Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

breaking: Remove dangerZone.trackServerFetches #11235

Merged
merged 3 commits into from
Dec 10, 2023
Merged

breaking: Remove dangerZone.trackServerFetches #11235

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
563e013
breaking: Remove and related code
elliott-with-the-longest-name-on-github Dec 8, 2023
5c91a33
changeset
elliott-with-the-longest-name-on-github Dec 8, 2023
a3a52bb
remove dangerZone per discussion
Rich-Harris Dec 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/twenty-birds-eat.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sveltejs/kit': major
---

breaking: remove `dangerZone.trackServerFetches`
4 changes: 1 addition & 3 deletions packages/kit/src/core/config/index.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,9 +69,7 @@ const get_defaults = (prefix = '') => ({
csrf: {
checkOrigin: true
},
dangerZone: {
trackServerFetches: false
},
dangerZone: {},
embedded: false,
env: {
dir: process.cwd(),
Expand Down
5 changes: 1 addition & 4 deletions packages/kit/src/core/config/options.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,10 +111,7 @@ const options = object(
checkOrigin: boolean(true)
}),

dangerZone: object({
// TODO 2.0: Remove this
trackServerFetches: boolean(false)
}),
dangerZone: object({}),

embedded: boolean(false),

Expand Down
1 change: 0 additions & 1 deletion packages/kit/src/core/sync/write_server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@ export const options = {
app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
csp: ${s(config.kit.csp)},
csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
track_server_fetches: ${s(config.kit.dangerZone.trackServerFetches)},
embedded: ${config.kit.embedded},
env_public_prefix: '${config.kit.env.publicPrefix}',
env_private_prefix: '${config.kit.env.privatePrefix}',
Expand Down
8 changes: 1 addition & 7 deletions packages/kit/src/exports/public.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,13 +346,7 @@ export interface KitConfig {
/**
* Here be dragons. Enable at your peril.
*/
dangerZone?: {
/**
* Automatically add server-side `fetch`ed URLs to the `dependencies` map of `load` functions. This will expose secrets
* to the client if your URL contains them.
*/
trackServerFetches?: boolean;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm. I wonder if we should leave this in the docs for now with a note that it was only available in 1.0 in case anyone wants to refer to what the option did in 1.0. It's kind of unfortunate that would also expose it publicly though. Maybe there's a way to merge in type declarations that are only used for generating the docs

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could always change it to trackServerFetches: never and mark it deprecated.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That probably works well enough

};
dangerZone?: Record<string, never>;
/**
* Whether or not the app is embedded inside a larger app. If `true`, SvelteKit will add its event listeners related to navigation etc on the parent of `%sveltekit.body%` instead of `window`, and will pass `params` from the server rather than inferring them from `location.pathname`.
* @default false
Expand Down
3 changes: 1 addition & 2 deletions packages/kit/src/runtime/server/data/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,8 +76,7 @@ export async function render_data(
}
}
return data;
},
track_server_fetches: options.track_server_fetches
}
});
} catch (e) {
aborted = true;
Expand Down
3 changes: 1 addition & 2 deletions packages/kit/src/runtime/server/page/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,8 +150,7 @@ export async function render_page(event, page, options, manifest, state, resolve
if (parent) Object.assign(data, await parent.data);
}
return data;
},
track_server_fetches: options.track_server_fetches
}
});
} catch (e) {
load_error = /** @type {Error} */ (e);
Expand Down
15 changes: 1 addition & 14 deletions packages/kit/src/runtime/server/page/load_data.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,18 +10,10 @@ import { validate_depends } from '../../shared.js';
* state: import('types').SSRState;
* node: import('types').SSRNode | undefined;
* parent: () => Promise<Record<string, any>>;
* track_server_fetches: boolean;
* }} opts
* @returns {Promise<import('types').ServerDataNode | null>}
*/
export async function load_server_data({
event,
state,
node,
parent,
// TODO 2.0: Remove this
track_server_fetches
}) {
export async function load_server_data({ event, state, node, parent }) {
if (!node?.server) return null;

let done = false;
Expand Down Expand Up @@ -59,11 +51,6 @@ export async function load_server_data({
);
}

// TODO 2.0: Remove this
if (track_server_fetches) {
uses.dependencies.add(url.href);
}

return event.fetch(info, init);
},
/** @param {string[]} deps */
Expand Down
3 changes: 1 addition & 2 deletions packages/kit/src/runtime/server/page/respond_with_error.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,7 @@ export async function respond_with_error({
event,
state,
node: default_layout,
parent: async () => ({}),
track_server_fetches: options.track_server_fetches
parent: async () => ({})
});

const server_data = await server_data_promise;
Expand Down
1 change: 0 additions & 1 deletion packages/kit/src/types/internal.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,7 +333,6 @@ export interface SSROptions {
app_template_contains_nonce: boolean;
csp: ValidatedConfig['kit']['csp'];
csrf_check_origin: boolean;
track_server_fetches: boolean;
embedded: boolean;
env_public_prefix: string;
env_private_prefix: string;
Expand Down
3 changes: 2 additions & 1 deletion packages/kit/test/apps/basics/test/client.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,7 +483,8 @@ test.describe('Invalidation', () => {
});

test('fetch in server load cannot be invalidated', async ({ page, app, request }) => {
// TODO 2.0: Can remove this test after `dangerZone.trackServerFetches` and associated code is removed
// legacy behavior was to track server dependencies -- this could leak secrets to the client (see github.com/sveltejs/kit/pull/9945)
// we keep this test just to make sure the behavior stays the same.
await request.get('/load/invalidation/server-fetch/count.json?reset');
await page.goto('/load/invalidation/server-fetch');
const selector = '[data-testid="count"]';
Expand Down
3 changes: 0 additions & 3 deletions packages/kit/test/apps/options/svelte.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,6 @@ const config = {
'require-trusted-types-for': ['script']
}
},
dangerZone: {
trackServerFetches: true
},
files: {
assets: 'public',
lib: 'source/components',
Expand Down
19 changes: 0 additions & 19 deletions packages/kit/test/apps/options/test/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -302,22 +302,3 @@ test.describe('Routing', () => {
await expect(page.locator('h2')).toHaveText('target: 0');
});
});

test.describe('load', () => {
// TODO 2.0: Remove this test
test('fetch in server load can be invalidated when `dangerZone.trackServerFetches` is set', async ({
page,
app,
request,
javaScriptEnabled
}) => {
test.skip(!javaScriptEnabled, 'JavaScript is disabled');
await request.get('/path-base/server-fetch-invalidate/count.json?reset');
await page.goto('/path-base/server-fetch-invalidate');
const selector = '[data-testid="count"]';

expect(await page.textContent(selector)).toBe('1');
await app.invalidate('/path-base/server-fetch-invalidate/count.json');
expect(await page.textContent(selector)).toBe('2');
});
});
Loading