svelte-realtime 0.1.4 → 0.1.6

package/client.js

@@ -4,6 +4,14 @@ import { writable } from 'svelte/store';
 
 const _textEncoder = new TextEncoder();
 
+/**
+ * RAF-based event batching for high-frequency streams (cursors, presence).
+ * In the browser, incoming pub/sub events are queued and flushed once per
+ * animation frame, reducing Svelte reactive updates from N-per-event to
+ * 1-per-frame. In Node/SSR, events apply synchronously (no DOM to protect).
+ */
+const _useRAF = typeof window !== 'undefined' && typeof requestAnimationFrame === 'function';
+
 /**
  * Typed error for RPC failures.
  */
@@ -22,6 +30,12 @@ export class RpcError extends Error {
 const _idPrefix = Math.random().toString(36).slice(2, 6);
 let idCounter = 0;
 
+/** Generate a unique correlation ID, wrapping the counter before exceeding safe integer range */
+function _nextId() {
+	if (idCounter >= 0x1FFFFFFFFFFFFF) idCounter = 0;
+	return _idPrefix + (idCounter++).toString(36);
+}
+
 /** @type {Array<{ rpc: string, id: string, args: any[] }> | null} */
 let _batchCollector = null;
 
@@ -160,7 +174,7 @@ function _sendRpc(path, args) {
 		});
 	}
 
-	const id = _idPrefix + (idCounter++).toString(36);
+	const id = _nextId();
 
 	// If inside a batch() call, collect instead of sending
 	if (_batchCollector) {
@@ -201,7 +215,7 @@ export function __binaryRpc(path) {
 		ensureListener();
 		ensureDisconnectListener();
 
-		const id = _idPrefix + (idCounter++).toString(36);
+		const id = _nextId();
 
 		_devtoolsStart(path, id, args);
 		const conn = _connect();
@@ -238,6 +252,9 @@ export function __binaryRpc(path) {
 /** @type {Map<string, { store: any, refCount: number }>} */
 const _streamCache = new Map();
 
+/** Hard cap on cached stream instances to prevent memory exhaustion */
+const _STREAM_CACHE_MAX = 1000;
+
 /**
  * Create a reactive stream store for a given path.
  * Used by generated client stubs.
@@ -268,6 +285,17 @@ export function __stream(path, options, isDynamic) {
 			const store = _createStream(path, options, args);
 			// Capture the original subscribe once, before wrapping
 			const rawSubscribe = store.subscribe.bind(store);
+
+			// Evict idle entries (refCount 0) if cache is at capacity
+			if (_streamCache.size >= _STREAM_CACHE_MAX) {
+				for (const [k, v] of _streamCache) {
+					if (v.refCount <= 0) {
+						_streamCache.delete(k);
+						if (_streamCache.size < _STREAM_CACHE_MAX) break;
+					}
+				}
+			}
+
 			_streamCache.set(cacheKey, { store, refCount: 0 });
 
 			// Wrap subscribe to track ref count and clean up cache on last unsubscribe
@@ -515,18 +543,49 @@ function _createStream(path, options, dynamicArgs) {
 		return false;
 	}
 
+	/** @type {Array<{ event: string, data: any }>} Queued events waiting for next animation frame */
+	let _eventQueue = [];
+
+	/** @type {number | null} */
+	let _rafId = null;
+
 	/**
-	 * Apply a single pub/sub event to the current value using the merge strategy.
-	 * Creates a new array reference for Svelte reactivity only when needed.
-	 * @param {{ event: string, data: any }} envelope
+	 * Flush all queued events in a single batch, then update the store once.
+	 * Reduces reactive updates from N-per-event to 1-per-frame.
 	 */
-	function applyEvent(envelope) {
-		const replaced = _applyMerge(envelope);
-		if (!replaced && Array.isArray(currentValue)) currentValue = currentValue.slice();
+	function _flushEvents() {
+		_rafId = null;
+		if (_eventQueue.length === 0) return;
+		const queue = _eventQueue;
+		_eventQueue = [];
+		for (let i = 0; i < queue.length; i++) {
+			_applyMerge(queue[i]);
+		}
+		if (Array.isArray(currentValue)) currentValue = currentValue.slice();
 		store.set(currentValue);
 		_recordHistory();
 	}
 
+	/**
+	 * Apply a pub/sub event to the store. In the browser, events are queued
+	 * and flushed once per animation frame to reduce reactive updates from
+	 * N-per-event to 1-per-frame. In Node/SSR, events apply immediately.
+	 * @param {{ event: string, data: any }} envelope
+	 */
+	function applyEvent(envelope) {
+		if (_useRAF) {
+			_eventQueue.push(envelope);
+			if (_rafId === null) {
+				_rafId = requestAnimationFrame(_flushEvents);
+			}
+		} else {
+			const replaced = _applyMerge(envelope);
+			if (!replaced && Array.isArray(currentValue)) currentValue = currentValue.slice();
+			store.set(currentValue);
+			_recordHistory();
+		}
+	}
+
 	/**
 	 * Fetch initial data and subscribe to live updates.
 	 */
@@ -549,7 +608,7 @@ function _createStream(path, options, dynamicArgs) {
 		ensureListener();
 		ensureDisconnectListener();
 
-		const id = _idPrefix + (idCounter++).toString(36);
+		const id = _nextId();
 		pendingId = id;
 		const conn = _connect();
 
@@ -696,6 +755,11 @@ function _createStream(path, options, dynamicArgs) {
 			clearTimeout(_reconnectTimer);
 			_reconnectTimer = null;
 		}
+		if (_rafId !== null) {
+			cancelAnimationFrame(_rafId);
+			_rafId = null;
+		}
+		_eventQueue = [];
 		topic = null;
 		initialLoaded = false;
 		fetching = false;
@@ -791,7 +855,7 @@ function _createStream(path, options, dynamicArgs) {
 			_loadingMore = true;
 
 			ensureListener();
-			const id = _idPrefix + (idCounter++).toString(36);
+			const id = _nextId();
 			const conn = _connect();
 
 			return new Promise((resolve, reject) => {
@@ -1114,6 +1178,18 @@ export function batch(fn, options) {
 
 	if (collected.length === 0) return Promise.resolve([]);
 
+	if (collected.length > 50) {
+		for (const call of collected) {
+			const entry = pending.get(call.id);
+			if (entry) {
+				pending.delete(call.id);
+				if (entry.timer) clearTimeout(entry.timer);
+				entry.reject(new RpcError('INVALID_REQUEST', 'Batch exceeds maximum of 50 calls'));
+			}
+		}
+		return Promise.reject(new RpcError('INVALID_REQUEST', 'Batch exceeds maximum of 50 calls'));
+	}
+
 	// Set a batch-level timeout
 	const batchTimer = setTimeout(() => {
 		for (const call of collected) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svelte-realtime",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Realtime RPC and reactive subscriptions for SvelteKit, built on svelte-adapter-uws",
   "author": "Kevin Radziszewski",
   "license": "MIT",

package/server.js

@@ -284,6 +284,9 @@ const _rateLimits = new Map();
 /** @type {number} */
 let _rateLimitLastSweep = Date.now();
 
+/** Hard cap on rate limit buckets to prevent memory exhaustion */
+const _RATE_LIMIT_MAX = 5000;
+
 /**
  * Declarative per-function rate limiting.
  * Wraps a live() function with a sliding window rate limiter.
@@ -301,23 +304,19 @@ live.rateLimit = function rateLimit(config, fn) {
 		const bucketKey = /** @type {any} */ (wrapper).__rateLimitPath + '\0' + userKey;
 		const now = Date.now();
 
-		// Lazy sweep: prune stale entries, but limit work per sweep
-		if (now - _rateLimitLastSweep > 60000) {
+		// Lazy sweep: prune stale entries every 30s, sweep all entries
+		if (now - _rateLimitLastSweep > 30000) {
 			_rateLimitLastSweep = now;
-			if (_rateLimits.size > 0) {
-				const maxSweep = Math.max(200, _rateLimits.size >> 2);
-				let swept = 0;
-				for (const [k, bucket] of _rateLimits) {
-					if (now - bucket.windowStart >= windowMs * 2) {
-						_rateLimits.delete(k);
-					}
-					if (++swept >= maxSweep) break;
+			for (const [k, bucket] of _rateLimits) {
+				if (now - bucket.windowStart >= windowMs * 2) {
+					_rateLimits.delete(k);
 				}
 			}
 		}
 
-		if (_rateLimits.size > 10000) {
-			let excess = _rateLimits.size - 10000;
+		// Hard cap: evict oldest entries (Map iteration order = insertion order)
+		if (_rateLimits.size > _RATE_LIMIT_MAX) {
+			let excess = _rateLimits.size - _RATE_LIMIT_MAX;
 			for (const k of _rateLimits.keys()) {
 				if (excess-- <= 0) break;
 				_rateLimits.delete(k);
@@ -1475,7 +1474,11 @@ export function handleRpc(ws, data, platform, options) {
 					_executeBinaryRpc(ws, header, payload, platform, options);
 					return true;
 				}
-			} catch {}
+			} catch (err) {
+				if (typeof process !== 'undefined' && process.env?.NODE_ENV !== 'production') {
+					console.warn('[svelte-realtime] Failed to parse binary RPC header:', err);
+				}
+			}
 		}
 		return false;
 	}
@@ -2030,6 +2033,9 @@ function _runWithMiddleware(ctx, handler) {
 
 // -- Throttle / Debounce infrastructure ----------------------------------------
 
+/** Hard cap on throttle/debounce entries to prevent memory exhaustion */
+const _THROTTLE_DEBOUNCE_MAX = 5000;
+
 /** @type {Map<string, { timer: ReturnType<typeof setTimeout>, lastData: any, lastEvent: string, platform: any, lastRun: number }>} */
 const _throttles = new Map();
 
@@ -2052,6 +2058,13 @@ function _throttlePublish(platform, topic, event, data, ms) {
 	const now = Date.now();
 
 	if (!existing) {
+		// Hard cap: evict oldest entry if at limit
+		if (_throttles.size >= _THROTTLE_DEBOUNCE_MAX) {
+			const oldest = _throttles.keys().next().value;
+			const entry = _throttles.get(oldest);
+			if (entry) clearTimeout(entry.timer);
+			_throttles.delete(oldest);
+		}
 		// First call -- publish immediately, set up trailing edge
 		platform.publish(topic, event, data);
 		_throttles.set(key, {
@@ -2089,6 +2102,13 @@ function _debouncePublish(platform, topic, event, data, ms) {
 	const existing = _debounces.get(key);
 	if (existing) clearTimeout(existing);
 
+	// Hard cap: evict oldest entry if at limit
+	if (!existing && _debounces.size >= _THROTTLE_DEBOUNCE_MAX) {
+		const oldest = _debounces.keys().next().value;
+		clearTimeout(_debounces.get(oldest));
+		_debounces.delete(oldest);
+	}
+
 	_debounces.set(key, setTimeout(() => {
 		_debounces.delete(key);
 		platform.publish(topic, event, data);
@@ -2157,9 +2177,11 @@ function _respond(ws, platform, correlationId, payload) {
 				`[svelte-realtime] RPC response was not delivered (backpressure or closed connection)`
 			);
 		}
-	} catch {
-		// uWS throws when accessing a closed WebSocket — silently discard.
-		// This is expected when the client disconnects mid-RPC.
+	} catch (err) {
+		// uWS throws when accessing a closed WebSocket -- expected during mid-RPC disconnect.
+		if (typeof process !== 'undefined' && process.env?.NODE_ENV !== 'production') {
+			console.warn(`[svelte-realtime] RPC response for '${correlationId}' could not be delivered (client likely disconnected)`);
+		}
 	}
 }
 

package/vite.js

@@ -315,28 +315,32 @@ function _generateSsrStubs(filePath, modulePath) {
 		}
 	}
 
+	// Escape paths for safe embedding in generated code
+	const safePath = JSON.stringify(normalized);
+	const safeModulePath = (name) => JSON.stringify(modulePath + '/' + name);
+
 	// If no store-like exports, simple re-export
 	if (storeNames.length === 0) {
-		return `export * from '${normalized}';\n`;
+		return `export * from ${safePath};\n`;
 	}
 
 	// Re-export non-stream exports, wrap store-like exports in readable() for SSR $ prefix support
 	const lines = [
 		`import { readable } from 'svelte/store';`,
 		`import { __directCall } from 'svelte-realtime/server';`,
-		`export * from '${normalized}';`
+		`export * from ${safePath};`
 	];
 
 	for (const name of storeNames) {
 		if (dynamicNames.has(name)) {
 			// Dynamic stream: return a readable store from a function so name(args) works during SSR
 			lines.push(`const _${name} = (...args) => readable(undefined);`);
-			lines.push(`_${name}.load = (platform, options) => __directCall('${modulePath}/${name}', options?.args || [], platform, options);`);
+			lines.push(`_${name}.load = (platform, options) => __directCall(${safeModulePath(name)}, options?.args || [], platform, options);`);
 			lines.push(`export { _${name} as ${name} };`);
 		} else {
 			// Static stream: plain readable store
 			lines.push(`const _${name} = readable(undefined);`);
-			lines.push(`_${name}.load = (platform, options) => __directCall('${modulePath}/${name}', options?.args || [], platform, options);`);
+			lines.push(`_${name}.load = (platform, options) => __directCall(${safeModulePath(name)}, options?.args || [], platform, options);`);
 			lines.push(`export { _${name} as ${name} };`);
 		}
 	}