@sveltejs/kit 1.0.0-next.371 → 1.0.0-next.374

package/assets/client/start.js

@@ -17,10 +17,14 @@ function coalesce_to_error(err) {
 }
 
 /**
- * @param {import('types').LoadOutput} loaded
+ * @param {import('types').LoadOutput | void} loaded
  * @returns {import('types').NormalizedLoadOutput}
  */
 function normalize(loaded) {
+	if (!loaded) {
+		return {};
+	}
+
 	// TODO remove for 1.0
 	// @ts-expect-error
 	if (loaded.fallthrough) {
@@ -1030,24 +1034,17 @@ function create_client({ target, session, base, trailing_slash }) {
 				});
 			}
 
-			let loaded;
-
 			if (import.meta.env.DEV) {
 				try {
 					lock_fetch();
-					loaded = await module.load.call(null, load_input);
+					node.loaded = normalize(await module.load.call(null, load_input));
 				} finally {
 					unlock_fetch();
 				}
 			} else {
-				loaded = await module.load.call(null, load_input);
-			}
-
-			if (!loaded) {
-				throw new Error('load function must return a value');
+				node.loaded = normalize(await module.load.call(null, load_input));
 			}
 
-			node.loaded = normalize(loaded);
 			if (node.loaded.stuff) node.stuff = node.loaded.stuff;
 			if (node.loaded.dependencies) {
 				node.loaded.dependencies.forEach(add_dependency);
@@ -1088,7 +1085,7 @@ function create_client({ target, session, base, trailing_slash }) {
 		let stuff = root_stuff;
 		let stuff_changed = false;
 
-		/** @type {number | undefined} */
+		/** @type {number} */
 		let status = 200;
 
 		/** @type {Error | null} */
@@ -1174,7 +1171,7 @@ function create_client({ target, session, base, trailing_slash }) {
 
 						if (node.loaded) {
 							if (node.loaded.error) {
-								status = node.loaded.status;
+								status = node.loaded.status ?? 500;
 								error = node.loaded.error;
 							}
 
@@ -1703,7 +1700,7 @@ function create_client({ target, session, base, trailing_slash }) {
 						if (node.loaded.error) {
 							if (error) throw node.loaded.error;
 							error_args = {
-								status: node.loaded.status,
+								status: node.loaded.status ?? 500,
 								error: node.loaded.error,
 								url,
 								routeId

package/assets/server/index.js

@@ -27,32 +27,34 @@ function to_headers(object) {
  * @param {string[]} types
  */
 function negotiate(accept, types) {
-	const parts = accept
-		.split(',')
-		.map((str, i) => {
-			const match = /([^/]+)\/([^;]+)(?:;q=([0-9.]+))?/.exec(str);
-			if (match) {
-				const [, type, subtype, q = '1'] = match;
-				return { type, subtype, q: +q, i };
-			}
+	/** @type {Array<{ type: string, subtype: string, q: number, i: number }>} */
+	const parts = [];
 
-			throw new Error(`Invalid Accept header: ${accept}`);
-		})
-		.sort((a, b) => {
-			if (a.q !== b.q) {
-				return b.q - a.q;
-			}
+	accept.split(',').forEach((str, i) => {
+		const match = /([^/]+)\/([^;]+)(?:;q=([0-9.]+))?/.exec(str);
 
-			if ((a.subtype === '*') !== (b.subtype === '*')) {
-				return a.subtype === '*' ? 1 : -1;
-			}
+		// no match equals invalid header — ignore
+		if (match) {
+			const [, type, subtype, q = '1'] = match;
+			parts.push({ type, subtype, q: +q, i });
+		}
+	});
 
-			if ((a.type === '*') !== (b.type === '*')) {
-				return a.type === '*' ? 1 : -1;
-			}
+	parts.sort((a, b) => {
+		if (a.q !== b.q) {
+			return b.q - a.q;
+		}
 
-			return a.i - b.i;
-		});
+		if ((a.subtype === '*') !== (b.subtype === '*')) {
+			return a.subtype === '*' ? 1 : -1;
+		}
+
+		if ((a.type === '*') !== (b.type === '*')) {
+			return a.type === '*' ? 1 : -1;
+		}
+
+		return a.i - b.i;
+	});
 
 	let accepted;
 	let min_priority = Infinity;
@@ -975,9 +977,6 @@ function base64(bytes) {
 	return result;
 }
 
-/** @type {Promise<void>} */
-let csp_ready;
-
 const array = new Uint8Array(16);
 
 function generate_nonce() {
@@ -997,13 +996,12 @@ const quoted = new Set([
 
 const crypto_pattern = /^(nonce|sha\d\d\d)-/;
 
-class Csp {
+// CSP and CSP Report Only are extremely similar with a few caveats
+// the easiest/DRYest way to express this is with some private encapsulation
+class BaseProvider {
 	/** @type {boolean} */
 	#use_hashes;
 
-	/** @type {boolean} */
-	#dev;
-
 	/** @type {boolean} */
 	#script_needs_csp;
 
@@ -1019,21 +1017,18 @@ class Csp {
 	/** @type {import('types').Csp.Source[]} */
 	#style_src;
 
+	/** @type {string} */
+	#nonce;
+
 	/**
-	 * @param {{
-	 *   mode: string,
-	 *   directives: import('types').CspDirectives
-	 * }} config
-	 * @param {{
-	 *   dev: boolean;
-	 *   prerender: boolean;
-	 *   needs_nonce: boolean;
-	 * }} opts
+	 * @param {boolean} use_hashes
+	 * @param {import('types').CspDirectives} directives
+	 * @param {string} nonce
+	 * @param {boolean} dev
 	 */
-	constructor({ mode, directives }, { dev, prerender, needs_nonce }) {
-		this.#use_hashes = mode === 'hash' || (mode === 'auto' && prerender);
+	constructor(use_hashes, directives, nonce, dev) {
+		this.#use_hashes = use_hashes;
 		this.#directives = dev ? { ...directives } : directives; // clone in dev so we can safely mutate
-		this.#dev = dev;
 
 		const d = this.#directives;
 
@@ -1075,10 +1070,7 @@ class Csp {
 
 		this.script_needs_nonce = this.#script_needs_csp && !this.#use_hashes;
 		this.style_needs_nonce = this.#style_needs_csp && !this.#use_hashes;
-
-		if (this.script_needs_nonce || this.style_needs_nonce || needs_nonce) {
-			this.nonce = generate_nonce();
-		}
+		this.#nonce = nonce;
 	}
 
 	/** @param {string} content */
@@ -1087,7 +1079,7 @@ class Csp {
 			if (this.#use_hashes) {
 				this.#script_src.push(`sha256-${sha256(content)}`);
 			} else if (this.#script_src.length === 0) {
-				this.#script_src.push(`nonce-${this.nonce}`);
+				this.#script_src.push(`nonce-${this.#nonce}`);
 			}
 		}
 	}
@@ -1098,12 +1090,14 @@ class Csp {
 			if (this.#use_hashes) {
 				this.#style_src.push(`sha256-${sha256(content)}`);
 			} else if (this.#style_src.length === 0) {
-				this.#style_src.push(`nonce-${this.nonce}`);
+				this.#style_src.push(`nonce-${this.#nonce}`);
 			}
 		}
 	}
 
-	/** @param {boolean} [is_meta] */
+	/**
+	 * @param {boolean} [is_meta]
+	 */
 	get_header(is_meta = false) {
 		const header = [];
 
@@ -1134,7 +1128,7 @@ class Csp {
 				continue;
 			}
 
-			// @ts-expect-error gimme a break typescript, `key` is obviously a member of directives
+			// @ts-expect-error gimme a break typescript, `key` is obviously a member of internal_directives
 			const value = /** @type {string[] | true} */ (directives[key]);
 
 			if (!value) continue;
@@ -1155,13 +1149,81 @@ class Csp {
 
 		return header.join('; ');
 	}
+}
 
+class CspProvider extends BaseProvider {
 	get_meta() {
 		const content = escape_html_attr(this.get_header(true));
 		return `<meta http-equiv="content-security-policy" content=${content}>`;
 	}
 }
 
+class CspReportOnlyProvider extends BaseProvider {
+	/**
+	 * @param {boolean} use_hashes
+	 * @param {import('types').CspDirectives} directives
+	 * @param {string} nonce
+	 * @param {boolean} dev
+	 */
+	constructor(use_hashes, directives, nonce, dev) {
+		super(use_hashes, directives, nonce, dev);
+
+		if (Object.values(directives).filter((v) => !!v).length > 0) {
+			// If we're generating content-security-policy-report-only,
+			// if there are any directives, we need a report-uri or report-to (or both)
+			// else it's just an expensive noop.
+			const has_report_to = directives['report-to']?.length ?? 0 > 0;
+			const has_report_uri = directives['report-uri']?.length ?? 0 > 0;
+			if (!has_report_to && !has_report_uri) {
+				throw Error(
+					'`content-security-policy-report-only` must be specified with either the `report-to` or `report-uri` directives, or both'
+				);
+			}
+		}
+	}
+}
+
+class Csp {
+	/** @readonly */
+	nonce = generate_nonce();
+
+	/** @type {CspProvider} */
+	csp_provider;
+
+	/** @type {CspReportOnlyProvider} */
+	report_only_provider;
+
+	/**
+	 * @param {import('./types').CspConfig} config
+	 * @param {import('./types').CspOpts} opts
+	 */
+	constructor({ mode, directives, reportOnly }, { prerender, dev }) {
+		const use_hashes = mode === 'hash' || (mode === 'auto' && prerender);
+		this.csp_provider = new CspProvider(use_hashes, directives, this.nonce, dev);
+		this.report_only_provider = new CspReportOnlyProvider(use_hashes, reportOnly, this.nonce, dev);
+	}
+
+	get script_needs_nonce() {
+		return this.csp_provider.script_needs_nonce || this.report_only_provider.script_needs_nonce;
+	}
+
+	get style_needs_nonce() {
+		return this.csp_provider.style_needs_nonce || this.report_only_provider.style_needs_nonce;
+	}
+
+	/** @param {string} content */
+	add_script(content) {
+		this.csp_provider.add_script(content);
+		this.report_only_provider.add_script(content);
+	}
+
+	/** @param {string} content */
+	add_style(content) {
+		this.csp_provider.add_style(content);
+		this.report_only_provider.add_style(content);
+	}
+}
+
 const absolute = /^([a-z]+:)?\/?\//;
 const scheme = /^[a-z]+:/;
 
@@ -1307,6 +1369,14 @@ async function render_response({
 	}
 
 	if (resolve_opts.ssr) {
+		const leaf = /** @type {import('./types.js').Loaded} */ (branch.at(-1));
+
+		if (leaf.loaded.status) {
+			// explicit status returned from `load` or a page endpoint trumps
+			// initial status
+			status = leaf.loaded.status;
+		}
+
 		for (const { node, props, loaded, fetched, uses_credentials } of branch) {
 			if (node.imports) {
 				node.imports.forEach((url) => modulepreloads.add(url));
@@ -1387,11 +1457,9 @@ async function render_response({
 
 	let { head, html: body } = rendered;
 
-	await csp_ready;
 	const csp = new Csp(options.csp, {
 		dev: options.dev,
-		prerender: !!state.prerendering,
-		needs_nonce: options.template_contains_nonce
+		prerender: !!state.prerendering
 	});
 
 	const target = hash(body);
@@ -1502,7 +1570,7 @@ async function render_response({
 	if (state.prerendering) {
 		const http_equiv = [];
 
-		const csp_headers = csp.get_meta();
+		const csp_headers = csp.csp_provider.get_meta();
 		if (csp_headers) {
 			http_equiv.push(csp_headers);
 		}
@@ -1534,10 +1602,14 @@ async function render_response({
 	}
 
 	if (!state.prerendering) {
-		const csp_header = csp.get_header();
+		const csp_header = csp.csp_provider.get_header();
 		if (csp_header) {
 			headers.set('content-security-policy', csp_header);
 		}
+		const report_only_header = csp.report_only_provider.get_header();
+		if (report_only_header) {
+			headers.set('content-security-policy-report-only', report_only_header);
+		}
 	}
 
 	return new Response(html, {
@@ -2032,10 +2104,14 @@ var parseString_1 = setCookie.exports.parseString = parseString;
 var splitCookiesString_1 = setCookie.exports.splitCookiesString = splitCookiesString;
 
 /**
- * @param {import('types').LoadOutput} loaded
+ * @param {import('types').LoadOutput | void} loaded
  * @returns {import('types').NormalizedLoadOutput}
  */
 function normalize(loaded) {
+	if (!loaded) {
+		return {};
+	}
+
 	// TODO remove for 1.0
 	// @ts-expect-error
 	if (loaded.fallthrough) {
@@ -2177,7 +2253,7 @@ async function load_node({
 	/** @type {import('set-cookie-parser').Cookie[]} */
 	const new_cookies = [];
 
-	/** @type {import('types').LoadOutput} */
+	/** @type {import('types').NormalizedLoadOutput} */
 	let loaded;
 
 	const should_prerender = node.module.prerender ?? options.prerender.default;
@@ -2200,12 +2276,10 @@ async function load_node({
 
 	if (shadow.error) {
 		loaded = {
-			status: shadow.status,
 			error: shadow.error
 		};
 	} else if (shadow.redirect) {
 		loaded = {
-			status: shadow.status,
 			redirect: shadow.redirect
 		};
 	} else if (module.load) {
@@ -2473,7 +2547,7 @@ async function load_node({
 				return proxy;
 			},
 			stuff: { ...stuff },
-			status: is_error ? status ?? null : null,
+			status: (is_error ? status : shadow.status) ?? null,
 			error: is_error ? error ?? null : null
 		};
 
@@ -2486,12 +2560,7 @@ async function load_node({
 			});
 		}
 
-		loaded = await module.load.call(null, load_input);
-
-		if (!loaded) {
-			// TODO do we still want to enforce this now that there's no fallthrough?
-			throw new Error(`load function must return a value${options.dev ? ` (${node.file})` : ''}`);
-		}
+		loaded = normalize(await module.load.call(null, load_input));
 	} else if (shadow.body) {
 		loaded = {
 			props: shadow.body
@@ -2500,6 +2569,8 @@ async function load_node({
 		loaded = {};
 	}
 
+	loaded.status = loaded.status ?? shadow.status;
+
 	// generate __data.json files when prerendering
 	if (shadow.body && state.prerendering) {
 		const pathname = `${event.url.pathname.replace(/\/$/, '')}/__data.json`;
@@ -2515,7 +2586,7 @@ async function load_node({
 	return {
 		node,
 		props: shadow.body,
-		loaded: normalize(loaded),
+		loaded,
 		stuff: loaded.stuff || stuff,
 		fetched,
 		set_cookie_headers: new_cookies.map((new_cookie) => {
@@ -2558,7 +2629,7 @@ async function load_shadow_data(route, event, options, prerender) {
 
 		/** @type {import('types').ShadowData} */
 		const data = {
-			status: 200,
+			status: undefined,
 			cookies: [],
 			body: {}
 		};
@@ -2598,13 +2669,13 @@ async function load_shadow_data(route, event, options, prerender) {
 		if (get) {
 			const { status, headers, body } = validate_shadow_output(await get(event));
 			add_cookies(/** @type {string[]} */ (data.cookies), headers);
-			data.status = status;
 
 			if (body instanceof Error) {
 				if (status < 400) {
 					data.status = 500;
 					data.error = new Error('A non-error status code was returned with an error body');
 				} else {
+					data.status = status;
 					data.error = body;
 				}
 
@@ -2612,11 +2683,13 @@ async function load_shadow_data(route, event, options, prerender) {
 			}
 
 			if (status >= 400) {
+				data.status = status;
 				data.error = new Error('Failed to load data');
 				return data;
 			}
 
 			if (status >= 300) {
+				data.status = status;
 				data.redirect = /** @type {string} */ (
 					headers instanceof Headers ? headers.get('location') : headers.location
 				);
@@ -2905,7 +2978,8 @@ async function respond$1(opts) {
 					}
 
 					if (loaded.loaded.error) {
-						({ status, error } = loaded.loaded);
+						error = loaded.loaded.error;
+						status = loaded.loaded.status ?? 500;
 					}
 				} catch (err) {
 					const e = coalesce_to_error(err);

package/dist/chunks/error.js

@@ -111,6 +111,40 @@ function init(open, close) {
 
 /** @typedef {import('./types').Validator} Validator */
 
+const directives = object({
+	'child-src': string_array(),
+	'default-src': string_array(),
+	'frame-src': string_array(),
+	'worker-src': string_array(),
+	'connect-src': string_array(),
+	'font-src': string_array(),
+	'img-src': string_array(),
+	'manifest-src': string_array(),
+	'media-src': string_array(),
+	'object-src': string_array(),
+	'prefetch-src': string_array(),
+	'script-src': string_array(),
+	'script-src-elem': string_array(),
+	'script-src-attr': string_array(),
+	'style-src': string_array(),
+	'style-src-elem': string_array(),
+	'style-src-attr': string_array(),
+	'base-uri': string_array(),
+	sandbox: string_array(),
+	'form-action': string_array(),
+	'frame-ancestors': string_array(),
+	'navigate-to': string_array(),
+	'report-uri': string_array(),
+	'report-to': string_array(),
+	'require-trusted-types-for': string_array(),
+	'trusted-types': string_array(),
+	'upgrade-insecure-requests': boolean(false),
+	'require-sri-for': string_array(),
+	'block-all-mixed-content': boolean(false),
+	'plugin-types': string_array(),
+	referrer: string_array()
+});
+
 /** @type {Validator} */
 const options = object(
 	{
@@ -189,39 +223,8 @@ const options = object(
 
 			csp: object({
 				mode: list(['auto', 'hash', 'nonce']),
-				directives: object({
-					'child-src': string_array(),
-					'default-src': string_array(),
-					'frame-src': string_array(),
-					'worker-src': string_array(),
-					'connect-src': string_array(),
-					'font-src': string_array(),
-					'img-src': string_array(),
-					'manifest-src': string_array(),
-					'media-src': string_array(),
-					'object-src': string_array(),
-					'prefetch-src': string_array(),
-					'script-src': string_array(),
-					'script-src-elem': string_array(),
-					'script-src-attr': string_array(),
-					'style-src': string_array(),
-					'style-src-elem': string_array(),
-					'style-src-attr': string_array(),
-					'base-uri': string_array(),
-					sandbox: string_array(),
-					'form-action': string_array(),
-					'frame-ancestors': string_array(),
-					'navigate-to': string_array(),
-					'report-uri': string_array(),
-					'report-to': string_array(),
-					'require-trusted-types-for': string_array(),
-					'trusted-types': string_array(),
-					'upgrade-insecure-requests': boolean(false),
-					'require-sri-for': string_array(),
-					'block-all-mixed-content': boolean(false),
-					'plugin-types': string_array(),
-					referrer: string_array()
-				})
+				directives,
+				reportOnly: directives
 			}),
 
 			// TODO: remove this for the 1.0 release
@@ -410,7 +413,7 @@ const options = object(
  * @param {boolean} [allow_unknown]
  * @returns {Validator}
  */
-function object(children, allow_unknown) {
+function object(children, allow_unknown = false) {
 	return (input, keypath) => {
 		/** @type {Record<string, any>} */
 		const output = {};
@@ -620,7 +623,7 @@ async function load_config({ cwd = process.cwd() } = {}) {
  * @param {import('types').Config} config
  * @returns {import('types').ValidatedConfig}
  */
-function process_config(config, { cwd = process.cwd() }) {
+function process_config(config, { cwd = process.cwd() } = {}) {
 	const validated = validate_config(config);
 
 	validated.kit.outDir = path__default.resolve(cwd, validated.kit.outDir);

package/dist/chunks/sync.js

@@ -107,9 +107,25 @@ var other = {"application/prs.cww":["cww"],"application/vnd.1000minds.decision-m
 let Mime = Mime_1;
 var mime = new Mime(standard, other);
 
-const get_runtime_path = /** @param {import('types').ValidatedKitConfig} config */ (config) =>
-			posixify_path(path__default.join(config.outDir, 'runtime'))
-	;
+/**
+ * Get the prefix for the `runtime` directory, for use with import declarations
+ * @param {import('types').ValidatedKitConfig} config
+ */
+function get_runtime_prefix(config) {
+	{
+		return posixify_path(path__default.join(config.outDir, 'runtime'));
+	}
+}
+
+/**
+ * Get the resolved path of the `runtime` directory
+ * @param {import('types').ValidatedKitConfig} config
+ */
+function get_runtime_directory(config) {
+	{
+		return path__default.join(config.outDir, 'runtime');
+	}
+}
 
 /** @param {string} str */
 function posixify_path(str) {
@@ -285,7 +301,7 @@ const DEFAULT = 'default';
  */
 function create_manifest_data({
 	config,
-	fallback = `${get_runtime_path(config.kit)}/components`,
+	fallback = `${get_runtime_directory(config.kit)}/components`,
 	cwd = process.cwd()
 }) {
 	/** @type {import('types').RouteData[]} */
@@ -989,4 +1005,4 @@ var sync = /*#__PURE__*/Object.freeze({
   all: all
 });
 
-export { get_mime_lookup as a, all as b, sync as c, get_runtime_path as g, init as i, logger as l, parse_route_id as p, s, update as u };
+export { get_runtime_prefix as a, get_mime_lookup as b, all as c, sync as d, get_runtime_directory as g, init as i, logger as l, parse_route_id as p, s, update as u };

package/dist/cli.js

@@ -18,7 +18,7 @@ function handle_error(e) {
 	process.exit(1);
 }
 
-const prog = sade('svelte-kit').version('1.0.0-next.371');
+const prog = sade('svelte-kit').version('1.0.0-next.374');
 
 prog
 	.command('package')
@@ -46,7 +46,7 @@ prog
 
 		try {
 			const config = await load_config();
-			const sync = await import('./chunks/sync.js').then(function (n) { return n.c; });
+			const sync = await import('./chunks/sync.js').then(function (n) { return n.d; });
 			sync.all(config);
 		} catch (error) {
 			handle_error(error);

package/dist/node/polyfills.js

@@ -10389,7 +10389,7 @@ function requireFetch () {
 	}
 
 	// https://fetch.spec.whatwg.org/#finalize-and-report-timing
-	function finalizeAndReportTiming (response, initiatorType) {
+	function finalizeAndReportTiming (response, initiatorType = 'other') {
 	  // 1. If response is an aborted network error, then return.
 	  if (response.type === 'error' && response.aborted) {
 	    return
@@ -11553,7 +11553,10 @@ function requireFetch () {
 	    // 2. Let forwardResponse be the result of running HTTP-network fetch
 	    // given httpFetchParams, includeCredentials, and isNewConnectionFetch.
 	    const forwardResponse = await httpNetworkFetch(
-	      httpFetchParams);
+	      httpFetchParams,
+	      includeCredentials,
+	      isNewConnectionFetch
+	    );
 
 	    // 3. If httpRequest’s method is unsafe and forwardResponse’s status is
 	    // in the range 200 to 399, inclusive, invalidate appropriate stored
@@ -11655,8 +11658,8 @@ function requireFetch () {
 	// https://fetch.spec.whatwg.org/#http-network-fetch
 	async function httpNetworkFetch (
 	  fetchParams,
-	  includeCredentials,
-	  forceNewConnection
+	  includeCredentials = false,
+	  forceNewConnection = false
 	) {
 	  assert(!fetchParams.controller.connection || fetchParams.controller.connection.destroyed);
 

package/dist/node.js

@@ -4495,7 +4495,7 @@ try {
 const POOL_SIZE = 65536;
 
 /** @param {(Blob | Uint8Array)[]} parts */
-async function * toIterator (parts, clone) {
+async function * toIterator (parts, clone = true) {
   for (const part of parts) {
     if ('stream' in part) {
       yield * (/** @type {AsyncIterableIterator<Uint8Array>} */ (part.stream()));

package/dist/vite.js

@@ -6,7 +6,7 @@ import { svelte } from '@sveltejs/vite-plugin-svelte';
 import * as vite from 'vite';
 import { loadConfigFromFile, searchForWorkspaceRoot } from 'vite';
 import { p as posixify, m as mkdirp, r as rimraf } from './chunks/write_tsconfig.js';
-import { g as get_runtime_path, s, i as init, u as update, a as get_mime_lookup, p as parse_route_id, b as all, l as logger } from './chunks/sync.js';
+import { g as get_runtime_directory, s, i as init, a as get_runtime_prefix, u as update, b as get_mime_lookup, p as parse_route_id, c as all, l as logger } from './chunks/sync.js';
 import { pathToFileURL, URL as URL$1 } from 'url';
 import { installPolyfills } from './node/polyfills.js';
 import * as qs from 'querystring';
@@ -127,7 +127,7 @@ function get_aliases(config) {
 	/** @type {Record<string, string>} */
 	const alias = {
 		__GENERATED__: path__default.posix.join(config.outDir, 'generated'),
-		$app: `${get_runtime_path(config)}/app`,
+		$app: `${get_runtime_directory(config)}/app`,
 
 		// For now, we handle `$lib` specially here rather than make it a default value for
 		// `config.kit.alias` since it has special meaning for packaging, etc.
@@ -253,12 +253,13 @@ function find_deps$1(manifest, entry, add_dynamic_css) {
  */
 const get_default_config = function ({ config, input, ssr, outDir }) {
 	return {
+		appType: 'custom',
 		base: assets_base(config.kit),
 		build: {
 			cssCodeSplit: true,
 			manifest: true,
 			outDir,
-			polyfillDynamicImport: false,
+			polyfillModulePreload: false,
 			rollupOptions: {
 				input,
 				output: {
@@ -278,7 +279,6 @@ const get_default_config = function ({ config, input, ssr, outDir }) {
 		resolve: {
 			alias: get_aliases(config.kit)
 		},
-		// @ts-expect-error
 		ssr: {
 			// when developing against the Kit src code, we want to ensure that
 			// our dependencies are bundled so that apps don't need to install
@@ -302,6 +302,9 @@ function assets_base(config) {
 }
 
 /**
+ * vite.config.js will contain vite-plugin-svelte-kit, which kicks off the server and service
+ * worker builds in a hook. When running the server and service worker builds we must remove
+ * the SvelteKit plugin so that we do not kick off additional instances of these builds.
  * @param {import('vite').UserConfig} config
  */
 function remove_svelte_kit(config) {
@@ -482,7 +485,7 @@ async function build_server(options, client) {
 			config,
 			hooks: app_relative(hooks_file),
 			has_service_worker: config.kit.serviceWorker.register && !!service_worker_entry_file,
-			runtime: get_runtime_path(config.kit),
+			runtime: posixify(path__default.relative(build_dir, get_runtime_directory(config.kit))),
 			template: load_template(cwd, config)
 		})
 	);
@@ -1950,7 +1953,7 @@ function toHeaders(name, stats, isEtag) {
 	return headers;
 }
 
-function sirv (dir, opts) {
+function sirv (dir, opts={}) {
 	dir = resolve$1(dir || '.');
 
 	let isNotFound = opts.onNoMatch || is404;
@@ -2049,7 +2052,7 @@ async function dev(vite, vite_config, svelte_config) {
 
 	init(svelte_config);
 
-	const runtime = get_runtime_path(svelte_config.kit);
+	const runtime = get_runtime_prefix(svelte_config.kit);
 
 	process.env.VITE_SVELTEKIT_APP_VERSION_POLL_INTERVAL = '0';
 
@@ -2077,7 +2080,7 @@ async function dev(vite, vite_config, svelte_config) {
 						const url = id.startsWith('..') ? `/@fs${path__default.posix.resolve(id)}` : `/${id}`;
 
 						const module = /** @type {import('types').SSRComponent} */ (
-							await vite.ssrLoadModule(url, { fixStacktrace: false })
+							await vite.ssrLoadModule(url)
 						);
 
 						return {
@@ -2107,7 +2110,7 @@ async function dev(vite, vite_config, svelte_config) {
 										(query.has('svelte') && query.get('type') === 'style')
 									) {
 										try {
-											const mod = await vite.ssrLoadModule(dep.url, { fixStacktrace: false });
+											const mod = await vite.ssrLoadModule(dep.url);
 											styles[dep.url] = mod.default;
 										} catch {
 											// this can happen with dynamically imported modules, I think
@@ -2135,7 +2138,7 @@ async function dev(vite, vite_config, svelte_config) {
 							shadow: route.shadow
 								? async () => {
 										const url = path__default.resolve(cwd$1, /** @type {string} */ (route.shadow));
-										return await vite.ssrLoadModule(url, { fixStacktrace: false });
+										return await vite.ssrLoadModule(url);
 								  }
 								: null,
 							a: route.a.map((id) => (id ? manifest_data.components.indexOf(id) : undefined)),
@@ -2151,7 +2154,7 @@ async function dev(vite, vite_config, svelte_config) {
 						types,
 						load: async () => {
 							const url = path__default.resolve(cwd$1, route.file);
-							return await vite.ssrLoadModule(url, { fixStacktrace: false });
+							return await vite.ssrLoadModule(url);
 						}
 					};
 				}),
@@ -2162,7 +2165,7 @@ async function dev(vite, vite_config, svelte_config) {
 					for (const key in manifest_data.matchers) {
 						const file = manifest_data.matchers[key];
 						const url = path__default.resolve(cwd$1, file);
-						const module = await vite.ssrLoadModule(url, { fixStacktrace: false });
+						const module = await vite.ssrLoadModule(url);
 
 						if (module.match) {
 							matchers[key] = module.match;
@@ -2252,9 +2255,7 @@ async function dev(vite, vite_config, svelte_config) {
 
 				/** @type {Partial<import('types').Hooks>} */
 				const user_hooks = resolve_entry(svelte_config.kit.files.hooks)
-					? await vite.ssrLoadModule(`/${svelte_config.kit.files.hooks}`, {
-							fixStacktrace: false
-					  })
+					? await vite.ssrLoadModule(`/${svelte_config.kit.files.hooks}`)
 					: {};
 
 				const handle = user_hooks.handle || (({ event, resolve }) => resolve(event));
@@ -2294,15 +2295,13 @@ async function dev(vite, vite_config, svelte_config) {
 				// can get loaded twice via different URLs, which causes failures. Might
 				// require changes to Vite to fix
 				const { default: root } = await vite.ssrLoadModule(
-					`/${posixify(path__default.relative(cwd$1, `${svelte_config.kit.outDir}/generated/root.svelte`))}`,
-					{ fixStacktrace: false }
+					`/${posixify(path__default.relative(cwd$1, `${svelte_config.kit.outDir}/generated/root.svelte`))}`
 				);
 
 				const paths = await vite.ssrLoadModule(
 					true
 						? `/${posixify(path__default.relative(cwd$1, `${svelte_config.kit.outDir}/runtime/paths.js`))}`
-						: `/@fs${runtime}/paths.js`,
-					{ fixStacktrace: false }
+						: `/@fs${runtime}/paths.js`
 				);
 
 				paths.set_paths({
@@ -2408,7 +2407,7 @@ async function dev(vite, vite_config, svelte_config) {
 }
 
 /** @param {import('http').ServerResponse} res */
-function not_found(res, message) {
+function not_found(res, message = 'Not found') {
 	res.statusCode = 404;
 	res.end(message);
 }
@@ -2417,12 +2416,7 @@ function not_found(res, message) {
  * @param {import('connect').Server} server
  */
 function remove_html_middlewares(server) {
-	const html_middlewares = [
-		'viteIndexHtmlMiddleware',
-		'vite404Middleware',
-		'viteSpaFallbackMiddleware',
-		'viteServeStaticMiddleware'
-	];
+	const html_middlewares = ['viteServeStaticMiddleware'];
 	for (let i = server.stack.length - 1; i > 0; i--) {
 		// @ts-expect-error using internals until https://github.com/vitejs/vite/pull/4640 is merged
 		if (html_middlewares.includes(server.stack[i].handle.name)) {
@@ -2789,8 +2783,9 @@ function scoped(scope, handler) {
 
 const cwd = process.cwd();
 
-/** @type {Record<string, any>} */
+/** @type {import('./types').EnforcedConfig} */
 const enforced_config = {
+	appType: true,
 	base: true,
 	build: {
 		cssCodeSplit: true,
@@ -2802,7 +2797,7 @@ const enforced_config = {
 		},
 		manifest: true,
 		outDir: true,
-		polyfillDynamicImport: true,
+		polyfillModulePreload: true,
 		rollupOptions: {
 			input: true,
 			output: {
@@ -2834,6 +2829,15 @@ function sveltekit() {
 }
 
 /**
+ * Returns the SvelteKit Vite plugin. Vite executes Rollup hooks as well as some of its own.
+ * Background reading is available at:
+ * - https://vitejs.dev/guide/api-plugin.html
+ * - https://rollupjs.org/guide/en/#plugin-development
+ *
+ * You can get an idea of the lifecycle by looking at the flow charts here:
+ * - https://rollupjs.org/guide/en/#build-hooks
+ * - https://rollupjs.org/guide/en/#output-generation-hooks
+ *
  * @return {import('vite').Plugin}
  */
 function kit() {
@@ -2870,12 +2874,12 @@ function kit() {
 	 */
 	let paths;
 
-	function create_client_config() {
+	function vite_client_config() {
 		/** @type {Record<string, string>} */
 		const input = {
 			// Put unchanging assets in immutable directory. We don't set that in the
 			// outDir so that other plugins can add mutable assets to the bundle
-			start: `${get_runtime_path(svelte_config.kit)}/client/start.js`
+			start: `${get_runtime_directory(svelte_config.kit)}/client/start.js`
 		};
 
 		// This step is optional — Vite/Rollup will create the necessary chunks
@@ -2899,9 +2903,38 @@ function kit() {
 		});
 	}
 
+	/**
+	 * @param {import('rollup').OutputAsset[]} assets
+	 * @param {import('rollup').OutputChunk[]} chunks
+	 */
+	function client_build_info(assets, chunks) {
+		/** @type {import('vite').Manifest} */
+		const vite_manifest = JSON.parse(
+			fs__default.readFileSync(`${paths.client_out_dir}/manifest.json`, 'utf-8')
+		);
+
+		const entry_id = posixify(
+			path__default.relative(cwd, `${get_runtime_directory(svelte_config.kit)}/client/start.js`)
+		);
+
+		return {
+			assets,
+			chunks,
+			entry: find_deps$1(vite_manifest, entry_id, false),
+			vite_manifest
+		};
+	}
+
+	// TODO remove this for 1.0
+	check_vite_version();
+
 	return {
 		name: 'vite-plugin-svelte-kit',
 
+		/**
+		 * Build the SvelteKit-provided Vite config to be merged with the user's vite.config.js file.
+		 * @see https://vitejs.dev/guide/api-plugin.html#config
+		 */
 		async config(config, config_env) {
 			vite_config_env = config_env;
 			svelte_config = await load_config();
@@ -2920,7 +2953,7 @@ function kit() {
 
 				manifest_data = all(svelte_config).manifest_data;
 
-				const new_config = create_client_config();
+				const new_config = vite_client_config();
 
 				warn_overridden_config(config, new_config);
 
@@ -2928,13 +2961,15 @@ function kit() {
 			}
 
 			// dev and preview config can be shared
+			/** @type {import('vite').UserConfig} */
 			const result = {
+				appType: 'custom',
 				base: '/',
 				build: {
 					rollupOptions: {
 						// Vite dependency crawler needs an explicit JS entry point
 						// eventhough server otherwise works without it
-						input: `${get_runtime_path(svelte_config.kit)}/client/start.js`
+						input: `${get_runtime_directory(svelte_config.kit)}/client/start.js`
 					}
 				},
 				resolve: {
@@ -2966,10 +3001,16 @@ function kit() {
 			return result;
 		},
 
+		/**
+		 * Stores the final config.
+		 */
 		configResolved(config) {
 			vite_config = config;
 		},
 
+		/**
+		 * Clears the output directories.
+		 */
 		buildStart() {
 			if (is_build) {
 				rimraf(paths.build_dir);
@@ -2980,6 +3021,11 @@ function kit() {
 			}
 		},
 
+		/**
+		 * Vite builds a single bundle. We need three bundles: client, server, and service worker.
+		 * The user's package.json scripts will invoke the Vite CLI to execute the client build. We
+		 * then use this hook to kick off builds for the server and service worker.
+		 */
 		async writeBundle(_options, bundle) {
 			log = logger({
 				verbose: vite_config.logLevel === 'info'
@@ -2990,36 +3036,10 @@ function kit() {
 				JSON.stringify({ version: process.env.VITE_SVELTEKIT_APP_VERSION })
 			);
 
-			/** @type {import('rollup').OutputChunk[]} */
-			const chunks = [];
-			/** @type {import('rollup').OutputAsset[]} */
-			const assets = [];
-			for (const key of Object.keys(bundle)) {
-				// collect asset and output chunks
-				if (bundle[key].type === 'asset') {
-					assets.push(/** @type {import('rollup').OutputAsset} */ (bundle[key]));
-				} else {
-					chunks.push(/** @type {import('rollup').OutputChunk} */ (bundle[key]));
-				}
-			}
-
-			/** @type {import('vite').Manifest} */
-			const vite_manifest = JSON.parse(
-				fs__default.readFileSync(`${paths.client_out_dir}/manifest.json`, 'utf-8')
-			);
-
-			const entry_id = posixify(
-				path__default.relative(cwd, `${get_runtime_path(svelte_config.kit)}/client/start.js`)
-			);
-
-			const client = {
-				assets,
-				chunks,
-				entry: find_deps$1(vite_manifest, entry_id, false),
-				vite_manifest
-			};
+			const { assets, chunks } = collect_output(bundle);
 			log.info(`Client build completed. Wrote ${chunks.length} chunks and ${assets.length} assets`);
 
+			log.info('Building server');
 			const options = {
 				cwd,
 				config: svelte_config,
@@ -3029,13 +3049,9 @@ function kit() {
 				output_dir: paths.output_dir,
 				service_worker_entry_file: resolve_entry(svelte_config.kit.files.serviceWorker)
 			};
-
-			log.info('Building server');
-
+			const client = client_build_info(assets, chunks);
 			const server = await build_server(options, client);
 
-			process.env.SVELTEKIT_SERVER_BUILD_COMPLETED = 'true';
-
 			/** @type {import('types').BuildData} */
 			build_data = {
 				app_dir: svelte_config.kit.appDir,
@@ -3054,6 +3070,9 @@ function kit() {
 				})};\n`
 			);
 
+			process.env.SVELTEKIT_SERVER_BUILD_COMPLETED = 'true';
+			log.info('Prerendering');
+
 			const static_files = manifest_data.assets.map((asset) => posixify(asset.file));
 
 			const files = new Set([
@@ -3069,8 +3088,6 @@ function kit() {
 				}
 			});
 
-			log.info('Prerendering');
-
 			prerendered = await prerender({
 				config: svelte_config.kit,
 				entries: manifest_data.routes
@@ -3095,6 +3112,9 @@ function kit() {
 			);
 		},
 
+		/**
+		 * Runs the adapter.
+		 */
 		async closeBundle() {
 			if (!is_build) {
 				return; // vite calls closeBundle when dev-server restarts, ignore that
@@ -3112,30 +3132,70 @@ function kit() {
 
 			if (svelte_config.kit.prerender.enabled) {
 				// this is necessary to close any open db connections, etc.
-				// TODO: prerender in a subprocess so we can exit in isolation
+				// TODO: prerender in a subprocess so we can exit in isolation and then remove this
 				// https://github.com/sveltejs/kit/issues/5306
 				process.exit(0);
 			}
 		},
 
+		/**
+		 * Adds the SvelteKit middleware to do SSR in dev mode.
+		 * @see https://vitejs.dev/guide/api-plugin.html#configureserver
+		 */
 		async configureServer(vite) {
 			return await dev(vite, vite_config, svelte_config);
 		},
 
+		/**
+		 * Adds the SvelteKit middleware to do SSR in preview mode.
+		 * @see https://vitejs.dev/guide/api-plugin.html#configurepreviewserver
+		 */
 		configurePreviewServer(vite) {
 			return preview(vite, svelte_config, vite_config.preview.https ? 'https' : 'http');
 		}
 	};
 }
 
+function check_vite_version() {
+	let vite_major = 3;
+
+	try {
+		const pkg = JSON.parse(fs__default.readFileSync('package.json', 'utf-8'));
+		vite_major = +pkg.devDependencies['vite'].replace(/^[~^]/, '')[0];
+	} catch {
+		// do nothing
+	}
+
+	if (vite_major < 3) {
+		throw new Error(
+			`Vite version ${vite_major} is no longer supported. Please upgrade to version 3`
+		);
+	}
+}
+
+/** @param {import('rollup').OutputBundle} bundle */
+function collect_output(bundle) {
+	/** @type {import('rollup').OutputChunk[]} */
+	const chunks = [];
+	/** @type {import('rollup').OutputAsset[]} */
+	const assets = [];
+	for (const value of Object.values(bundle)) {
+		// collect asset and output chunks
+		if (value.type === 'asset') {
+			assets.push(value);
+		} else {
+			chunks.push(value);
+		}
+	}
+	return { assets, chunks };
+}
+
 /**
  * @param {Record<string, any>} config
  * @param {Record<string, any>} resolved_config
- * @param {string} [path]
- * @param {string[]} [out] used locally to compute the return value
  */
-function warn_overridden_config(config, resolved_config, path = '', out = []) {
-	const overridden = find_overridden_config(config, resolved_config, path, out);
+function warn_overridden_config(config, resolved_config) {
+	const overridden = find_overridden_config(config, resolved_config, enforced_config, '', []);
 	if (overridden.length > 0) {
 		console.log(
 			$.bold().red('The following Vite config options will be overridden by SvelteKit:')
@@ -3147,16 +3207,21 @@ function warn_overridden_config(config, resolved_config, path = '', out = []) {
 /**
  * @param {Record<string, any>} config
  * @param {Record<string, any>} resolved_config
+ * @param {import('./types').EnforcedConfig} enforced_config
  * @param {string} path
  * @param {string[]} out used locally to compute the return value
  */
-function find_overridden_config(config, resolved_config, path, out) {
+function find_overridden_config(config, resolved_config, enforced_config, path, out) {
 	for (const key in enforced_config) {
 		if (typeof config === 'object' && config !== null && key in config) {
-			if (enforced_config[key] === true && config[key] !== resolved_config[key]) {
-				out.push(path + key);
+			const enforced = enforced_config[key];
+
+			if (enforced === true) {
+				if (config[key] !== resolved_config[key]) {
+					out.push(path + key);
+				}
 			} else {
-				find_overridden_config(config[key], resolved_config[key], path + key + '.', out);
+				find_overridden_config(config[key], resolved_config[key], enforced, path + key + '.', out);
 			}
 		}
 	}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.371",
+  "version": "1.0.0-next.374",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -10,12 +10,12 @@
   "homepage": "https://kit.svelte.dev",
   "type": "module",
   "dependencies": {
-    "@sveltejs/vite-plugin-svelte": "1.0.0-next.49",
+    "@sveltejs/vite-plugin-svelte": "^1.0.1",
     "chokidar": "^3.5.3",
     "sade": "^1.8.1"
   },
   "devDependencies": {
-    "@playwright/test": "^1.22.2",
+    "@playwright/test": "^1.23.3",
     "@rollup/plugin-replace": "^4.0.0",
     "@types/connect": "^3.4.35",
     "@types/cookie": "^0.5.1",
@@ -33,7 +33,7 @@
     "marked": "^4.0.16",
     "mime": "^3.0.0",
     "node-fetch": "^3.2.4",
-    "rollup": "^2.75.3",
+    "rollup": "^2.75.7",
     "selfsigned": "^2.0.1",
     "set-cookie-parser": "^2.4.8",
     "sirv": "^2.0.2",
@@ -45,11 +45,11 @@
     "typescript": "^4.7.4",
     "undici": "^5.6.1",
     "uvu": "^0.5.3",
-    "vite": "^2.9.13"
+    "vite": "^3.0.0"
   },
   "peerDependencies": {
     "svelte": "^3.44.0",
-    "vite": "^2.9.10"
+    "vite": "^3.0.0"
   },
   "bin": {
     "svelte-kit": "svelte-kit.js"

package/types/ambient.d.ts

@@ -80,7 +80,7 @@ declare module '$app/env' {
 	export const dev: boolean;
 
 	/**
-	 * The Vite.js mode the app is running in. Configure in `config.kit.vite.mode`.
+	 * The Vite.js mode the app is running in. Configure in [`vite.config.js`](https://vitejs.dev/config/shared-options.html#mode).
 	 * Vite.js loads the dotenv file associated with the provided mode, `.env.[mode]` or `.env.[mode].local`.
 	 * By default, `vite dev` runs with `mode=development` and `vite build` runs with `mode=production`.
 	 */

package/types/index.d.ts

@@ -105,6 +105,7 @@ export interface KitConfig {
 	csp?: {
 		mode?: 'hash' | 'nonce' | 'auto';
 		directives?: CspDirectives;
+		reportOnly?: CspDirectives;
 	};
 	moduleExtensions?: string[];
 	files?: {
@@ -150,7 +151,6 @@ export interface KitConfig {
 		name?: string;
 		pollInterval?: number;
 	};
-	vite?: import('vite').UserConfig | (() => MaybePromise<import('vite').UserConfig>);
 }
 
 export interface ExternalFetch {
@@ -182,7 +182,7 @@ export interface Load<
 	InputProps extends Record<string, any> = Record<string, any>,
 	OutputProps extends Record<string, any> = InputProps
 > {
-	(event: LoadEvent<Params, InputProps>): MaybePromise<LoadOutput<OutputProps>>;
+	(event: LoadEvent<Params, InputProps>): MaybePromise<LoadOutput<OutputProps> | void>;
 }
 
 export interface LoadEvent<

package/types/internal.d.ts

@@ -113,7 +113,7 @@ export interface MethodOverride {
 }
 
 export type NormalizedLoadOutput = {
-	status: number;
+	status?: number;
 	error?: Error;
 	redirect?: string;
 	props?: Record<string, any> | Promise<Record<string, any>>;
@@ -153,12 +153,9 @@ export interface PrerenderOptions {
 
 export type RecursiveRequired<T> = {
 	// Recursive implementation of TypeScript's Required utility type.
-	// Will recursively continue until it reaches primitive or union
-	// with a Function in it, except those commented below
+	// Will recursively continue until it reaches a primitive or Function
 	[K in keyof T]-?: Extract<T[K], Function> extends never // If it does not have a Function type
 		? RecursiveRequired<T[K]> // recursively continue through.
-		: K extends 'vite' // If it reaches the 'vite' key
-		? Extract<T[K], Function> // only take the Function type.
 		: T[K]; // Use the exact type for everything else
 };