@sveltejs/kit 1.30.2 → 2.0.0

package/src/runtime/server/page/load_data.js

@@ -1,6 +1,5 @@
-import { disable_search, make_trackable } from '../../../utils/url.js';
-import { unwrap_promises } from '../../../utils/promises.js';
 import { DEV } from 'esm-env';
+import { disable_search, make_trackable } from '../../../utils/url.js';
 import { validate_depends } from '../../shared.js';
 
 /**
@@ -10,39 +9,49 @@ import { validate_depends } from '../../shared.js';
  *   state: import('types').SSRState;
  *   node: import('types').SSRNode | undefined;
  *   parent: () => Promise<Record<string, any>>;
- *   track_server_fetches: boolean;
  * }} opts
  * @returns {Promise<import('types').ServerDataNode | null>}
  */
-export async function load_server_data({
-	event,
-	state,
-	node,
-	parent,
-	// TODO 2.0: Remove this
-	track_server_fetches
-}) {
+export async function load_server_data({ event, state, node, parent }) {
 	if (!node?.server) return null;
 
 	let done = false;
+	let is_tracking = true;
 
 	const uses = {
 		dependencies: new Set(),
 		params: new Set(),
 		parent: false,
 		route: false,
-		url: false
+		url: false,
+		search_params: new Set()
 	};
 
-	const url = make_trackable(event.url, () => {
-		if (DEV && done && !uses.url) {
-			console.warn(
-				`${node.server_id}: Accessing URL properties in a promise handler after \`load(...)\` has returned will not cause the function to re-run when the URL changes`
-			);
-		}
+	const url = make_trackable(
+		event.url,
+		() => {
+			if (DEV && done && !uses.url) {
+				console.warn(
+					`${node.server_id}: Accessing URL properties in a promise handler after \`load(...)\` has returned will not cause the function to re-run when the URL changes`
+				);
+			}
 
-		uses.url = true;
-	});
+			if (is_tracking) {
+				uses.url = true;
+			}
+		},
+		(param) => {
+			if (DEV && done && !uses.search_params.has(param)) {
+				console.warn(
+					`${node.server_id}: Accessing URL properties in a promise handler after \`load(...)\` has returned will not cause the function to re-run when the URL changes`
+				);
+			}
+
+			if (is_tracking) {
+				uses.search_params.add(param);
+			}
+		}
+	);
 
 	if (state.prerendering) {
 		disable_search(url);
@@ -59,11 +68,7 @@ export async function load_server_data({
 				);
 			}
 
-			// TODO 2.0: Remove this
-			if (track_server_fetches) {
-				uses.dependencies.add(url.href);
-			}
-
+			// Note: server fetches are not added to uses.depends due to security concerns
 			return event.fetch(info, init);
 		},
 		/** @param {string[]} deps */
@@ -94,7 +99,9 @@ export async function load_server_data({
 					);
 				}
 
-				uses.params.add(key);
+				if (is_tracking) {
+					uses.params.add(key);
+				}
 				return target[/** @type {string} */ (key)];
 			}
 		}),
@@ -105,7 +112,9 @@ export async function load_server_data({
 				);
 			}
 
-			uses.parent = true;
+			if (is_tracking) {
+				uses.parent = true;
+			}
 			return parent();
 		},
 		route: new Proxy(event.route, {
@@ -118,23 +127,32 @@ export async function load_server_data({
 					);
 				}
 
-				uses.route = true;
+				if (is_tracking) {
+					uses.route = true;
+				}
 				return target[/** @type {'id'} */ (key)];
 			}
 		}),
-		url
+		url,
+		untrack(fn) {
+			is_tracking = false;
+			try {
+				return fn();
+			} finally {
+				is_tracking = true;
+			}
+		}
 	});
 
-	const data = result ? await unwrap_promises(result, node.server_id) : null;
 	if (__SVELTEKIT_DEV__) {
-		validate_load_response(data, node.server_id);
+		validate_load_response(result, node.server_id);
 	}
 
 	done = true;
 
 	return {
 		type: 'data',
-		data,
+		data: result ?? null,
 		uses,
 		slash: node.server.trailingSlash
 	};
@@ -178,15 +196,15 @@ export async function load_data({
 		fetch: create_universal_fetch(event, state, fetched, csr, resolve_opts),
 		setHeaders: event.setHeaders,
 		depends: () => {},
-		parent
+		parent,
+		untrack: (fn) => fn()
 	});
 
-	const data = result ? await unwrap_promises(result, node.universal_id) : null;
 	if (__SVELTEKIT_DEV__) {
-		validate_load_response(data, node.universal_id);
+		validate_load_response(result, node.universal_id);
 	}
 
-	return data;
+	return result ?? null;
 }
 
 /**
@@ -398,10 +416,10 @@ function validate_load_response(data, id) {
 				typeof data !== 'object'
 					? `a ${typeof data}`
 					: data instanceof Response
-					  ? 'a Response object'
-					  : Array.isArray(data)
-					    ? 'an array'
-					    : 'a non-plain object'
+						? 'a Response object'
+						: Array.isArray(data)
+							? 'an array'
+							: 'a non-plain object'
 			}, but must return a plain object at the top level (i.e. \`return {...}\`)`
 		);
 	}

package/src/runtime/server/page/render.js

@@ -8,7 +8,7 @@ import { s } from '../../../utils/misc.js';
 import { Csp } from './csp.js';
 import { uneval_action_response } from './actions.js';
 import { clarify_devalue_error, stringify_uses, handle_error_and_jsonify } from '../utils.js';
-import { public_env } from '../../shared-server.js';
+import { public_env, safe_public_env } from '../../shared-server.js';
 import { text } from '../../../exports/index.js';
 import { create_async_iterator } from '../../../utils/streaming.js';
 import { SVELTE_KIT_ASSETS } from '../../../constants.js';
@@ -95,7 +95,7 @@ export async function render_response({
 	let base_expression = s(paths.base);
 
 	// if appropriate, use relative paths for greater portability
-	if (paths.relative !== false && !state.prerendering?.fallback) {
+	if (paths.relative && !state.prerendering?.fallback) {
 		const segments = event.url.pathname.slice(paths.base.length).split('/').slice(2);
 
 		base = segments.map(() => '..').join('/') || '.';
@@ -141,7 +141,8 @@ export async function render_response({
 			status,
 			url: event.url,
 			data,
-			form: form_value
+			form: form_value,
+			state: {}
 		};
 
 		// use relative paths during rendering, so that the resulting HTML is as
@@ -276,6 +277,10 @@ export async function render_response({
 	}
 
 	if (page_config.csr) {
+		if (client.uses_env_dynamic_public && state.prerendering) {
+			modulepreloads.add(`${options.app_dir}/env.js`);
+		}
+
 		const included_modulepreloads = Array.from(modulepreloads, (dep) => prefixed(dep)).filter(
 			(path) => resolve_opts.preload({ type: 'js', path })
 		);
@@ -295,7 +300,7 @@ export async function render_response({
 		const properties = [
 			paths.assets && `assets: ${s(paths.assets)}`,
 			`base: ${base_expression}`,
-			`env: ${s(public_env)}`
+			`env: ${!client.uses_env_dynamic_public || state.prerendering ? null : s(public_env)}`
 		].filter(Boolean);
 
 		if (chunks) {
@@ -431,7 +436,7 @@ export async function render_response({
 		body,
 		assets,
 		nonce: /** @type {string} */ (csp.nonce),
-		env: public_env
+		env: safe_public_env
 	});
 
 	// TODO flush chunks as early as we can
@@ -467,7 +472,7 @@ export async function render_response({
 		? text(transformed, {
 				status,
 				headers
-		  })
+			})
 		: new Response(
 				new ReadableStream({
 					async start(controller) {
@@ -485,7 +490,7 @@ export async function render_response({
 						'content-type': 'text/html'
 					}
 				}
-		  );
+			);
 }
 
 /**

package/src/runtime/server/page/respond_with_error.js

@@ -2,7 +2,8 @@ import { render_response } from './render.js';
 import { load_data, load_server_data } from './load_data.js';
 import { handle_error_and_jsonify, static_error_page, redirect_response } from '../utils.js';
 import { get_option } from '../../../utils/options.js';
-import { HttpError, Redirect } from '../../control.js';
+import { Redirect } from '../../control.js';
+import { get_status } from '../../../utils/error.js';
 
 /**
  * @typedef {import('./types.js').Loaded} Loaded
@@ -49,8 +50,7 @@ export async function respond_with_error({
 				event,
 				state,
 				node: default_layout,
-				parent: async () => ({}),
-				track_server_fetches: options.track_server_fetches
+				parent: async () => ({})
 			});
 
 			const server_data = await server_data_promise;
@@ -104,7 +104,7 @@ export async function respond_with_error({
 
 		return static_error_page(
 			options,
-			e instanceof HttpError ? e.status : 500,
+			get_status(e),
 			(await handle_error_and_jsonify(event, options, e)).message
 		);
 	}

package/src/runtime/server/page/types.d.ts

@@ -32,5 +32,5 @@ export interface CspOpts {
 export interface Cookie {
 	name: string;
 	value: string;
-	options: CookieSerializeOptions;
+	options: CookieSerializeOptions & { path: string };
 }

package/src/runtime/server/respond.js

@@ -18,7 +18,7 @@ import { exec } from '../../utils/routing.js';
 import { redirect_json_response, render_data } from './data/index.js';
 import { add_cookies_to_headers, get_cookies } from './cookie.js';
 import { create_fetch } from './fetch.js';
-import { Redirect, NotFound } from '../control.js';
+import { HttpError, Redirect, SvelteKitError } from '../control.js';
 import {
 	validate_layout_exports,
 	validate_layout_server_exports,
@@ -27,9 +27,10 @@ import {
 	validate_server_exports
 } from '../../utils/exports.js';
 import { get_option } from '../../utils/options.js';
-import { error, json, text } from '../../exports/index.js';
+import { json, text } from '../../exports/index.js';
 import { action_json_redirect, is_action_json_request } from './page/actions.js';
 import { INVALIDATED_PARAM, TRAILING_SLASH_PARAM } from '../shared.js';
+import { get_public_env } from './env_module.js';
 
 /* global __SVELTEKIT_ADAPTER_NAME__ */
 
@@ -67,7 +68,10 @@ export async function respond(request, options, manifest, state) {
 			request.headers.get('origin') !== url.origin;
 
 		if (forbidden) {
-			const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
+			const csrf_error = new HttpError(
+				403,
+				`Cross-site ${request.method} form submissions are forbidden`
+			);
 			if (request.headers.get('accept') === 'application/json') {
 				return json(csrf_error.body, { status: csrf_error.status });
 			}
@@ -95,6 +99,10 @@ export async function respond(request, options, manifest, state) {
 		decoded = decoded.slice(base.length) || '/';
 	}
 
+	if (decoded === `/${options.app_dir}/env.js`) {
+		return get_public_env(request);
+	}
+
 	const is_data_request = has_data_suffix(decoded);
 	/** @type {boolean[] | undefined} */
 	let invalidated_data_nodes;
@@ -341,8 +349,8 @@ export async function respond(request, options, manifest, state) {
 			const response = is_data_request
 				? redirect_json_response(e)
 				: route?.page && is_action_json_request(event)
-				  ? action_json_redirect(e)
-				  : redirect_response(e.status, e.location);
+					? action_json_redirect(e)
+					: redirect_response(e.status, e.location);
 			add_cookies_to_headers(response.headers, Object.values(cookies_to_add));
 			return response;
 		}
@@ -356,12 +364,6 @@ export async function respond(request, options, manifest, state) {
 	async function resolve(event, opts) {
 		try {
 			if (opts) {
-				if ('ssr' in opts) {
-					throw new Error(
-						'ssr has been removed, set it in the appropriate +layout.js instead. See the PR for more information: https://github.com/sveltejs/kit/pull/6197'
-					);
-				}
-
 				resolve_opts = {
 					transformPageChunk: opts.transformPageChunk || default_transform,
 					filterSerializedResponseHeaders: opts.filterSerializedResponseHeaders || default_filter,
@@ -480,7 +482,7 @@ export async function respond(request, options, manifest, state) {
 					manifest,
 					state,
 					status: 404,
-					error: new NotFound(event.url.pathname),
+					error: new SvelteKitError(404, 'Not Found', `Not found: ${event.url.pathname}`),
 					resolve_opts
 				});
 			}

package/src/runtime/server/utils.js

@@ -1,8 +1,8 @@
 import { DEV } from 'esm-env';
 import { json, text } from '../../exports/index.js';
-import { coalesce_to_error } from '../../utils/error.js';
+import { coalesce_to_error, get_message, get_status } from '../../utils/error.js';
 import { negotiate } from '../../utils/http.js';
-import { HttpError, NotFound } from '../control.js';
+import { HttpError } from '../control.js';
 import { fix_stack_trace } from '../shared-server.js';
 import { ENDPOINT_METHODS } from '../../constants.js';
 
@@ -70,7 +70,7 @@ export function static_error_page(options, status, message) {
  */
 export async function handle_fatal_error(event, options, error) {
 	error = error instanceof HttpError ? error : coalesce_to_error(error);
-	const status = error instanceof HttpError ? error.status : 500;
+	const status = get_status(error);
 	const body = await handle_error_and_jsonify(event, options, error);
 
 	// ideally we'd use sec-fetch-dest instead, but Safari — quelle surprise — doesn't support it
@@ -103,11 +103,10 @@ export async function handle_error_and_jsonify(event, options, error) {
 		fix_stack_trace(error);
 	}
 
-	return (
-		(await options.hooks.handleError({ error, event })) ?? {
-			message: event.route.id === null && error instanceof NotFound ? 'Not Found' : 'Internal Error'
-		}
-	);
+	const status = get_status(error);
+	const message = get_message(error);
+
+	return (await options.hooks.handleError({ error, event, status, message })) ?? { message };
 }
 
 /**
@@ -149,6 +148,10 @@ export function stringify_uses(node) {
 		uses.push(`"dependencies":${JSON.stringify(Array.from(node.uses.dependencies))}`);
 	}
 
+	if (node.uses && node.uses.search_params.size > 0) {
+		uses.push(`"search_params":${JSON.stringify(Array.from(node.uses.search_params))}`);
+	}
+
 	if (node.uses && node.uses.params.size > 0) {
 		uses.push(`"params":${JSON.stringify(Array.from(node.uses.params))}`);
 	}

package/src/runtime/shared-server.js

@@ -1,9 +1,21 @@
-/** @type {Record<string, string>} */
+/**
+ * `$env/dynamic/private`
+ * @type {Record<string, string>}
+ */
 export let private_env = {};
 
-/** @type {Record<string, string>} */
+/**
+ * `$env/dynamic/public`. When prerendering, this will be a proxy that forbids reads
+ * @type {Record<string, string>}
+ */
 export let public_env = {};
 
+/**
+ * The same as `public_env`, but without the proxy. Use for `%sveltekit.env.PUBLIC_FOO%`
+ * @type {Record<string, string>}
+ */
+export let safe_public_env = {};
+
 /** @param {any} error */
 export let fix_stack_trace = (error) => error?.stack;
 
@@ -17,6 +29,11 @@ export function set_public_env(environment) {
 	public_env = environment;
 }
 
+/** @type {(environment: Record<string, string>) => void} */
+export function set_safe_public_env(environment) {
+	safe_public_env = environment;
+}
+
 /** @param {(error: Error) => string} value */
 export function set_fix_stack_trace(value) {
 	fix_stack_trace = value;

package/src/types/ambient.d.ts

@@ -7,6 +7,7 @@
  * 		// interface Error {}
  * 		// interface Locals {}
  * 		// interface PageData {}
+ * 		// interface PageState {}
  * 		// interface Platform {}
  * 	}
  * }
@@ -39,6 +40,11 @@ declare namespace App {
 	 */
 	export interface PageData {}
 
+	/**
+	 * The shape of the `$page.state` object, which can be manipulated using the [`pushState`](https://kit.svelte.dev/docs/modules#$app-navigation-pushstate) and [`replaceState`](https://kit.svelte.dev/docs/modules#$app-navigation-replacestate) functions from `$app/navigation`.
+	 */
+	export interface PageState {}
+
 	/**
 	 * If your adapter provides [platform-specific context](https://kit.svelte.dev/docs/adapters#platform-specific-context) via `event.platform`, you can specify it here.
 	 */
@@ -101,7 +107,7 @@ declare module '__sveltekit/paths' {
 	 * > If a value for `config.kit.paths.assets` is specified, it will be replaced with `'/_svelte_kit_assets'` during `vite dev` or `vite preview`, since the assets don't yet live at their eventual URL.
 	 */
 	export let assets: '' | `https://${string}` | `http://${string}` | '/_svelte_kit_assets';
-	export let relative: boolean | undefined; // TODO in 2.0, make this a `boolean` that defaults to `true`
+	export let relative: boolean;
 	export function reset(): void;
 	export function override(paths: { base: string; assets: string }): void;
 	export function set_assets(path: string): void;

package/src/types/internal.d.ts

@@ -31,6 +31,7 @@ export interface ServerInternalModule {
 	set_assets(path: string): void;
 	set_private_env(environment: Record<string, string>): void;
 	set_public_env(environment: Record<string, string>): void;
+	set_safe_public_env(environment: Record<string, string>): void;
 	set_version(version: string): void;
 	set_fix_stack_trace(fix_stack_trace: (error: unknown) => string): void;
 }
@@ -59,6 +60,7 @@ export interface BuildData {
 		imports: string[];
 		stylesheets: string[];
 		fonts: string[];
+		uses_env_dynamic_public: boolean;
 	} | null;
 	server_manifest: import('vite').Manifest;
 }
@@ -330,10 +332,10 @@ export interface SSRNode {
 export type SSRNodeLoader = () => Promise<SSRNode>;
 
 export interface SSROptions {
+	app_dir: string;
 	app_template_contains_nonce: boolean;
 	csp: ValidatedConfig['kit']['csp'];
 	csrf_check_origin: boolean;
-	track_server_fetches: boolean;
 	embedded: boolean;
 	env_public_prefix: string;
 	env_private_prefix: string;
@@ -408,6 +410,7 @@ export interface Uses {
 	parent: boolean;
 	route: boolean;
 	url: boolean;
+	search_params: Set<string>;
 }
 
 export type ValidatedConfig = RecursiveRequired<Config>;

package/src/types/synthetic/$env+dynamic+private.md

@@ -2,6 +2,8 @@ This module provides access to runtime environment variables, as defined by the
 
 This module cannot be imported into client-side code.
 
+Dynamic environment variables cannot be used during prerendering.
+
 ```ts
 import { env } from '$env/dynamic/private';
 console.log(env.DEPLOYMENT_SPECIFIC_VARIABLE);

package/src/types/synthetic/$env+dynamic+public.md

@@ -2,6 +2,8 @@ Similar to [`$env/dynamic/private`](https://kit.svelte.dev/docs/modules#$env-dyn
 
 Note that public dynamic environment variables must all be sent from the server to the client, causing larger network requests — when possible, use `$env/static/public` instead.
 
+Dynamic environment variables cannot be used during prerendering.
+
 ```ts
 import { env } from '$env/dynamic/public';
 console.log(env.PUBLIC_DEPLOYMENT_SPECIFIC_VARIABLE);

package/src/utils/error.js

@@ -1,3 +1,5 @@
+import { HttpError, SvelteKitError } from '../runtime/control.js';
+
 /**
  * @param {unknown} err
  * @return {Error}
@@ -16,7 +18,21 @@ export function coalesce_to_error(err) {
  * @param {unknown} error
  */
 export function normalize_error(error) {
-	return /** @type {import('../runtime/control.js').Redirect | import('../runtime/control.js').HttpError | Error} */ (
+	return /** @type {import('../runtime/control.js').Redirect | HttpError | SvelteKitError | Error} */ (
 		error
 	);
 }
+
+/**
+ * @param {unknown} error
+ */
+export function get_status(error) {
+	return error instanceof HttpError || error instanceof SvelteKitError ? error.status : 500;
+}
+
+/**
+ * @param {unknown} error
+ */
+export function get_message(error) {
+	return error instanceof SvelteKitError ? error.text : 'Internal Error';
+}

package/src/utils/routing.js

@@ -91,7 +91,7 @@ export function parse_route_id(id) {
 							return '/' + result;
 						})
 						.join('')}/?$`
-			  );
+				);
 
 	return { pattern, params };
 }
@@ -214,3 +214,49 @@ function escape(str) {
 			.replace(/[.*+?^${}()|\\]/g, '\\$&')
 	);
 }
+
+const basic_param_pattern = /\[(\[)?(\.\.\.)?(\w+?)(?:=(\w+))?\]\]?/g;
+
+/**
+ * Populate a route ID with params to resolve a pathname.
+ * @example
+ * ```js
+ * resolveRoute(
+ *   `/blog/[slug]/[...somethingElse]`,
+ *   {
+ *     slug: 'hello-world',
+ *     somethingElse: 'something/else'
+ *   }
+ * ); // `/blog/hello-world/something/else`
+ * ```
+ * @param {string} id
+ * @param {Record<string, string | undefined>} params
+ * @returns {string}
+ */
+export function resolve_route(id, params) {
+	const segments = get_route_segments(id);
+	return (
+		'/' +
+		segments
+			.map((segment) =>
+				segment.replace(basic_param_pattern, (_, optional, rest, name) => {
+					const param_value = params[name];
+
+					// This is nested so TS correctly narrows the type
+					if (!param_value) {
+						if (optional) return '';
+						if (rest && param_value !== undefined) return '';
+						throw new Error(`Missing parameter '${name}' in route ${id}`);
+					}
+
+					if (param_value.startsWith('/') || param_value.endsWith('/'))
+						throw new Error(
+							`Parameter '${name}' in route ${id} cannot start or end with a slash -- this would cause an invalid route like foo//bar`
+						);
+					return param_value;
+				})
+			)
+			.filter(Boolean)
+			.join('/')
+	);
+}