@sveltejs/kit 1.14.0 → 1.15.1
- package/package.json +2 -2
- package/src/core/sync/write_types/index.js +17 -10
- package/src/exports/vite/build/utils.js +3 -1
- package/src/exports/vite/dev/index.js +10 -1
- package/src/exports/vite/index.js +2 -1
- package/src/runtime/server/page/actions.js +1 -1
- package/src/runtime/server/respond.js +6 -3
- package/src/utils/http.js +8 -1
- package/types/index.d.ts +8 -8
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sveltejs/kit",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.15.1",
|
|
4
4
|
"repository": {
|
|
5
5
|
"type": "git",
|
|
6
6
|
"url": "https://github.com/sveltejs/kit",
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
"set-cookie-parser": "^2.5.1",
|
|
23
23
|
"sirv": "^2.0.2",
|
|
24
24
|
"tiny-glob": "^0.2.9",
|
|
25
|
-
"undici": "5.
|
|
25
|
+
"undici": "5.20.0"
|
|
26
26
|
},
|
|
27
27
|
"devDependencies": {
|
|
28
28
|
"@playwright/test": "^1.29.2",
|
|
@@ -390,16 +390,23 @@ function process_node(node, outdir, is_page, proxies, all_pages_have_load = true
|
|
|
390
390
|
|
|
391
391
|
if (is_page) {
|
|
392
392
|
let type = 'unknown';
|
|
393
|
-
if (proxy) {
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
type =
|
|
402
|
-
|
|
393
|
+
if (proxy && proxy.exports.includes('actions')) {
|
|
394
|
+
// If the file wasn't tweaked, we can use the return type of the original file.
|
|
395
|
+
// The advantage is that type updates are reflected without saving.
|
|
396
|
+
const from = proxy.modified
|
|
397
|
+
? `./proxy${replace_ext_with_js(basename)}`
|
|
398
|
+
: path_to_original(outdir, node.server);
|
|
399
|
+
|
|
400
|
+
exports.push(
|
|
401
|
+
`type ExcludeActionFailure<T> = T extends Kit.ActionFailure<any> ? never : T extends void ? never : T;`,
|
|
402
|
+
`type ActionsSuccess<T extends Record<string, (...args: any) => any>> = { [Key in keyof T]: ExcludeActionFailure<Awaited<ReturnType<T[Key]>>>; }[keyof T];`,
|
|
403
|
+
`type ExtractActionFailure<T> = T extends Kit.ActionFailure<infer X> ? X extends void ? never : X : never;`,
|
|
404
|
+
`type ActionsFailure<T extends Record<string, (...args: any) => any>> = { [Key in keyof T]: Exclude<ExtractActionFailure<Awaited<ReturnType<T[Key]>>>, void>; }[keyof T];`,
|
|
405
|
+
`type ActionsExport = typeof import('${from}').actions`,
|
|
406
|
+
`export type SubmitFunction = Kit.SubmitFunction<Expand<ActionsSuccess<ActionsExport>>, Expand<ActionsFailure<ActionsExport>>>`
|
|
407
|
+
);
|
|
408
|
+
|
|
409
|
+
type = `Expand<Kit.AwaitedActions<ActionsExport>> | null`;
|
|
403
410
|
}
|
|
404
411
|
exports.push(`export type ActionData = ${type};`);
|
|
405
412
|
}
|
|
@@ -72,7 +72,9 @@ export function find_deps(manifest, entry, add_dynamic_css) {
|
|
|
72
72
|
*/
|
|
73
73
|
export function resolve_symlinks(manifest, file) {
|
|
74
74
|
while (!manifest[file]) {
|
|
75
|
-
|
|
75
|
+
const next = path.relative('.', fs.realpathSync(file));
|
|
76
|
+
if (next === file) throw new Error(`Could not find file "${file}" in Vite manifest`);
|
|
77
|
+
file = next;
|
|
76
78
|
}
|
|
77
79
|
|
|
78
80
|
const chunk = manifest[file];
|
|
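Review bot: The value assigned to `next` in `resolve_symlinks` comes from `path.relative`, which returns platform-native separators, and it is then used directly as a key into `manifest`. If the Vite manifest keys are forward-slash paths (not visible in this hunk), a resolved symlink on Windows would never match and the lookup would end in the new "Could not find file" error even though the entry exists. Normalising before the comparison would avoid that, e.g. `const next = path.relative('.', fs.realpathSync(file)).split(path.sep).join('/');`. The rest of the function body continues outside the hunk.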
@@ -58,7 +58,16 @@ export async function dev(vite, vite_config, svelte_config) {
|
|
|
58
58
|
const msg = buildErrorMessage(err, [colors.red(`Internal server error: ${err.message}`)]);
|
|
59
59
|
|
|
60
60
|
vite.config.logger.error(msg, { error: err });
|
|
61
|
-
vite.ws.send({
|
|
61
|
+
vite.ws.send({
|
|
62
|
+
type: 'error',
|
|
63
|
+
err: {
|
|
64
|
+
...err,
|
|
65
|
+
// these properties are non-enumerable and will
|
|
66
|
+
// not be serialized unless we explicitly include them
|
|
67
|
+
message: err.message,
|
|
68
|
+
stack: err.stack
|
|
69
|
+
}
|
|
70
|
+
});
|
|
62
71
|
|
|
63
72
|
throw err;
|
|
64
73
|
}
|
|
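Review bot: The `...err` spread in the `vite.ws.send` payload serialises every enumerable own property of the thrown value to the connected dev clients, not just what the error overlay displays. Errors raised by application code can carry attached context (request or config objects, for instance), and that would now be sent to the browser along with the stack. Listing the fields explicitly keeps the payload predictable, e.g. `err: { message: err.message, stack: err.stack, id: err.id, frame: err.frame, loc: err.loc, plugin: err.plugin }`. The enclosing error handler starts outside the hunk, so the possible shapes of `err` cannot be checked from here.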
@@ -564,11 +564,12 @@ function kit({ svelte_config }) {
|
|
|
564
564
|
preserveEntrySignatures: 'strict'
|
|
565
565
|
},
|
|
566
566
|
ssrEmitAssets: true,
|
|
567
|
+
copyPublicDir: !ssr,
|
|
567
568
|
target: ssr ? 'node16.14' : undefined,
|
|
568
569
|
// don't use the default name to avoid collisions with 'static/manifest.json'
|
|
569
570
|
manifest: 'vite-manifest.json'
|
|
570
571
|
},
|
|
571
|
-
publicDir:
|
|
572
|
+
publicDir: kit.files.assets,
|
|
572
573
|
worker: {
|
|
573
574
|
rollupOptions: {
|
|
574
575
|
output: {
|
|
@@ -214,7 +214,7 @@ async function call_action(event, actions) {
|
|
|
214
214
|
|
|
215
215
|
if (!is_form_content_type(event.request)) {
|
|
216
216
|
throw new Error(
|
|
217
|
-
`Actions expect form-encoded data (received ${event.request.headers.get('content-type')}`
|
|
217
|
+
`Actions expect form-encoded data (received ${event.request.headers.get('content-type')})`
|
|
218
218
|
);
|
|
219
219
|
}
|
|
220
220
|
|
|
@@ -51,9 +51,12 @@ export async function respond(request, options, manifest, state) {
|
|
|
51
51
|
|
|
52
52
|
if (options.csrf_check_origin) {
|
|
53
53
|
const forbidden =
|
|
54
|
-
request
|
|
55
|
-
request.
|
|
56
|
-
|
|
54
|
+
is_form_content_type(request) &&
|
|
55
|
+
(request.method === 'POST' ||
|
|
56
|
+
request.method === 'PUT' ||
|
|
57
|
+
request.method === 'PATCH' ||
|
|
58
|
+
request.method === 'DELETE') &&
|
|
59
|
+
request.headers.get('origin') !== url.origin;
|
|
57
60
|
|
|
58
61
|
if (forbidden) {
|
|
59
62
|
const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
|
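Review bot: The new `forbidden` expression only compares origins when `is_form_content_type(request)` is true, and nothing in the hunk records why every other request may skip the check. A comment above it would make the assumption reviewable, for example `// only form content types can be sent cross-origin without a CORS preflight, so only those are origin-checked`. The exemption also covers requests that carry no `Content-Type` header at all; it is worth confirming that this is intended for endpoints that read the body regardless of type. A missing `origin` header yields `null !== url.origin` and is rejected, which is the right failure direction. The `if (forbidden)` body and the rest of `respond` continue outside the hunk.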
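--- a/package/src/utils/http.js
+++ b/package/src/utils/http.js
@@ -68,5 +68,12 @@ export function is_content_type(request, ...types) {
 * @param {Request} request
 */
 export function is_form_content_type(request) {
-
+// These content types must be protected against CSRF
+// https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/enctype
+return is_content_type(
+request,
+'application/x-www-form-urlencoded',
+'multipart/form-data',
+'text/plain'
+);
 }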
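Review bot: Whether this list protects anything depends on how `is_content_type` matches the header, and its body sits above the hunk. If it compares the media type exactly, a value that differs only in letter case or surrounding whitespace would not be recognised as a form type, and the request would skip the origin check in `respond`. The comparison should be made on a lower-cased, trimmed media type with parameters stripped. A regression test that sends a cross-origin `POST` with a mixed-case `Content-Type` would pin the behaviour down.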
package/types/index.d.ts
CHANGED
|
@@ -328,13 +328,13 @@ export interface KitConfig {
|
|
|
328
328
|
reportOnly?: CspDirectives;
|
|
329
329
|
};
|
|
330
330
|
/**
|
|
331
|
-
* Protection against [cross-site request forgery](https://owasp.org/www-community/attacks/csrf) attacks.
|
|
331
|
+
* Protection against [cross-site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) attacks.
|
|
332
332
|
*/
|
|
333
333
|
csrf?: {
|
|
334
334
|
/**
|
|
335
|
-
* Whether to check the incoming `origin` header for `POST` form submissions and verify that it matches the server's origin.
|
|
335
|
+
* Whether to check the incoming `origin` header for `POST`, `PUT`, `PATCH`, or `DELETE` form submissions and verify that it matches the server's origin.
|
|
336
336
|
*
|
|
337
|
-
* To allow people to make `POST` form
|
|
337
|
+
* To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
|
|
338
338
|
* @default true
|
|
339
339
|
*/
|
|
340
340
|
checkOrigin?: boolean;
|
|
@@ -1167,10 +1167,10 @@ export type Actions<
|
|
|
1167
1167
|
*/
|
|
1168
1168
|
export type ActionResult<
|
|
1169
1169
|
Success extends Record<string, unknown> | undefined = Record<string, any>,
|
|
1170
|
-
|
|
1170
|
+
Failure extends Record<string, unknown> | undefined = Record<string, any>
|
|
1171
1171
|
> =
|
|
1172
1172
|
| { type: 'success'; status: number; data?: Success }
|
|
1173
|
-
| { type: 'failure'; status: number; data?:
|
|
1173
|
+
| { type: 'failure'; status: number; data?: Failure }
|
|
1174
1174
|
| { type: 'redirect'; status: number; location: string }
|
|
1175
1175
|
| { type: 'error'; status?: number; error: any };
|
|
1176
1176
|
|
|
@@ -1239,7 +1239,7 @@ export function text(body: string, init?: ResponseInit): Response;
|
|
|
1239
1239
|
* @param status The [HTTP status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status#client_error_responses). Must be in the range 400-599.
|
|
1240
1240
|
* @param data Data associated with the failure (e.g. validation errors)
|
|
1241
1241
|
*/
|
|
1242
|
-
export function fail<T extends Record<string, unknown> | undefined>(
|
|
1242
|
+
export function fail<T extends Record<string, unknown> | undefined = undefined>(
|
|
1243
1243
|
status: number,
|
|
1244
1244
|
data?: T
|
|
1245
1245
|
): ActionFailure<T>;
|
|
@@ -1257,7 +1257,7 @@ export interface ActionFailure<T extends Record<string, unknown> | undefined = u
|
|
|
1257
1257
|
|
|
1258
1258
|
export interface SubmitFunction<
|
|
1259
1259
|
Success extends Record<string, unknown> | undefined = Record<string, any>,
|
|
1260
|
-
|
|
1260
|
+
Failure extends Record<string, unknown> | undefined = Record<string, any>
|
|
1261
1261
|
> {
|
|
1262
1262
|
(input: {
|
|
1263
1263
|
action: URL;
|
|
@@ -1271,7 +1271,7 @@ export interface SubmitFunction<
|
|
|
1271
1271
|
| ((opts: {
|
|
1272
1272
|
form: HTMLFormElement;
|
|
1273
1273
|
action: URL;
|
|
1274
|
-
result: ActionResult<Success,
|
|
1274
|
+
result: ActionResult<Success, Failure>;
|
|
1275
1275
|
/**
|
|
1276
1276
|
* Call this to get the default behavior of a form submission response.
|
|
1277
1277
|
* @param options Set `reset: false` if you don't want the `<form>` values to be reset after a successful submission.
|