@sveltejs/kit 3.0.0-next.3 → 3.0.0-next.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +17 -17
- package/src/core/adapt/builder.js +18 -4
- package/src/core/adapt/index.js +1 -4
- package/src/core/config/index.js +64 -5
- package/src/core/config/options.js +73 -21
- package/src/core/env.js +35 -4
- package/src/core/postbuild/analyse.js +8 -12
- package/src/core/postbuild/crawl.js +22 -6
- package/src/core/postbuild/prerender.js +40 -23
- package/src/core/sync/create_manifest_data/index.js +23 -5
- package/src/core/sync/write_client_manifest.js +7 -0
- package/src/core/sync/write_server.js +13 -10
- package/src/core/sync/write_tsconfig.js +2 -4
- package/src/exports/index.js +32 -10
- package/src/exports/internal/env.js +1 -1
- package/src/exports/internal/index.js +6 -5
- package/src/exports/node/index.js +57 -6
- package/src/exports/public.d.ts +218 -114
- package/src/exports/vite/build/build_server.js +6 -1
- package/src/exports/vite/dev/index.js +10 -20
- package/src/exports/vite/index.js +306 -222
- package/src/exports/vite/preview/index.js +15 -7
- package/src/exports/vite/utils.js +8 -10
- package/src/runtime/app/env/types.d.ts +1 -1
- package/src/runtime/app/forms.js +22 -5
- package/src/runtime/app/paths/client.js +1 -3
- package/src/runtime/app/paths/public.d.ts +0 -28
- package/src/runtime/app/paths/server.js +7 -3
- package/src/runtime/app/server/remote/form.js +10 -3
- package/src/runtime/app/server/remote/query.js +3 -6
- package/src/runtime/app/server/remote/requested.js +8 -4
- package/src/runtime/app/server/remote/shared.js +5 -7
- package/src/runtime/client/client.js +190 -95
- package/src/runtime/client/fetcher.js +3 -2
- package/src/runtime/client/remote-functions/form.svelte.js +134 -24
- package/src/runtime/client/remote-functions/prerender.svelte.js +8 -2
- package/src/runtime/client/remote-functions/query/index.js +3 -2
- package/src/runtime/client/remote-functions/query/instance.svelte.js +26 -10
- package/src/runtime/client/remote-functions/query-batch.svelte.js +4 -3
- package/src/runtime/client/remote-functions/query-live/instance.svelte.js +26 -9
- package/src/runtime/client/remote-functions/shared.svelte.js +17 -7
- package/src/runtime/client/types.d.ts +9 -1
- package/src/runtime/client/utils.js +1 -1
- package/src/runtime/form-utils.js +84 -16
- package/src/runtime/server/cookie.js +22 -33
- package/src/runtime/server/csrf.js +65 -0
- package/src/runtime/server/data/index.js +7 -7
- package/src/runtime/server/env_module.js +0 -5
- package/src/runtime/server/index.js +1 -1
- package/src/runtime/server/page/actions.js +41 -26
- package/src/runtime/server/page/index.js +2 -1
- package/src/runtime/server/page/render.js +21 -23
- package/src/runtime/server/page/respond_with_error.js +7 -8
- package/src/runtime/server/remote.js +64 -27
- package/src/runtime/server/respond.js +81 -50
- package/src/runtime/server/utils.js +7 -7
- package/src/runtime/telemetry/otel.js +1 -1
- package/src/types/ambient.d.ts +5 -4
- package/src/types/global-private.d.ts +4 -4
- package/src/types/internal.d.ts +8 -10
- package/src/types/private.d.ts +33 -1
- package/src/types/synthetic/$lib.md +1 -1
- package/src/utils/error.js +11 -3
- package/src/utils/shared-iterator.js +5 -0
- package/src/utils/url.js +99 -2
- package/src/version.js +1 -1
- package/types/index.d.ts +340 -186
- package/types/index.d.ts.map +10 -9
package/src/types/internal.d.ts
CHANGED
|
@@ -17,7 +17,6 @@ import {
|
|
|
17
17
|
RequestEvent,
|
|
18
18
|
SSRManifest,
|
|
19
19
|
Emulator,
|
|
20
|
-
Adapter,
|
|
21
20
|
ServerInit,
|
|
22
21
|
ClientInit,
|
|
23
22
|
Transport,
|
|
@@ -44,7 +43,6 @@ export interface ServerModule {
|
|
|
44
43
|
export interface ServerInternalModule {
|
|
45
44
|
set_assets(path: string): void;
|
|
46
45
|
set_building(): void;
|
|
47
|
-
set_env(environment: Record<string, string>): void;
|
|
48
46
|
set_manifest(manifest: SSRManifest): void;
|
|
49
47
|
set_prerendering(): void;
|
|
50
48
|
set_read_implementation(implementation: (path: string) => ReadableStream): void;
|
|
@@ -101,6 +99,9 @@ export interface BuildData {
|
|
|
101
99
|
routes?: SSRClientRoute[];
|
|
102
100
|
stylesheets: string[];
|
|
103
101
|
fonts: string[];
|
|
102
|
+
/**
|
|
103
|
+
* Whether the client uses public dynamic env vars — `$env/dynamic/public` or `$app/env/public`.
|
|
104
|
+
*/
|
|
104
105
|
uses_env_dynamic_public: boolean;
|
|
105
106
|
/** Only set in case of `bundleStrategy === 'inline'`. */
|
|
106
107
|
inline?: {
|
|
@@ -194,7 +195,7 @@ export class InternalServer extends Server {
|
|
|
194
195
|
}
|
|
195
196
|
|
|
196
197
|
export interface ManifestData {
|
|
197
|
-
/** Static files from `
|
|
198
|
+
/** Static files from `config.files.assets`. */
|
|
198
199
|
assets: Asset[];
|
|
199
200
|
hooks: {
|
|
200
201
|
client: string | null;
|
|
@@ -293,6 +294,7 @@ export interface RouteData {
|
|
|
293
294
|
|
|
294
295
|
export type ServerRedirectNode = {
|
|
295
296
|
type: 'redirect';
|
|
297
|
+
status: number;
|
|
296
298
|
location: string;
|
|
297
299
|
};
|
|
298
300
|
|
|
@@ -308,7 +310,7 @@ export type RemoteFunctionDataNode = {
|
|
|
308
310
|
/** value */
|
|
309
311
|
v?: any;
|
|
310
312
|
/** error */
|
|
311
|
-
e?:
|
|
313
|
+
e?: App.Error;
|
|
312
314
|
};
|
|
313
315
|
|
|
314
316
|
export type RemoteFunctionData = {
|
|
@@ -389,10 +391,6 @@ export interface ServerDataSkippedNode {
|
|
|
389
391
|
export interface ServerErrorNode {
|
|
390
392
|
type: 'error';
|
|
391
393
|
error: App.Error;
|
|
392
|
-
/**
|
|
393
|
-
* Only set for HttpErrors.
|
|
394
|
-
*/
|
|
395
|
-
status?: number;
|
|
396
394
|
}
|
|
397
395
|
|
|
398
396
|
export interface ServerMetadataRoute {
|
|
@@ -503,6 +501,7 @@ export interface SSROptions {
|
|
|
503
501
|
hash_routing: boolean;
|
|
504
502
|
hooks: ServerHooks;
|
|
505
503
|
link_header_preload: ValidatedConfig['kit']['output']['linkHeaderPreload'];
|
|
504
|
+
paths_origin: string | undefined;
|
|
506
505
|
root: SSRComponent['default'];
|
|
507
506
|
service_worker: boolean;
|
|
508
507
|
service_worker_options: RegistrationOptions;
|
|
@@ -604,8 +603,7 @@ export type ValidatedConfig = Config & {
|
|
|
604
603
|
extensions: string[];
|
|
605
604
|
};
|
|
606
605
|
|
|
607
|
-
|
|
608
|
-
export type ValidatedKitConfig = Omit<RecursiveRequired<KitConfig>, 'adapter'>;
|
|
606
|
+
export type ValidatedKitConfig = RecursiveRequired<KitConfig>;
|
|
609
607
|
|
|
610
608
|
export type BinaryFormMeta = {
|
|
611
609
|
remote_refreshes?: string[];
|
package/src/types/private.d.ts
CHANGED
|
@@ -61,7 +61,10 @@ export namespace Csp {
|
|
|
61
61
|
| 'unsafe-eval'
|
|
62
62
|
| 'unsafe-hashes'
|
|
63
63
|
| 'unsafe-inline'
|
|
64
|
+
| 'unsafe-allow-redirects'
|
|
65
|
+
| 'unsafe-webtransport-hashes'
|
|
64
66
|
| 'wasm-unsafe-eval'
|
|
67
|
+
| 'trusted-types-eval'
|
|
65
68
|
| 'none';
|
|
66
69
|
type CryptoSource = `${'nonce' | 'sha256' | 'sha384' | 'sha512'}-${string}`;
|
|
67
70
|
type FrameSource = HostSource | SchemeSource | 'self' | 'none';
|
|
@@ -70,7 +73,16 @@ export namespace Csp {
|
|
|
70
73
|
type HostProtocolSchemes = `${string}://` | '';
|
|
71
74
|
type HttpDelineator = '/' | '?' | '#' | '\\';
|
|
72
75
|
type PortScheme = `:${number}` | '' | ':*';
|
|
73
|
-
type SchemeSource =
|
|
76
|
+
type SchemeSource =
|
|
77
|
+
| 'http:'
|
|
78
|
+
| 'https:'
|
|
79
|
+
| 'ws:'
|
|
80
|
+
| 'wss:'
|
|
81
|
+
| 'data:'
|
|
82
|
+
| 'mediastream:'
|
|
83
|
+
| 'blob:'
|
|
84
|
+
| 'filesystem:'
|
|
85
|
+
| (`${string}:` & {});
|
|
74
86
|
type Source = HostSource | SchemeSource | CryptoSource | BaseSource;
|
|
75
87
|
type Sources = Source[];
|
|
76
88
|
}
|
|
@@ -212,6 +224,10 @@ export interface PrerenderUnseenRoutesHandler {
|
|
|
212
224
|
(details: { routes: string[]; message: string }): void;
|
|
213
225
|
}
|
|
214
226
|
|
|
227
|
+
export interface PrerenderInvalidUrlHandler {
|
|
228
|
+
(details: { href: string; referrer: string | null; message: string }): void;
|
|
229
|
+
}
|
|
230
|
+
|
|
215
231
|
export type PrerenderHttpErrorHandlerValue = 'fail' | 'warn' | 'ignore' | PrerenderHttpErrorHandler;
|
|
216
232
|
export type PrerenderMissingIdHandlerValue = 'fail' | 'warn' | 'ignore' | PrerenderMissingIdHandler;
|
|
217
233
|
export type PrerenderUnseenRoutesHandlerValue =
|
|
@@ -224,6 +240,11 @@ export type PrerenderEntryGeneratorMismatchHandlerValue =
|
|
|
224
240
|
| 'warn'
|
|
225
241
|
| 'ignore'
|
|
226
242
|
| PrerenderEntryGeneratorMismatchHandler;
|
|
243
|
+
export type PrerenderInvalidUrlHandlerValue =
|
|
244
|
+
| 'fail'
|
|
245
|
+
| 'warn'
|
|
246
|
+
| 'ignore'
|
|
247
|
+
| PrerenderInvalidUrlHandler;
|
|
227
248
|
|
|
228
249
|
export type PrerenderOption = boolean | 'auto';
|
|
229
250
|
|
|
@@ -252,3 +273,14 @@ export type DeepPartial<T> = T extends Record<PropertyKey, unknown> | unknown[]
|
|
|
252
273
|
: T | undefined;
|
|
253
274
|
|
|
254
275
|
export type IsAny<T> = 0 extends 1 & T ? true : false;
|
|
276
|
+
|
|
277
|
+
export type HasNonOptionalBoolean<T> =
|
|
278
|
+
IsAny<T> extends true
|
|
279
|
+
? never
|
|
280
|
+
: [T] extends [boolean]
|
|
281
|
+
? true
|
|
282
|
+
: T extends Array<infer U>
|
|
283
|
+
? HasNonOptionalBoolean<U>
|
|
284
|
+
: T extends Record<string, any>
|
|
285
|
+
? { [K in keyof T]: HasNonOptionalBoolean<T[K]> }[keyof T]
|
|
286
|
+
: never;
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
This is a simple alias to `src/lib`, or whatever directory is specified as [`config.
|
|
1
|
+
This is a simple alias to `src/lib`, or whatever directory is specified as [`config.files.lib`](https://svelte.dev/docs/kit/configuration#files). It allows you to access common components and utility modules without `../../../../` nonsense.
|
|
2
2
|
|
|
3
3
|
### `$lib/server`
|
|
4
4
|
|
package/src/utils/error.js
CHANGED
|
@@ -36,10 +36,18 @@ export function normalize_error(error) {
|
|
|
36
36
|
}
|
|
37
37
|
|
|
38
38
|
/**
|
|
39
|
-
* @param {
|
|
39
|
+
* @param {any} transformed
|
|
40
|
+
* @param {any} [error]
|
|
40
41
|
*/
|
|
41
|
-
export function get_status(error) {
|
|
42
|
-
|
|
42
|
+
export function get_status(transformed, error) {
|
|
43
|
+
const err = error ?? transformed;
|
|
44
|
+
const status = err instanceof HttpError || err instanceof SvelteKitError ? err.status : 500;
|
|
45
|
+
|
|
46
|
+
if (error == null || typeof transformed?.status !== 'number') {
|
|
47
|
+
return status;
|
|
48
|
+
} else {
|
|
49
|
+
return transformed.status;
|
|
50
|
+
}
|
|
43
51
|
}
|
|
44
52
|
|
|
45
53
|
/**
|
|
@@ -52,6 +52,11 @@ export class SharedIterator {
|
|
|
52
52
|
/** @type {unknown} */
|
|
53
53
|
#terminal_error = undefined;
|
|
54
54
|
|
|
55
|
+
/** Whether `done()` or `fail()` has been broadcast. */
|
|
56
|
+
get closed() {
|
|
57
|
+
return this.#closed;
|
|
58
|
+
}
|
|
59
|
+
|
|
55
60
|
/**
|
|
56
61
|
* @param {(instance: SharedIterator<T>) => (() => void)} [start]
|
|
57
62
|
*/
|
package/src/utils/url.js
CHANGED
|
@@ -1,10 +1,13 @@
|
|
|
1
1
|
import { BROWSER, DEV } from 'esm-env';
|
|
2
|
+
import { try_get_request_store } from '../exports/internal/event.js';
|
|
2
3
|
|
|
3
4
|
/**
|
|
4
5
|
* Matches a URI scheme. See https://www.rfc-editor.org/rfc/rfc3986#section-3.1
|
|
5
6
|
* @type {RegExp}
|
|
6
7
|
*/
|
|
7
|
-
export const SCHEME = /^[a-z][a-z\d+\-.]
|
|
8
|
+
export const SCHEME = /^[a-z][a-z\d+\-.]*:/i;
|
|
9
|
+
// See https://datatracker.ietf.org/doc/html/rfc2606 - no domains under the .invalid TLD can be registered
|
|
10
|
+
const REDIRECT_BASE = 'https://sveltekit-redirect.invalid';
|
|
8
11
|
|
|
9
12
|
const internal = new URL('a://');
|
|
10
13
|
|
|
@@ -27,6 +30,100 @@ export function is_root_relative(path) {
|
|
|
27
30
|
return path[0] === '/' && path[1] !== '/';
|
|
28
31
|
}
|
|
29
32
|
|
|
33
|
+
/**
|
|
34
|
+
* Whether a redirect location is absolute, i.e. not a root-relative or path-relative URL,
|
|
35
|
+
* and not pointing to the same origin as we're currently on (if determineable).
|
|
36
|
+
* @param {string} location
|
|
37
|
+
*/
|
|
38
|
+
export function is_external_location(location) {
|
|
39
|
+
const origin = BROWSER ? window.location.origin : try_get_request_store()?.event.url.origin;
|
|
40
|
+
|
|
41
|
+
try {
|
|
42
|
+
return !matches_external_allowlist_entry(location, origin ?? REDIRECT_BASE);
|
|
43
|
+
} catch {
|
|
44
|
+
return true;
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
/**
|
|
49
|
+
* @param {string} location
|
|
50
|
+
*/
|
|
51
|
+
function is_javascript_location(location) {
|
|
52
|
+
try {
|
|
53
|
+
return new URL(location, REDIRECT_BASE).protocol === 'javascript:';
|
|
54
|
+
} catch {
|
|
55
|
+
return false;
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
|
|
59
|
+
/**
|
|
60
|
+
* @param {string} location
|
|
61
|
+
* @param {string} allowed
|
|
62
|
+
*/
|
|
63
|
+
export function matches_external_allowlist_entry(location, allowed) {
|
|
64
|
+
if (location === allowed) return true;
|
|
65
|
+
|
|
66
|
+
try {
|
|
67
|
+
const allow = new URL(allowed);
|
|
68
|
+
const loc = new URL(location, allow);
|
|
69
|
+
|
|
70
|
+
// this is stricter than `loc.origin === allow.origin`, which can fail in `blob:` cases
|
|
71
|
+
return loc.protocol === allow.protocol && loc.host === allow.host;
|
|
72
|
+
} catch {
|
|
73
|
+
return false;
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
/**
|
|
78
|
+
* @param {string} location
|
|
79
|
+
* @param {{ external?: boolean | string[] }} [options]
|
|
80
|
+
*/
|
|
81
|
+
export function validate_redirect_location(location, options) {
|
|
82
|
+
if (!is_external_location(location)) return;
|
|
83
|
+
|
|
84
|
+
const external = options?.external;
|
|
85
|
+
|
|
86
|
+
if (!external) {
|
|
87
|
+
throw new Error(
|
|
88
|
+
DEV
|
|
89
|
+
? `Cannot redirect to external URL ${JSON.stringify(location)}. ` +
|
|
90
|
+
'To redirect to an external URL, pass `{ external: true }` or an allowlist of permitted origins as the third argument to `redirect`'
|
|
91
|
+
: 'Cannot redirect to external URL unless explicitly allowed'
|
|
92
|
+
);
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
if (external === true) {
|
|
96
|
+
if (is_javascript_location(location)) {
|
|
97
|
+
throw new Error(
|
|
98
|
+
DEV
|
|
99
|
+
? `Cannot redirect to ${JSON.stringify(location)} with \`{ external: true }\`. ` +
|
|
100
|
+
'The `:javascript` protocol must be explicitly listed in the `external` allowlist'
|
|
101
|
+
: 'Cannot redirect to external URL unless explicitly allowed'
|
|
102
|
+
);
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
return;
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
if (Array.isArray(external)) {
|
|
109
|
+
if (!external.some((allowed) => matches_external_allowlist_entry(location, allowed))) {
|
|
110
|
+
throw new Error(
|
|
111
|
+
DEV
|
|
112
|
+
? `Cannot redirect to ${JSON.stringify(location)}: URL origin is not included in the \`external\` allowlist`
|
|
113
|
+
: 'Cannot redirect to external URL unless explicitly allowed'
|
|
114
|
+
);
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
return;
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
throw new Error(
|
|
121
|
+
DEV
|
|
122
|
+
? '`redirect` options.external must be `true` or an array of allowed origins'
|
|
123
|
+
: 'Invalid redirect options.external value'
|
|
124
|
+
);
|
|
125
|
+
}
|
|
126
|
+
|
|
30
127
|
/**
|
|
31
128
|
* @param {string} path
|
|
32
129
|
* @param {import('types').TrailingSlash} trailing_slash
|
|
@@ -119,6 +216,7 @@ export function make_trackable(url, callback, search_params_callback, allow_hash
|
|
|
119
216
|
/**
|
|
120
217
|
* URL properties that could change during the lifetime of the page,
|
|
121
218
|
* which excludes things like `origin`
|
|
219
|
+
* @type {(keyof URL)[]}
|
|
122
220
|
*/
|
|
123
221
|
const tracked_url_properties = ['href', 'pathname', 'search', 'toString', 'toJSON'];
|
|
124
222
|
if (allow_hash) tracked_url_properties.push('hash');
|
|
@@ -127,7 +225,6 @@ export function make_trackable(url, callback, search_params_callback, allow_hash
|
|
|
127
225
|
Object.defineProperty(tracked, property, {
|
|
128
226
|
get() {
|
|
129
227
|
callback();
|
|
130
|
-
// @ts-expect-error
|
|
131
228
|
return url[property];
|
|
132
229
|
},
|
|
133
230
|
|
package/src/version.js
CHANGED