@sveltejs/kit 3.0.0-next.3 → 3.0.0-next.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/package.json +17 -17
  2. package/src/core/adapt/builder.js +18 -4
  3. package/src/core/adapt/index.js +1 -4
  4. package/src/core/config/index.js +64 -5
  5. package/src/core/config/options.js +73 -21
  6. package/src/core/env.js +35 -4
  7. package/src/core/postbuild/analyse.js +8 -12
  8. package/src/core/postbuild/crawl.js +22 -6
  9. package/src/core/postbuild/prerender.js +40 -23
  10. package/src/core/sync/create_manifest_data/index.js +23 -5
  11. package/src/core/sync/write_client_manifest.js +7 -0
  12. package/src/core/sync/write_server.js +13 -10
  13. package/src/core/sync/write_tsconfig.js +2 -4
  14. package/src/exports/index.js +32 -10
  15. package/src/exports/internal/env.js +1 -1
  16. package/src/exports/internal/index.js +6 -5
  17. package/src/exports/node/index.js +57 -6
  18. package/src/exports/public.d.ts +218 -114
  19. package/src/exports/vite/build/build_server.js +6 -1
  20. package/src/exports/vite/dev/index.js +10 -20
  21. package/src/exports/vite/index.js +306 -222
  22. package/src/exports/vite/preview/index.js +15 -7
  23. package/src/exports/vite/utils.js +8 -10
  24. package/src/runtime/app/env/types.d.ts +1 -1
  25. package/src/runtime/app/forms.js +22 -5
  26. package/src/runtime/app/paths/client.js +1 -3
  27. package/src/runtime/app/paths/public.d.ts +0 -28
  28. package/src/runtime/app/paths/server.js +7 -3
  29. package/src/runtime/app/server/remote/form.js +10 -3
  30. package/src/runtime/app/server/remote/query.js +3 -6
  31. package/src/runtime/app/server/remote/requested.js +8 -4
  32. package/src/runtime/app/server/remote/shared.js +5 -7
  33. package/src/runtime/client/client.js +190 -95
  34. package/src/runtime/client/fetcher.js +3 -2
  35. package/src/runtime/client/remote-functions/form.svelte.js +134 -24
  36. package/src/runtime/client/remote-functions/prerender.svelte.js +8 -2
  37. package/src/runtime/client/remote-functions/query/index.js +3 -2
  38. package/src/runtime/client/remote-functions/query/instance.svelte.js +26 -10
  39. package/src/runtime/client/remote-functions/query-batch.svelte.js +4 -3
  40. package/src/runtime/client/remote-functions/query-live/instance.svelte.js +26 -9
  41. package/src/runtime/client/remote-functions/shared.svelte.js +17 -7
  42. package/src/runtime/client/types.d.ts +9 -1
  43. package/src/runtime/client/utils.js +1 -1
  44. package/src/runtime/form-utils.js +84 -16
  45. package/src/runtime/server/cookie.js +22 -33
  46. package/src/runtime/server/csrf.js +65 -0
  47. package/src/runtime/server/data/index.js +7 -7
  48. package/src/runtime/server/env_module.js +0 -5
  49. package/src/runtime/server/index.js +1 -1
  50. package/src/runtime/server/page/actions.js +41 -26
  51. package/src/runtime/server/page/index.js +2 -1
  52. package/src/runtime/server/page/render.js +21 -23
  53. package/src/runtime/server/page/respond_with_error.js +7 -8
  54. package/src/runtime/server/remote.js +64 -27
  55. package/src/runtime/server/respond.js +81 -50
  56. package/src/runtime/server/utils.js +7 -7
  57. package/src/runtime/telemetry/otel.js +1 -1
  58. package/src/types/ambient.d.ts +5 -4
  59. package/src/types/global-private.d.ts +4 -4
  60. package/src/types/internal.d.ts +8 -10
  61. package/src/types/private.d.ts +33 -1
  62. package/src/types/synthetic/$lib.md +1 -1
  63. package/src/utils/error.js +11 -3
  64. package/src/utils/shared-iterator.js +5 -0
  65. package/src/utils/url.js +99 -2
  66. package/src/version.js +1 -1
  67. package/types/index.d.ts +340 -186
  68. package/types/index.d.ts.map +10 -9
@@ -17,7 +17,6 @@ import {
17
17
  RequestEvent,
18
18
  SSRManifest,
19
19
  Emulator,
20
- Adapter,
21
20
  ServerInit,
22
21
  ClientInit,
23
22
  Transport,
@@ -44,7 +43,6 @@ export interface ServerModule {
44
43
  export interface ServerInternalModule {
45
44
  set_assets(path: string): void;
46
45
  set_building(): void;
47
- set_env(environment: Record<string, string>): void;
48
46
  set_manifest(manifest: SSRManifest): void;
49
47
  set_prerendering(): void;
50
48
  set_read_implementation(implementation: (path: string) => ReadableStream): void;
@@ -101,6 +99,9 @@ export interface BuildData {
101
99
  routes?: SSRClientRoute[];
102
100
  stylesheets: string[];
103
101
  fonts: string[];
102
+ /**
103
+ * Whether the client uses public dynamic env vars — `$env/dynamic/public` or `$app/env/public`.
104
+ */
104
105
  uses_env_dynamic_public: boolean;
105
106
  /** Only set in case of `bundleStrategy === 'inline'`. */
106
107
  inline?: {
@@ -194,7 +195,7 @@ export class InternalServer extends Server {
194
195
  }
195
196
 
196
197
  export interface ManifestData {
197
- /** Static files from `kit.config.files.assets`. */
198
+ /** Static files from `config.files.assets`. */
198
199
  assets: Asset[];
199
200
  hooks: {
200
201
  client: string | null;
@@ -293,6 +294,7 @@ export interface RouteData {
293
294
 
294
295
  export type ServerRedirectNode = {
295
296
  type: 'redirect';
297
+ status: number;
296
298
  location: string;
297
299
  };
298
300
 
@@ -308,7 +310,7 @@ export type RemoteFunctionDataNode = {
308
310
  /** value */
309
311
  v?: any;
310
312
  /** error */
311
- e?: [status: number, error: any];
313
+ e?: App.Error;
312
314
  };
313
315
 
314
316
  export type RemoteFunctionData = {
@@ -389,10 +391,6 @@ export interface ServerDataSkippedNode {
389
391
  export interface ServerErrorNode {
390
392
  type: 'error';
391
393
  error: App.Error;
392
- /**
393
- * Only set for HttpErrors.
394
- */
395
- status?: number;
396
394
  }
397
395
 
398
396
  export interface ServerMetadataRoute {
@@ -503,6 +501,7 @@ export interface SSROptions {
503
501
  hash_routing: boolean;
504
502
  hooks: ServerHooks;
505
503
  link_header_preload: ValidatedConfig['kit']['output']['linkHeaderPreload'];
504
+ paths_origin: string | undefined;
506
505
  root: SSRComponent['default'];
507
506
  service_worker: boolean;
508
507
  service_worker_options: RegistrationOptions;
@@ -604,8 +603,7 @@ export type ValidatedConfig = Config & {
604
603
  extensions: string[];
605
604
  };
606
605
 
607
- // TODO: remove the omit in 4.0
608
- export type ValidatedKitConfig = Omit<RecursiveRequired<KitConfig>, 'adapter'>;
606
+ export type ValidatedKitConfig = RecursiveRequired<KitConfig>;
609
607
 
610
608
  export type BinaryFormMeta = {
611
609
  remote_refreshes?: string[];
@@ -61,7 +61,10 @@ export namespace Csp {
61
61
  | 'unsafe-eval'
62
62
  | 'unsafe-hashes'
63
63
  | 'unsafe-inline'
64
+ | 'unsafe-allow-redirects'
65
+ | 'unsafe-webtransport-hashes'
64
66
  | 'wasm-unsafe-eval'
67
+ | 'trusted-types-eval'
65
68
  | 'none';
66
69
  type CryptoSource = `${'nonce' | 'sha256' | 'sha384' | 'sha512'}-${string}`;
67
70
  type FrameSource = HostSource | SchemeSource | 'self' | 'none';
@@ -70,7 +73,16 @@ export namespace Csp {
70
73
  type HostProtocolSchemes = `${string}://` | '';
71
74
  type HttpDelineator = '/' | '?' | '#' | '\\';
72
75
  type PortScheme = `:${number}` | '' | ':*';
73
- type SchemeSource = 'http:' | 'https:' | 'data:' | 'mediastream:' | 'blob:' | 'filesystem:';
76
+ type SchemeSource =
77
+ | 'http:'
78
+ | 'https:'
79
+ | 'ws:'
80
+ | 'wss:'
81
+ | 'data:'
82
+ | 'mediastream:'
83
+ | 'blob:'
84
+ | 'filesystem:'
85
+ | (`${string}:` & {});
74
86
  type Source = HostSource | SchemeSource | CryptoSource | BaseSource;
75
87
  type Sources = Source[];
76
88
  }
@@ -212,6 +224,10 @@ export interface PrerenderUnseenRoutesHandler {
212
224
  (details: { routes: string[]; message: string }): void;
213
225
  }
214
226
 
227
+ export interface PrerenderInvalidUrlHandler {
228
+ (details: { href: string; referrer: string | null; message: string }): void;
229
+ }
230
+
215
231
  export type PrerenderHttpErrorHandlerValue = 'fail' | 'warn' | 'ignore' | PrerenderHttpErrorHandler;
216
232
  export type PrerenderMissingIdHandlerValue = 'fail' | 'warn' | 'ignore' | PrerenderMissingIdHandler;
217
233
  export type PrerenderUnseenRoutesHandlerValue =
@@ -224,6 +240,11 @@ export type PrerenderEntryGeneratorMismatchHandlerValue =
224
240
  | 'warn'
225
241
  | 'ignore'
226
242
  | PrerenderEntryGeneratorMismatchHandler;
243
+ export type PrerenderInvalidUrlHandlerValue =
244
+ | 'fail'
245
+ | 'warn'
246
+ | 'ignore'
247
+ | PrerenderInvalidUrlHandler;
227
248
 
228
249
  export type PrerenderOption = boolean | 'auto';
229
250
 
@@ -252,3 +273,14 @@ export type DeepPartial<T> = T extends Record<PropertyKey, unknown> | unknown[]
252
273
  : T | undefined;
253
274
 
254
275
  export type IsAny<T> = 0 extends 1 & T ? true : false;
276
+
277
+ export type HasNonOptionalBoolean<T> =
278
+ IsAny<T> extends true
279
+ ? never
280
+ : [T] extends [boolean]
281
+ ? true
282
+ : T extends Array<infer U>
283
+ ? HasNonOptionalBoolean<U>
284
+ : T extends Record<string, any>
285
+ ? { [K in keyof T]: HasNonOptionalBoolean<T[K]> }[keyof T]
286
+ : never;
@@ -1,4 +1,4 @@
1
- This is a simple alias to `src/lib`, or whatever directory is specified as [`config.kit.files.lib`](https://svelte.dev/docs/kit/configuration#files). It allows you to access common components and utility modules without `../../../../` nonsense.
1
+ This is a simple alias to `src/lib`, or whatever directory is specified as [`config.files.lib`](https://svelte.dev/docs/kit/configuration#files). It allows you to access common components and utility modules without `../../../../` nonsense.
2
2
 
3
3
  ### `$lib/server`
4
4
 
@@ -36,10 +36,18 @@ export function normalize_error(error) {
36
36
  }
37
37
 
38
38
  /**
39
- * @param {unknown} error
39
+ * @param {any} transformed
40
+ * @param {any} [error]
40
41
  */
41
- export function get_status(error) {
42
- return error instanceof HttpError || error instanceof SvelteKitError ? error.status : 500;
42
+ export function get_status(transformed, error) {
43
+ const err = error ?? transformed;
44
+ const status = err instanceof HttpError || err instanceof SvelteKitError ? err.status : 500;
45
+
46
+ if (error == null || typeof transformed?.status !== 'number') {
47
+ return status;
48
+ } else {
49
+ return transformed.status;
50
+ }
43
51
  }
44
52
 
45
53
  /**
@@ -52,6 +52,11 @@ export class SharedIterator {
52
52
  /** @type {unknown} */
53
53
  #terminal_error = undefined;
54
54
 
55
+ /** Whether `done()` or `fail()` has been broadcast. */
56
+ get closed() {
57
+ return this.#closed;
58
+ }
59
+
55
60
  /**
56
61
  * @param {(instance: SharedIterator<T>) => (() => void)} [start]
57
62
  */
package/src/utils/url.js CHANGED
@@ -1,10 +1,13 @@
1
1
  import { BROWSER, DEV } from 'esm-env';
2
+ import { try_get_request_store } from '../exports/internal/event.js';
2
3
 
3
4
  /**
4
5
  * Matches a URI scheme. See https://www.rfc-editor.org/rfc/rfc3986#section-3.1
5
6
  * @type {RegExp}
6
7
  */
7
- export const SCHEME = /^[a-z][a-z\d+\-.]+:/i;
8
+ export const SCHEME = /^[a-z][a-z\d+\-.]*:/i;
9
+ // See https://datatracker.ietf.org/doc/html/rfc2606 - no domains under the .invalid TLD can be registered
10
+ const REDIRECT_BASE = 'https://sveltekit-redirect.invalid';
8
11
 
9
12
  const internal = new URL('a://');
10
13
 
@@ -27,6 +30,100 @@ export function is_root_relative(path) {
27
30
  return path[0] === '/' && path[1] !== '/';
28
31
  }
29
32
 
33
+ /**
34
+ * Whether a redirect location is absolute, i.e. not a root-relative or path-relative URL,
35
+ * and not pointing to the same origin as we're currently on (if determineable).
36
+ * @param {string} location
37
+ */
38
+ export function is_external_location(location) {
39
+ const origin = BROWSER ? window.location.origin : try_get_request_store()?.event.url.origin;
40
+
41
+ try {
42
+ return !matches_external_allowlist_entry(location, origin ?? REDIRECT_BASE);
43
+ } catch {
44
+ return true;
45
+ }
46
+ }
47
+
48
+ /**
49
+ * @param {string} location
50
+ */
51
+ function is_javascript_location(location) {
52
+ try {
53
+ return new URL(location, REDIRECT_BASE).protocol === 'javascript:';
54
+ } catch {
55
+ return false;
56
+ }
57
+ }
58
+
59
+ /**
60
+ * @param {string} location
61
+ * @param {string} allowed
62
+ */
63
+ export function matches_external_allowlist_entry(location, allowed) {
64
+ if (location === allowed) return true;
65
+
66
+ try {
67
+ const allow = new URL(allowed);
68
+ const loc = new URL(location, allow);
69
+
70
+ // this is stricter than `loc.origin === allow.origin`, which can fail in `blob:` cases
71
+ return loc.protocol === allow.protocol && loc.host === allow.host;
72
+ } catch {
73
+ return false;
74
+ }
75
+ }
76
+
77
+ /**
78
+ * @param {string} location
79
+ * @param {{ external?: boolean | string[] }} [options]
80
+ */
81
+ export function validate_redirect_location(location, options) {
82
+ if (!is_external_location(location)) return;
83
+
84
+ const external = options?.external;
85
+
86
+ if (!external) {
87
+ throw new Error(
88
+ DEV
89
+ ? `Cannot redirect to external URL ${JSON.stringify(location)}. ` +
90
+ 'To redirect to an external URL, pass `{ external: true }` or an allowlist of permitted origins as the third argument to `redirect`'
91
+ : 'Cannot redirect to external URL unless explicitly allowed'
92
+ );
93
+ }
94
+
95
+ if (external === true) {
96
+ if (is_javascript_location(location)) {
97
+ throw new Error(
98
+ DEV
99
+ ? `Cannot redirect to ${JSON.stringify(location)} with \`{ external: true }\`. ` +
100
+ 'The `:javascript` protocol must be explicitly listed in the `external` allowlist'
101
+ : 'Cannot redirect to external URL unless explicitly allowed'
102
+ );
103
+ }
104
+
105
+ return;
106
+ }
107
+
108
+ if (Array.isArray(external)) {
109
+ if (!external.some((allowed) => matches_external_allowlist_entry(location, allowed))) {
110
+ throw new Error(
111
+ DEV
112
+ ? `Cannot redirect to ${JSON.stringify(location)}: URL origin is not included in the \`external\` allowlist`
113
+ : 'Cannot redirect to external URL unless explicitly allowed'
114
+ );
115
+ }
116
+
117
+ return;
118
+ }
119
+
120
+ throw new Error(
121
+ DEV
122
+ ? '`redirect` options.external must be `true` or an array of allowed origins'
123
+ : 'Invalid redirect options.external value'
124
+ );
125
+ }
126
+
30
127
  /**
31
128
  * @param {string} path
32
129
  * @param {import('types').TrailingSlash} trailing_slash
@@ -119,6 +216,7 @@ export function make_trackable(url, callback, search_params_callback, allow_hash
119
216
  /**
120
217
  * URL properties that could change during the lifetime of the page,
121
218
  * which excludes things like `origin`
219
+ * @type {(keyof URL)[]}
122
220
  */
123
221
  const tracked_url_properties = ['href', 'pathname', 'search', 'toString', 'toJSON'];
124
222
  if (allow_hash) tracked_url_properties.push('hash');
@@ -127,7 +225,6 @@ export function make_trackable(url, callback, search_params_callback, allow_hash
127
225
  Object.defineProperty(tracked, property, {
128
226
  get() {
129
227
  callback();
130
- // @ts-expect-error
131
228
  return url[property];
132
229
  },
133
230
 
package/src/version.js CHANGED
@@ -1,4 +1,4 @@
1
1
  // generated during release, do not modify
2
2
 
3
3
  /** @type {string} */
4
- export const VERSION = '3.0.0-next.3';
4
+ export const VERSION = '3.0.0-next.6';