Vite dev server file system restriction rules are inconsistent across package managers.

Describe the bug

I am following the https://mui.com/material-ui/getting-started/installation/#roboto-font to install roboto font through package manager because the CDN is blocked by a firewall.

After the installation is completed, the project still cannot serve the fonts correctly.

It appears relative url access for woff2 files from a css file in @fontsource/roboto is blocked by Vite dev server when using yarn PnP.

The woff2 file should be a safe file included in safeModulesPath https://github.com/vitejs/vite/blob/71dc6a6b7d41c27133f04b92256bead74b8f2127/packages/vite/src/node/server/middlewares/static.ts#L218 It has a workaround to change server.fs.strict to false but this will be less safe.

Reproduction

https://stackblitz.com/edit/github-tmpxuz-g4gr11?file=src%2FApp.jsx

Steps to reproduce

Clone the repo in reproduction url.

When the project is launched with $npm i && npm run dev no problem raised when the browser is opened When the project is launched with $yarn set version berry && yarn && yarn dev it will raise an issue about The request url "~/.yarn/berry/cache/@fontsource-roboto-npm-5.0.8-35f6bafae2-10c0.zip/node_modules/@fontsource/roboto/files/roboto-latin-500-normal.woff" is outside of Vite serving allow list when opened from browser. The fonts cannot be displayed correctly.

Vite dev server's file system access rules should be consistent across package managers.

System Info

System:
    OS: macOS 14.2
    CPU: (8) arm64 Apple M2
    Memory: 32.42 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.10.0 - /usr/local/bin/node
    Yarn: 4.1.0 - /usr/local/bin/yarn
    npm: 10.2.3 - /usr/local/bin/npm
  Browsers:
    Safari: 17.2
  npmPackages:
    @vitejs/plugin-react: ^4.2.1 => 4.2.1
    vite: ^5.1.1 => 5.1.3

Used Package Manager

yarn

Logs

No response

Validations

[X] Follow our Code of Conduct
[X] Read the Contributing Guidelines.
[X] Read the docs.
[X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
[X] Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
[X] Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
[X] The provided reproduction is a minimal reproducible example of the bug.

vitejs / vite