@sveltejs/kit 2.60.1 → 2.61.0

package/src/runtime/client/remote-functions/shared.svelte.js

@@ -6,7 +6,6 @@ import { HttpError, Redirect } from '@sveltejs/kit/internal';
 import { untrack } from 'svelte';
 import { create_remote_key, split_remote_key } from '../../shared.js';
 import { navigating, page } from '../state.svelte.js';
-import { noop } from '../../../utils/functions.js';
 
 /** Indicates a query function, as opposed to a query instance */
 export const QUERY_FUNCTION_ID = Symbol('sveltekit.query_function_id');
@@ -16,17 +15,65 @@ export const QUERY_OVERRIDE_KEY = Symbol('sveltekit.query_override_key');
 export const QUERY_RESOURCE_KEY = Symbol('sveltekit.query_resource_key');
 
 /**
- * @returns {boolean} Returns `true` if we are in an effect
+ * If we're inside a reactive context, pin a cache entry for as long as the
+ * surrounding effect is alive. Without this, a transiently-referenced
+ * `QueryProxy`/`LiveQueryProxy` (e.g. one produced by `{await fn()}` in a
+ * template or by `$derived(await fn())`) would be eligible for GC as soon as
+ * the awaited value has been read, after which the FinalizationRegistry
+ * would evict the cache entry — even though the consuming effect is still
+ * alive and may rely on the entry being refreshed (e.g. via `refreshAll()`
+ * or a server-initiated single-flight refresh).
+ *
+ * @template TResource
+ * @param {Map<string, Map<string, { resource: TResource }>>} cache_map
+ * @param {{ manual_ref: (entry: any, id: string, payload: string) => () => void }} cache
+ * @param {string} id
+ * @param {string} payload
  */
-export function is_in_effect() {
+export function pin_in_effect(cache_map, cache, id, payload) {
 	try {
-		$effect.pre(noop);
-		return true;
+		$effect.pre(() => {
+			const entry = cache_map.get(id)?.get(payload);
+			if (!entry) return;
+			return cache.manual_ref(entry, id, payload);
+		});
 	} catch {
-		return false;
+		// not in an effect context — nothing to pin
 	}
 }
 
+/**
+ * Wrap a proxy's `then`/`catch`/`finally` function so that the underlying
+ * cache entry stays pinned for the lifetime of the awaited promise. Without
+ * this, a proxy awaited outside any effect (e.g. in an event handler) could
+ * be GC'd between the `.then` getter returning the thenable and the
+ * underlying promise settling, causing the FinalizationRegistry to evict the
+ * cache entry mid-flight and the awaited value to resolve to Svelte's
+ * `UNINITIALIZED` sentinel from a torn-down `$derived`.
+ *
+ * @template TResource
+ * @template {(...args: any[]) => Promise<any>} TThen
+ * @param {Map<string, Map<string, { resource: TResource }>>} cache_map
+ * @param {{ manual_ref: (entry: any, id: string, payload: string) => () => void }} cache
+ * @param {string} id
+ * @param {string} payload
+ * @param {TThen} then
+ * @returns {TThen}
+ */
+export function pin_while_resolving(cache_map, cache, id, payload, then) {
+	return /** @type {TThen} */ (
+		(...a) => {
+			const entry = cache_map.get(id)?.get(payload);
+			const release = entry ? cache.manual_ref(entry, id, payload) : undefined;
+			const promise = then(...a);
+			if (release) {
+				promise.then(release, release);
+			}
+			return promise;
+		}
+	);
+}
+
 /**
  * @returns {{ 'x-sveltekit-pathname': string, 'x-sveltekit-search': string }}
  */

package/src/runtime/client/utils.js

@@ -249,7 +249,7 @@ export const updated_listener = {
 export function create_updated_store() {
 	const { set, subscribe } = writable(false);
 
-	if (DEV || !BROWSER) {
+	if (__SVELTEKIT_DEV__ || !BROWSER) {
 		return {
 			subscribe,
 			// eslint-disable-next-line @typescript-eslint/require-await

package/src/runtime/form-utils.js

@@ -145,10 +145,6 @@ export async function deserialize_binary_form(request) {
 	if (!request.body) {
 		throw deserialize_error('no body');
 	}
-	const content_length = parseInt(request.headers.get('content-length') ?? '');
-	if (Number.isNaN(content_length)) {
-		throw deserialize_error('invalid Content-Length header');
-	}
 
 	const reader = request.body.getReader();
 
@@ -228,16 +224,11 @@ export async function deserialize_binary_form(request) {
 	}
 	const header_view = new DataView(header.buffer, header.byteOffset, header.byteLength);
 	const data_length = header_view.getUint32(1, true);
-
-	if (HEADER_BYTES + data_length > content_length) {
-		throw deserialize_error('data overflow');
-	}
-
 	const file_offsets_length = header_view.getUint16(5, true);
 
-	if (HEADER_BYTES + data_length + file_offsets_length > content_length) {
-		throw deserialize_error('file offset table overflow');
-	}
+	// Validation uses embedded binary header fields (data_length, file_offsets_length)
+	// rather than Content-Length, which proxies/middleboxes may strip or corrupt.
+	// See: https://github.com/sveltejs/kit/issues/15299
 
 	// Read the form data
 	const data_buffer = await get_buffer(HEADER_BYTES, data_length);
@@ -289,9 +280,6 @@ export async function deserialize_binary_form(request) {
 			file_offsets[index] = undefined;
 
 			offset += files_start_offset;
-			if (offset + size > content_length) {
-				throw deserialize_error('file data overflow');
-			}
 
 			file_spans.push({ offset, size });
 
@@ -716,8 +704,11 @@ export function create_field_proxy(target, get_input, set_input, get_issues, pat
 							}
 						}
 
+						const value =
+							typeof input_value === 'boolean' ? (input_value ? 'on' : 'off') : input_value;
+
 						return Object.defineProperties(base_props, {
-							value: { value: input_value, enumerable: true }
+							value: { value, enumerable: true }
 						});
 					}
 

package/src/runtime/server/index.js

@@ -5,7 +5,6 @@ import { IN_WEBCONTAINER } from './constants.js';
 import { respond } from './respond.js';
 import { set_private_env, set_public_env } from '../shared-server.js';
 import { options, get_hooks } from '__SERVER__/internal.js';
-import { DEV } from 'esm-env';
 import { filter_env } from '../../utils/env.js';
 import { format_server_error } from './utils.js';
 import { set_read_implementation, set_manifest } from '__sveltekit/server';
@@ -102,7 +101,7 @@ export class Server {
 			set_read_implementation(wrapped_read);
 		}
 
-		// During DEV and for some adapters this function might be called in quick succession,
+		// During dev and for some adapters this function might be called in quick succession,
 		// so we need to make sure we're not invoking this logic (most notably the init hook) multiple times
 		await (init_promise ??= (async () => {
 			try {
@@ -141,7 +140,7 @@ export class Server {
 					await module.init();
 				}
 			} catch (e) {
-				if (DEV) {
+				if (__SVELTEKIT_DEV__) {
 					this.#options.hooks = {
 						handle: () => {
 							throw e;

package/src/runtime/server/page/actions.js

@@ -7,7 +7,7 @@ import { HttpError, Redirect, ActionFailure, SvelteKitError } from '@sveltejs/ki
 import { with_request_store, merge_tracing } from '@sveltejs/kit/internal/server';
 import { get_status, normalize_error } from '../../../utils/error.js';
 import { is_form_content_type, negotiate } from '../../../utils/http.js';
-import { handle_error_and_jsonify } from '../utils.js';
+import { create_replacer, handle_error_and_jsonify } from '../utils.js';
 import { record_span } from '../../telemetry/record_span.js';
 
 /** @param {RequestEvent} event */
@@ -301,14 +301,7 @@ function validate_action_return(data) {
  * @param {ServerHooks['transport']} transport
  */
 export function uneval_action_response(data, route_id, transport) {
-	const replacer = (/** @type {any} */ thing) => {
-		for (const key in transport) {
-			const encoded = transport[key].encode(thing);
-			if (encoded) {
-				return `app.decode('${key}', ${devalue.uneval(encoded, replacer)})`;
-			}
-		}
-	};
+	const replacer = create_replacer(transport);
 
 	return try_serialize(data, (value) => devalue.uneval(value, replacer), route_id);
 }

package/src/runtime/server/page/csp.js

@@ -1,4 +1,3 @@
-import { DEV } from 'esm-env';
 import { escape_html } from '../../../utils/escape.js';
 import { sha256 } from './crypto.js';
 
@@ -87,7 +86,7 @@ class BaseProvider {
 	 */
 	constructor(use_hashes, directives, nonce) {
 		this.#use_hashes = use_hashes;
-		this.#directives = DEV ? { ...directives } : directives; // clone in dev so we can safely mutate
+		this.#directives = __SVELTEKIT_DEV__ ? { ...directives } : directives; // clone in dev so we can safely mutate
 
 		const d = this.#directives;
 
@@ -103,7 +102,7 @@ class BaseProvider {
 		const style_src_attr = d['style-src-attr'];
 		const style_src_elem = d['style-src-elem'];
 
-		if (DEV) {
+		if (__SVELTEKIT_DEV__) {
 			// remove strict-dynamic in dev...
 			// TODO reinstate this if we can figure out how to make strict-dynamic work
 			// if (d['default-src']) {
@@ -164,7 +163,7 @@ class BaseProvider {
 
 		this.#script_needs_csp = this.#script_src_needs_csp || this.#script_src_elem_needs_csp;
 		this.#style_needs_csp =
-			!DEV &&
+			!__SVELTEKIT_DEV__ &&
 			(this.#style_src_needs_csp ||
 				this.#style_src_attr_needs_csp ||
 				this.#style_src_elem_needs_csp);

package/src/runtime/server/page/render.js

@@ -15,7 +15,12 @@ import { create_server_routing_response, generate_route_object } from './server_
 import { add_resolution_suffix } from '../../pathname.js';
 import { try_get_request_store, with_request_store } from '@sveltejs/kit/internal/server';
 import { text_encoder } from '../../utils.js';
-import { count_non_ssi_comments, get_global_name, handle_error_and_jsonify } from '../utils.js';
+import {
+	count_non_ssi_comments,
+	create_replacer,
+	get_global_name,
+	handle_error_and_jsonify
+} from '../utils.js';
 import { create_remote_key } from '../../shared.js';
 import { get_status } from '../../../utils/error.js';
 
@@ -302,13 +307,15 @@ export async function render_response({
 		return `${assets}/${path}`;
 	};
 
-	// inline styles can come from `bundleStrategy: 'inline'` or `inlineStyleThreshold`
 	const style = client.inline
 		? client.inline?.style
 		: Array.from(inline_styles.values()).join('\n');
 
 	if (style) {
-		const attributes = DEV ? ['data-sveltekit'] : [];
+		// We always inline all styles to avoid FOUC during development.
+		// Once that's accomplished, we find and remove the style node using the
+		// `data-sveltekit` attribute once CSR kicks in
+		const attributes = __SVELTEKIT_DEV__ ? ['data-sveltekit'] : [];
 		if (csp.style_needs_nonce) attributes.push(`nonce="${csp.nonce}"`);
 		csp.add_style(style);
 		head.add_style(style, attributes);
@@ -557,15 +564,7 @@ export async function render_response({
 				}
 			}
 
-			// TODO this is repeated in a few places — dedupe it
-			const replacer = (/** @type {any} */ thing) => {
-				for (const key in options.hooks.transport) {
-					const encoded = options.hooks.transport[key].encode(thing);
-					if (encoded) {
-						return `app.decode('${key}', ${devalue.uneval(encoded, replacer)})`;
-					}
-				}
-			};
+			const replacer = create_replacer(options.hooks.transport);
 
 			if (Object.keys(query).length > 0) {
 				serialized_query_data = `${global}.query = ${devalue.uneval(query, replacer)};\n\n\t\t\t\t\t\t`;
@@ -605,10 +604,10 @@ export async function render_response({
 		}
 
 		if (options.service_worker) {
-			let opts = DEV ? ", { type: 'module' }" : '';
+			let opts = __SVELTEKIT_DEV__ ? ", { type: 'module' }" : '';
 			if (options.service_worker_options != null) {
 				const service_worker_options = { ...options.service_worker_options };
-				if (DEV) {
+				if (__SVELTEKIT_DEV__) {
 					service_worker_options.type = 'module';
 				}
 				opts = `, ${s(service_worker_options)}`;

package/src/runtime/server/respond.js

@@ -40,8 +40,6 @@ import { get_remote_id, handle_remote_call } from './remote.js';
 import { record_span } from '../telemetry/record_span.js';
 import { otel } from '../telemetry/otel.js';
 
-/* global __SVELTEKIT_ADAPTER_NAME__ */
-
 /** @type {import('types').RequiredResolveOptions['transformPageChunk']} */
 const default_transform = ({ html }) => html;
 
@@ -153,7 +151,8 @@ export async function internal_respond(request, options, manifest, state) {
 			refreshes: null,
 			requested: null,
 			reconnects: null,
-			batches: null
+			batches: null,
+			live_iterators: null
 		},
 		is_in_remote_function: false,
 		is_in_render: false,
@@ -228,6 +227,7 @@ export async function internal_respond(request, options, manifest, state) {
 		});
 	}
 
+	/** @type {string | null} */
 	let resolved_path = url.pathname;
 
 	if (!remote_id) {
@@ -249,10 +249,24 @@ export async function internal_respond(request, options, manifest, state) {
 		}
 	}
 
+	/** @type {import('types').RequiredResolveOptions} */
+	let resolve_opts = {
+		transformPageChunk: default_transform,
+		filterSerializedResponseHeaders: default_filter,
+		preload: default_preload
+	};
+
+	/** @type {import('types').TrailingSlash} */
+	let trailing_slash = 'never';
+
+	/** @type {PageNodes | undefined} */
+	let page_nodes;
+
 	try {
 		resolved_path = decode_pathname(resolved_path);
 	} catch {
-		return text('Malformed URI', { status: 400 });
+		resolved_path = null;
+		return await handle();
 	}
 
 	// try to serve the rerouted prerendered resource if it exists
@@ -326,19 +340,8 @@ export async function internal_respond(request, options, manifest, state) {
 		}
 	}
 
-	/** @type {import('types').RequiredResolveOptions} */
-	let resolve_opts = {
-		transformPageChunk: default_transform,
-		filterSerializedResponseHeaders: default_filter,
-		preload: default_preload
-	};
-
-	/** @type {import('types').TrailingSlash} */
-	let trailing_slash = 'never';
-
 	try {
-		/** @type {PageNodes | undefined} */
-		const page_nodes = route?.page
+		page_nodes = route?.page
 			? new PageNodes(await load_page_nodes(route.page, manifest))
 			: undefined;
 
@@ -393,16 +396,36 @@ export async function internal_respond(request, options, manifest, state) {
 					prerender = page_nodes.prerender();
 				}
 
-				if (state.before_handle) {
-					state.before_handle(event, config, prerender);
-				}
-
 				if (state.emulator?.platform) {
 					event.platform = await state.emulator.platform({ config, prerender });
 				}
+
+				if (state.before_handle) {
+					return await state.before_handle(event, config, prerender, handle);
+				}
+			}
+		}
+
+		return await handle();
+	} catch (e) {
+		if (e instanceof Redirect) {
+			try {
+				const response =
+					is_data_request || remote_id
+						? redirect_json_response(e)
+						: route?.page && is_action_json_request(event)
+							? action_json_redirect(e)
+							: redirect_response(e.status, e.location);
+				add_cookies_to_headers(response.headers, new_cookies.values());
+				return response;
+			} catch (err) {
+				return await handle_fatal_error(event, event_state, options, err);
 			}
 		}
+		return await handle_fatal_error(event, event_state, options, e);
+	}
 
+	async function handle() {
 		set_trailing_slash(trailing_slash);
 
 		if (state.prerendering && !state.prerendering.fallback && !state.prerendering.inside_reroute) {
@@ -518,22 +541,6 @@ export async function internal_respond(request, options, manifest, state) {
 		}
 
 		return response;
-	} catch (e) {
-		if (e instanceof Redirect) {
-			try {
-				const response =
-					is_data_request || remote_id
-						? redirect_json_response(e)
-						: route?.page && is_action_json_request(event)
-							? action_json_redirect(e)
-							: redirect_response(e.status, e.location);
-				add_cookies_to_headers(response.headers, new_cookies.values());
-				return response;
-			} catch (err) {
-				return await handle_fatal_error(event, event_state, options, err);
-			}
-		}
-		return await handle_fatal_error(event, event_state, options, e);
 	}
 
 	/**
@@ -551,6 +558,23 @@ export async function internal_respond(request, options, manifest, state) {
 				};
 			}
 
+			if (resolved_path === null) {
+				return await respond_with_error({
+					event,
+					event_state,
+					options,
+					manifest,
+					state,
+					status: 400,
+					error: new SvelteKitError(
+						400,
+						'Malformed URI',
+						`Failed to decode URI: ${event.url.pathname}`
+					),
+					resolve_opts
+				});
+			}
+
 			if (options.hash_routing || state.prerendering?.fallback) {
 				return await render_response({
 					event,

package/src/runtime/server/utils.js

@@ -1,3 +1,5 @@
+/** @import { ServerHooks } from 'types' */
+import * as devalue from 'devalue';
 import { DEV } from 'esm-env';
 import { json, text } from '@sveltejs/kit';
 import { HttpError } from '@sveltejs/kit/internal';
@@ -40,7 +42,7 @@ export function allowed_methods(mod) {
  * @param {import('types').SSROptions} options
  */
 export function get_global_name(options) {
-	return DEV ? '__sveltekit_dev' : `__sveltekit_${options.version_hash}`;
+	return __SVELTEKIT_DEV__ ? '__sveltekit_dev' : `__sveltekit_${options.version_hash}`;
 }
 
 /**
@@ -53,7 +55,7 @@ export function get_global_name(options) {
 export function static_error_page(options, status, message) {
 	let page = options.templates.error({ status, message: escape_html(message) });
 
-	if (DEV) {
+	if (__SVELTEKIT_DEV__) {
 		// inject Vite HMR client, for easier debugging
 		page = page.replace('</head>', '<script type="module" src="/@vite/client"></script></head>');
 	}
@@ -103,7 +105,7 @@ export async function handle_error_and_jsonify(event, state, options, error) {
 		return { message: 'Unknown Error', ...error.body };
 	}
 
-	if (DEV && typeof error == 'object') {
+	if (__SVELTEKIT_DEV__ && typeof error == 'object') {
 		fix_stack_trace(error);
 	}
 
@@ -261,3 +263,21 @@ export function get_node_type(node_id) {
 export function count_non_ssi_comments(str) {
 	return (str.match(/<!--(?!#)/g) ?? []).length;
 }
+
+/**
+ * Creates a serialiser for non-arbitrary POJOs using the app's transport hook
+ * @param {ServerHooks['transport']} transport
+ * @returns {(thing: unknown) => string | undefined}
+ */
+export function create_replacer(transport) {
+	/** @param {unknown} thing */
+	const replacer = (thing) => {
+		for (const key in transport) {
+			const encoded = transport[key].encode(thing);
+			if (encoded) {
+				return `app.decode('${key}', ${devalue.uneval(encoded, replacer)})`;
+			}
+		}
+	};
+	return replacer;
+}

package/src/types/global-private.d.ts

@@ -3,6 +3,11 @@ declare global {
 	const __SVELTEKIT_APP_DIR__: string;
 	const __SVELTEKIT_APP_VERSION_FILE__: string;
 	const __SVELTEKIT_APP_VERSION_POLL_INTERVAL__: number;
+	/**
+	 * True if the user ran `vite dev`. This is different from `esm-env` because
+	 * it is influenced by `NODE_ENV` which can still be true during `vite preview`
+	 */
+	const __SVELTEKIT_DEV__: boolean;
 	const __SVELTEKIT_EMBEDDED__: boolean;
 	const __SVELTEKIT_PATHS_ASSETS__: string;
 	const __SVELTEKIT_PATHS_BASE__: string;

package/src/types/internal.d.ts

@@ -35,6 +35,7 @@ import {
 } from './private.js';
 import { Span } from '@opentelemetry/api';
 import type { PageOptions } from '../exports/vite/static_analysis/index.js';
+import { SharedIterator } from '../utils/shared-iterator.js';
 
 export interface ServerModule {
 	Server: typeof InternalServer;
@@ -179,9 +180,15 @@ export class InternalServer extends Server {
 		request: Request,
 		options: RequestOptions & {
 			prerendering?: PrerenderOptions;
-			read: (file: string) => NonSharedBuffer;
-			/** A hook called before `handle` during dev, so that `AsyncLocalStorage` can be populated. */
-			before_handle?: (event: RequestEvent, config: any, prerender: PrerenderOption) => void;
+			/** @internal for saving dependencies during prerendering and generating fallback pages */
+			read: (file: string) => Buffer<ArrayBuffer>;
+			/** @internal used during development to check feature availability depending on the current route */
+			before_handle?: (
+				event: RequestEvent,
+				config: any,
+				prerender: PrerenderOption,
+				handle: () => Promise<Response>
+			) => Promise<Response>;
 			emulator?: Emulator;
 		}
 	): Promise<Response>;
@@ -469,7 +476,10 @@ export interface SSRNode {
 	universal_id?: string;
 	server_id?: string;
 
-	/** inlined styles */
+	/**
+	 * During development, all styles are inlined for the page to avoid FOUC.
+	 * But in production, this stores styles that are below the inline threshold
+	 */
 	inline_styles?(): MaybePromise<
 		Record<string, string | ((assets: string, base: string) => string)>
 	>;
@@ -565,12 +575,18 @@ export interface SSRState {
 	 * prerender option is inherited by the endpoint, unless overridden.
 	 */
 	prerender_default?: PrerenderOption;
-	read?: (file: string) => NonSharedBuffer;
+	/** @internal reads from the filesystem when user code tries to fetch a static asset */
+	read?: (file: string) => Buffer<ArrayBuffer>;
 	/**
 	 * Used to set up `__SVELTEKIT_TRACK__` which checks if a used feature is supported.
 	 * E.g. if `read` from `$app/server` is used, it checks whether the route's config is compatible.
 	 */
-	before_handle?: (event: RequestEvent, config: any, prerender: PrerenderOption) => void;
+	before_handle?: (
+		event: RequestEvent,
+		config: any,
+		prerender: PrerenderOption,
+		handle: () => Promise<Response>
+	) => Promise<Response>;
 	emulator?: Emulator;
 }
 
@@ -718,6 +734,13 @@ export interface RequestState {
 				}
 			>
 		>;
+		/**
+		 * A per-request cache of shared live-query iterators, keyed by remote id
+		 * and stringified argument payload. Used so that multiple `for await`
+		 * consumers of the same `query.live` call within one request multiplex a
+		 * single underlying user generator.
+		 */
+		live_iterators: null | Map<string, SharedIterator<any>>;
 	};
 	readonly is_in_remote_function: boolean;
 	readonly is_in_render: boolean;

package/src/utils/routing.js

@@ -3,6 +3,8 @@ import { decode_params } from './url.js';
 
 const param_pattern = /^(\[)?(\.\.\.)?(\w+)(?:=(\w+))?(\])?$/;
 
+const root_group_pattern = /^\/\((?:.+)\)$/;
+
 /**
  * Creates the regex pattern, extracts parameter names, and generates types for a route
  * @param {string} id
@@ -12,7 +14,7 @@ export function parse_route_id(id) {
 	const params = [];
 
 	const pattern =
-		id === '/'
+		id === '/' || root_group_pattern.test(id)
 			? /^\/$/
 			: new RegExp(
 					`^${get_route_segments(id)