1.85 MB	1.85 MB	0 B	0.82	0%
buildSbCommonSize	195 kB	195 kB	0 B	-	0%
buildSbManagerSize	1.86 MB	1.86 MB	0 B	-1.22	0%
buildSbPreviewSize	0 B	0 B	0 B	-	-
buildStaticSize	0 B	0 B	0 B	-	-
buildPrebuildSize	3.91 MB	3.91 MB	0 B	0.79	0%
buildPreviewSize	3.26 MB	3.26 MB	0 B	0.78	0%
testBuildSize	0 B	0 B	0 B	-	-
testBuildSbAddonsSize	0 B	0 B	0 B	-	-
testBuildSbCommonSize	0 B	0 B	0 B	-	-
testBuildSbManagerSize	0 B	0 B	0 B	-	-
testBuildSbPreviewSize	0 B	0 B	0 B	-	-
testBuildStaticSize	0 B	0 B	0 B	-	-
testBuildPrebuildSize	0 B	0 B	0 B	-	-
testBuildPreviewSize	0 B	0 B	0 B	-	-

name	before	after	diff	z	%
createTime	20.5s	16.4s	-4s -49ms	-0.62	-24.6%
generateTime	17.7s	17.8s	60ms	-1.33	0.3%
initTime	10.9s	11.3s	362ms	-1.17	3.2%
buildTime	7.4s	7.8s	398ms	-0.91	5%
testBuildTime	0ms	0ms	0ms	-	-
devPreviewResponsive	4.9s	4.3s	-590ms	-0.68	-13.4%
devManagerResponsive	3.7s	3.4s	-368ms	-0.57	-10.8%
devManagerHeaderVisible	709ms	643ms	-66ms	-0.69	-10.3%
devManagerIndexVisible	736ms	740ms	4ms	-0.35	0.5%
devStoryVisibleUncached	3.7s	2.8s	-895ms	-0.32	-31.7%
devStoryVisible	737ms	740ms	3ms	-0.38	0.4%
devAutodocsVisible	671ms	602ms	-69ms	-0.55	-11.5%
devMDXVisible	628ms	620ms	-8ms	-0.36	-1.3%
buildManagerHeaderVisible	652ms	864ms	212ms	0.32	24.5%
buildManagerIndexVisible	743ms	883ms	140ms	0.04	15.9%
buildStoryVisible	642ms	857ms	215ms	0.39	25.1%
buildAutodocsVisible	547ms	1s	453ms	0.17	45.3%
buildMDXVisible	527ms	614ms	87ms	0.26	14.2%

Greptile Summary

Let me provide a clear and focused summary of this pull request:

Adds logic to handle allowedHosts configuration in Vite server setup to fix hostname accessibility issues in Storybook after Vite 6 upgrade.

• Added allowedHosts configuration in code/builders/builder-vite/src/vite-server.ts to preserve user-defined settings
• Added logic to automatically set allowedHosts: true for common local addresses (::/0.0.0.0/127.0.0.1)
• Added fallback to include specific host address in allowedHosts array when not using common local addresses
• Added proper type annotations for Vite's ServerOptions and AddressInfo interfaces

The changes fix issue #30338 where Storybook was inaccessible via local hostnames after upgrading to Vite 6.

_{💡 (1/5) You can manually trigger the bot by mentioning @greptileai in a comment!}

[greptile-apps]

_{1 file(s) reviewed, 1 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

LGTM

_{1 file(s) reviewed, no comment(s)
Edit PR Review Bot Settings | Greptile}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 7d4b70c.

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	1m 53s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-02-02 03:25:22 UTC

[JSMike]

Logic overview:

1. If the vite config sets server.allowedHosts then use that value.
2. If options.host was passed and is not an IP address then restrict to only allow the hostname options.host. This needs to be lowercase or it will fail to resolve, so cast to lowercase.
3. Otherwise default to allow any hostname.

[shilman]

@JSMike Thanks so much for putting this together!!

A few questions:

1. Have you tested with an older version of Vite? Will it just ignore the option in that case?
2. In the fallback case of allowedHosts = true, is that a security issue? Or it doesn't really apply because we're only running in dev?