npm - svelte-realtime - Versions diffs - 0.1.4 → 0.1.5 - Mend

svelte-realtime 0.1.4 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/client.js CHANGED Viewed

@@ -22,6 +22,12 @@ export class RpcError extends Error {
 const _idPrefix = Math.random().toString(36).slice(2, 6);
 let idCounter = 0;
+/** Generate a unique correlation ID, wrapping the counter before exceeding safe integer range */
+function _nextId() {
+	if (idCounter >= 0x1FFFFFFFFFFFFF) idCounter = 0;
+	return _idPrefix + (idCounter++).toString(36);
+}
 /** @type {Array<{ rpc: string, id: string, args: any[] }> | null} */
 let _batchCollector = null;
@@ -160,7 +166,7 @@ function _sendRpc(path, args) {
 		});
 	}
-	const id = _idPrefix + (idCounter++).toString(36);
+	const id = _nextId();
 	// If inside a batch() call, collect instead of sending
 	if (_batchCollector) {
@@ -201,7 +207,7 @@ export function __binaryRpc(path) {
 		ensureListener();
 		ensureDisconnectListener();
-		const id = _idPrefix + (idCounter++).toString(36);
+		const id = _nextId();
 		_devtoolsStart(path, id, args);
 		const conn = _connect();
@@ -238,6 +244,9 @@ export function __binaryRpc(path) {
 /** @type {Map<string, { store: any, refCount: number }>} */
 const _streamCache = new Map();
+/** Hard cap on cached stream instances to prevent memory exhaustion */
+const _STREAM_CACHE_MAX = 1000;
 /**
  * Create a reactive stream store for a given path.
  * Used by generated client stubs.
@@ -268,6 +277,17 @@ export function __stream(path, options, isDynamic) {
 			const store = _createStream(path, options, args);
 			// Capture the original subscribe once, before wrapping
 			const rawSubscribe = store.subscribe.bind(store);
+			// Evict idle entries (refCount 0) if cache is at capacity
+			if (_streamCache.size >= _STREAM_CACHE_MAX) {
+				for (const [k, v] of _streamCache) {
+					if (v.refCount <= 0) {
+						_streamCache.delete(k);
+						if (_streamCache.size < _STREAM_CACHE_MAX) break;
+					}
+				}
+			}
 			_streamCache.set(cacheKey, { store, refCount: 0 });
 			// Wrap subscribe to track ref count and clean up cache on last unsubscribe
@@ -549,7 +569,7 @@ function _createStream(path, options, dynamicArgs) {
 		ensureListener();
 		ensureDisconnectListener();
-		const id = _idPrefix + (idCounter++).toString(36);
+		const id = _nextId();
 		pendingId = id;
 		const conn = _connect();
@@ -791,7 +811,7 @@ function _createStream(path, options, dynamicArgs) {
 			_loadingMore = true;
 			ensureListener();
-			const id = _idPrefix + (idCounter++).toString(36);
+			const id = _nextId();
 			const conn = _connect();
 			return new Promise((resolve, reject) => {
@@ -1114,6 +1134,18 @@ export function batch(fn, options) {
 	if (collected.length === 0) return Promise.resolve([]);
+	if (collected.length > 50) {
+		for (const call of collected) {
+			const entry = pending.get(call.id);
+			if (entry) {
+				pending.delete(call.id);
+				if (entry.timer) clearTimeout(entry.timer);
+				entry.reject(new RpcError('INVALID_REQUEST', 'Batch exceeds maximum of 50 calls'));
+			}
+		}
+		return Promise.reject(new RpcError('INVALID_REQUEST', 'Batch exceeds maximum of 50 calls'));
+	}
 	// Set a batch-level timeout
 	const batchTimer = setTimeout(() => {
 		for (const call of collected) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "svelte-realtime",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Realtime RPC and reactive subscriptions for SvelteKit, built on svelte-adapter-uws",
   "author": "Kevin Radziszewski",
   "license": "MIT",

package/server.js CHANGED Viewed

@@ -284,6 +284,9 @@ const _rateLimits = new Map();
 /** @type {number} */
 let _rateLimitLastSweep = Date.now();
+/** Hard cap on rate limit buckets to prevent memory exhaustion */
+const _RATE_LIMIT_MAX = 5000;
 /**
  * Declarative per-function rate limiting.
  * Wraps a live() function with a sliding window rate limiter.
@@ -301,23 +304,19 @@ live.rateLimit = function rateLimit(config, fn) {
 		const bucketKey = /** @type {any} */ (wrapper).__rateLimitPath + '\0' + userKey;
 		const now = Date.now();
-		// Lazy sweep: prune stale entries, but limit work per sweep
-		if (now - _rateLimitLastSweep > 60000) {
+		// Lazy sweep: prune stale entries every 30s, sweep all entries
+		if (now - _rateLimitLastSweep > 30000) {
 			_rateLimitLastSweep = now;
-			if (_rateLimits.size > 0) {
-				const maxSweep = Math.max(200, _rateLimits.size >> 2);
-				let swept = 0;
-				for (const [k, bucket] of _rateLimits) {
-					if (now - bucket.windowStart >= windowMs * 2) {
-						_rateLimits.delete(k);
-					}
-					if (++swept >= maxSweep) break;
+			for (const [k, bucket] of _rateLimits) {
+				if (now - bucket.windowStart >= windowMs * 2) {
+					_rateLimits.delete(k);
 				}
 			}
 		}
-		if (_rateLimits.size > 10000) {
-			let excess = _rateLimits.size - 10000;
+		// Hard cap: evict oldest entries (Map iteration order = insertion order)
+		if (_rateLimits.size > _RATE_LIMIT_MAX) {
+			let excess = _rateLimits.size - _RATE_LIMIT_MAX;
 			for (const k of _rateLimits.keys()) {
 				if (excess-- <= 0) break;
 				_rateLimits.delete(k);
@@ -1475,7 +1474,11 @@ export function handleRpc(ws, data, platform, options) {
 					_executeBinaryRpc(ws, header, payload, platform, options);
 					return true;
 				}
-			} catch {}
+			} catch (err) {
+				if (typeof process !== 'undefined' && process.env?.NODE_ENV !== 'production') {
+					console.warn('[svelte-realtime] Failed to parse binary RPC header:', err);
+				}
+			}
 		}
 		return false;
 	}
@@ -2030,6 +2033,9 @@ function _runWithMiddleware(ctx, handler) {
 // -- Throttle / Debounce infrastructure ----------------------------------------
+/** Hard cap on throttle/debounce entries to prevent memory exhaustion */
+const _THROTTLE_DEBOUNCE_MAX = 5000;
 /** @type {Map<string, { timer: ReturnType<typeof setTimeout>, lastData: any, lastEvent: string, platform: any, lastRun: number }>} */
 const _throttles = new Map();
@@ -2052,6 +2058,13 @@ function _throttlePublish(platform, topic, event, data, ms) {
 	const now = Date.now();
 	if (!existing) {
+		// Hard cap: evict oldest entry if at limit
+		if (_throttles.size >= _THROTTLE_DEBOUNCE_MAX) {
+			const oldest = _throttles.keys().next().value;
+			const entry = _throttles.get(oldest);
+			if (entry) clearTimeout(entry.timer);
+			_throttles.delete(oldest);
+		}
 		// First call -- publish immediately, set up trailing edge
 		platform.publish(topic, event, data);
 		_throttles.set(key, {
@@ -2089,6 +2102,13 @@ function _debouncePublish(platform, topic, event, data, ms) {
 	const existing = _debounces.get(key);
 	if (existing) clearTimeout(existing);
+	// Hard cap: evict oldest entry if at limit
+	if (!existing && _debounces.size >= _THROTTLE_DEBOUNCE_MAX) {
+		const oldest = _debounces.keys().next().value;
+		clearTimeout(_debounces.get(oldest));
+		_debounces.delete(oldest);
+	}
 	_debounces.set(key, setTimeout(() => {
 		_debounces.delete(key);
 		platform.publish(topic, event, data);
@@ -2157,9 +2177,11 @@ function _respond(ws, platform, correlationId, payload) {
 				`[svelte-realtime] RPC response was not delivered (backpressure or closed connection)`
 			);
 		}
-	} catch {
-		// uWS throws when accessing a closed WebSocket — silently discard.
-		// This is expected when the client disconnects mid-RPC.
+	} catch (err) {
+		// uWS throws when accessing a closed WebSocket -- expected during mid-RPC disconnect.
+		if (typeof process !== 'undefined' && process.env?.NODE_ENV !== 'production') {
+			console.warn(`[svelte-realtime] RPC response for '${correlationId}' could not be delivered (client likely disconnected)`);
+		}
 	}
 }

package/vite.js CHANGED Viewed

@@ -315,28 +315,32 @@ function _generateSsrStubs(filePath, modulePath) {
 		}
 	}
+	// Escape paths for safe embedding in generated code
+	const safePath = JSON.stringify(normalized);
+	const safeModulePath = (name) => JSON.stringify(modulePath + '/' + name);
 	// If no store-like exports, simple re-export
 	if (storeNames.length === 0) {
-		return `export * from '${normalized}';\n`;
+		return `export * from ${safePath};\n`;
 	}
 	// Re-export non-stream exports, wrap store-like exports in readable() for SSR $ prefix support
 	const lines = [
 		`import { readable } from 'svelte/store';`,
 		`import { __directCall } from 'svelte-realtime/server';`,
-		`export * from '${normalized}';`
+		`export * from ${safePath};`
 	];
 	for (const name of storeNames) {
 		if (dynamicNames.has(name)) {
 			// Dynamic stream: return a readable store from a function so name(args) works during SSR
 			lines.push(`const _${name} = (...args) => readable(undefined);`);
-			lines.push(`_${name}.load = (platform, options) => __directCall('${modulePath}/${name}', options?.args || [], platform, options);`);
+			lines.push(`_${name}.load = (platform, options) => __directCall(${safeModulePath(name)}, options?.args || [], platform, options);`);
 			lines.push(`export { _${name} as ${name} };`);
 		} else {
 			// Static stream: plain readable store
 			lines.push(`const _${name} = readable(undefined);`);
-			lines.push(`_${name}.load = (platform, options) => __directCall('${modulePath}/${name}', options?.args || [], platform, options);`);
+			lines.push(`_${name}.load = (platform, options) => __directCall(${safeModulePath(name)}, options?.args || [], platform, options);`);
 			lines.push(`export { _${name} as ${name} };`);
 		}
 	}