
Potential fix for code scanning alert no. 9: Missing rate limiting#53

Merged
Tanker187 merged 1 commit into main from alert-autofix-9
Feb 11, 2026

Conversation

@Tanker187
Owner

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/9

In general, the fix is to introduce a rate-limiting middleware (e.g., express-rate-limit) and apply it to the route (or the app) before performing expensive operations. This controls how many requests a given client can make within a time window, mitigating denial-of-service via request flooding.

For this specific file, the least intrusive fix is:

  • Import express-rate-limit.
  • Configure a limiter (e.g., a reasonable per-IP limit).
  • Apply the limiter to the app.use('*all', ...) route, leaving existing behavior unchanged for legitimate traffic within the limit.

We should only touch playground/ssr-deps/server.js. Concretely:

  1. Add an import line near the existing imports:

    import rateLimit from 'express-rate-limit'
  2. Inside createServer, after const app = express(), define a limiter:

    const ssrLimiter = rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100, // limit each IP to 100 SSR requests per windowMs
    })

    Values can be tuned later; these are safe defaults.

  3. Change the app.use('*all', async (req, res) => { ... }) registration to apply the limiter to that route:

    app.use('*all', ssrLimiter, async (req, res) => { ... })

No other logic or response content needs modification.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
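As an added example (not code from this PR or from Vite), the following is a minimal fixed-window, per-IP limiter with the same `windowMs` / `max` semantics the PR configures for `express-rate-limit`, written as an Express-style `(req, res, next)` middleware so the behaviour of the proposed `ssrLimiter` (100 SSR requests per IP per 15 minutes) can be exercised without a server. The `now` clock parameter and the `consume` helper are assumptions made for testing.

```javascript
// Added example: fixed-window per-IP limiter mirroring express-rate-limit's
// windowMs/max options. In-memory store, so counts are per process.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map() // key -> { count, resetAt }

  // Record one hit for `key` and report whether it is still within `max`.
  function consume(key) {
    const t = now()
    let entry = hits.get(key)
    if (!entry || t >= entry.resetAt) {
      // First hit, or the previous window has elapsed: start a new window.
      entry = { count: 0, resetAt: t + windowMs }
      hits.set(key, entry)
    }
    entry.count += 1
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      retryAfterSec: Math.ceil((entry.resetAt - t) / 1000),
    }
  }

  // Express middleware keyed on req.ip. Behind a reverse proxy, Express's
  // `trust proxy` setting must be configured, or every client shares one bucket.
  function middleware(req, res, next) {
    const r = consume(req.ip)
    res.setHeader('RateLimit-Limit', String(max))
    res.setHeader('RateLimit-Remaining', String(r.remaining))
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSec))
      res.status(429).send('Too many requests, please try again later.')
      return
    }
    next()
  }

  return { middleware, consume }
}

// The limiter the PR describes: 100 SSR requests per IP per 15 minutes.
const ssrLimiter = createRateLimiter({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 SSR requests per windowMs
})
```

Wire it exactly as the PR does, `app.use('*all', ssrLimiter.middleware, handler)`, so the 429 is returned before the SSR render runs.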
@Tanker187 Tanker187 self-assigned this Feb 11, 2026
@Tanker187 Tanker187 marked this pull request as ready for review February 11, 2026 15:55
Repository owner locked and limited conversation to collaborators Feb 11, 2026
@Tanker187 Tanker187 merged commit b31714e into main Feb 11, 2026
8 of 25 checks passed
@Tanker187 Tanker187 deleted the alert-autofix-9 branch February 11, 2026 15:55
