fix: validate ORIGIN env var at startup#15045
Merged
teemingc merged 86 commits intosveltejs:mainfrom Feb 5, 2026
Merged
Conversation
- Add parse_origin() utility to validate and normalize origin URLs - Server now fails fast with clear error for invalid ORIGIN - Automatically normalize default ports and strip path/query/hash - Add tests for origin validation
🦋 Changeset detectedLatest commit: 52b796c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
Author
Added the changeset |
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* checkpoint * donesies * fix: lockfile * update svelte-check * add .env for test app * fix flaky test * polyfill withResolvers
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Tiny detail to make it super clear the import is for remote functions.
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
* chore: Upgrade Playwright * checkpoint, not sure what else is going wrong * i have never been so happy to see a test failure * fix lockfile maybe * fix: remove playwright * more flaky tests * fix clicknav * fix another flaky test * improve further * another clicknav usage
…tejs#14725) * improvement: expose `waitUntil` also for serverless runtime & add documentation * changeset * revert previous changes and add docs * revert previous changes * change changeset --------- Co-authored-by: Tee Ming <chewteeming01@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Tee Ming <chewteeming01@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: teemingc <54401897+teemingc@users.noreply.github.com> Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
* docs: remove `$lib` path customization Updated documentation for $lib import alias in SvelteKit. * Update documentation/docs/98-reference/26-$lib.md Co-authored-by: Tee Ming <chewteeming01@gmail.com> * chore: remove deprecated comment --------- Co-authored-by: Tee Ming <chewteeming01@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
teemingc
changed the title
teemingc
changed the title
teemingc
reviewed
Jan 6, 2026
teemingc
reviewed
Jan 6, 2026
…eltejs#15153) * add fix and test format * add unit test * changeset * add test for inlining conditionally rendered component css * format * Apply suggestion from @teemingc * Apply suggestion from @teemingc * Update css.js * handle whitespace, add some additional test cases * add failing test for assets in static dir * bump svelte * this should just work * fix lockfile * ok its working now * last fix * format * push wip * tests are passing * split tests * rename parser to parse * hoist regexes * use test.each * add test for content and comments * rename assets to paths_assets * add tests for escaped characters * add test for encoded characters * safeguard against trailing slashes * decode vite asset filenames * a bit of clean up * oops * tippex comments * tippex strings * tippex wip * harden comment and escaped character tests * account for nested app dir * bump svelte * chore: fix tippex and add test cases --------- Co-authored-by: Elliott Johnson <hello@ell.iott.dev> Co-authored-by: Rich Harris <rich.harris@vercel.com>
Co-authored-by: Elliott Johnson <hello@ell.iott.dev> Co-authored-by: Rishab49 <25582966+Rishab49@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…in package.json of public packages (sveltejs#15217)
…sveltejs#15231) * fix(kit): properly handle percent-encoded anchors during prerendering * changelog * Apply suggestion from @GauBen * improve tests --------- Co-authored-by: Elliott Johnson <hello@ell.iott.dev>
* feat: export type Picture in enhanced-img
This type is part of public api, so it should be reexported.
Otherwise users have to explicitly add "vite-imagetools", or use hacks
like `typeof import('fake.jpg?enhanced').default`
This type is needed when using `import.meta.glob`, because by default it
is getting typed as `unknown`.
* Apply suggestion from @teemingc
Co-authored-by: Tee Ming <chewteeming01@gmail.com>
* tweak
---------
Co-authored-by: Elliott Johnson <hello@ell.iott.dev>
Co-authored-by: Tee Ming <chewteeming01@gmail.com>
# Conflicts: # packages/adapter-node/tests/utils.spec.js
Contributor
elliott-with-the-longest-name-on-github
left a comment
elliott-with-the-longest-name-on-github
left a comment
There was a problem hiding this comment.
One more thing and I think we're good!
Member
|
I just wanted to say thanks and sorry for the delay! We avoided reviewing this earlier so as not to conflict with getting some security fixes out: d9ae9b0#diff-216dce32a326b5829e531e0315d25a9e5feaab9175dc9a489d3a7d498afe63d4 You were very close to fixing the security issue without knowing it 😄 |
Contributor
Author
No worries at all, security comes first! That's pretty funny that I was close to fixing it without knowing 😄 Thanks for reviewing and for building such an amazing framework, really enjoying working with SvelteKit! |
Co-authored-by: Elliott Johnson <hello@ell.iott.dev>
teemingc
approved these changes
Feb 5, 2026
Merged
Member
|
Oh man the git history was a little wonky and I forgot to fix up the merge commit description 🤦🏼 |
benmccann
pushed a commit
that referenced
this pull request
Feb 12, 2026
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @sveltejs/adapter-netlify@6.0.0 ### Major Changes - breaking: `platform.context` is now the [modern Netlify Functions (\[#15203\](#15203)) context](https://docs.netlify.com/build/functions/api/#netlify-specific-context-object) Previously, this was the [AWS Lambda-style context](https://github.com/netlify/primitives/blob/c1ae30f2745f0a73e26e83334695e205a04ab47d/packages/functions/prod/src/function/handler_context.ts). If you were using this in your app (unlikely), you will need to update your code to read from new fields. ### Minor Changes - feat: Migrate to the modern Netlify Functions API ([#15203](#15203)) The Netlify adapter now generates "v2" Netlify Functions, which uses modern standards (ESM, `Request`, `Response`) instead of the legacy "Lambda-compatible" or "v1" format. Under the hood, this greatly simplifies the adapter code and improves maintainability. For more details on features this unlocks for your SvelteKit app, see <https://developers.netlify.com/guides/migrating-to-the-modern-netlify-functions/>. - feat: allow configuring redirects in `netlify.toml` ([#15203](#15203)) The limitation of only being able to configure redirects via the `_redirects` file has been removed. ### Patch Changes - fix: populate `App.Platform` with `context` property ([#15203](#15203)) - Updated dependencies \[[`37293a5`](37293a5), [`5d05ca6`](5d05ca6), [`ed69b77`](ed69b77), [`b1fc959`](b1fc959), [`159aece`](159aece), [`c690579`](c690579), [`dc8cf2d`](dc8cf2d), [`ace2116`](ace2116), [`0f38f49`](0f38f49)]: - @sveltejs/kit@2.51.0 ## @sveltejs/kit@2.51.0 ### Minor Changes - feat: add `scroll` property to `NavigationTarget` in navigation callbacks ([#15248](#15248)) Navigation callbacks (`beforeNavigate`, `onNavigate`, and `afterNavigate`) now include scroll position information via the `scroll` property on `from` and `to` targets: - `from.scroll`: The scroll position at the moment navigation was triggered - `to.scroll`: In `beforeNavigate` and `onNavigate`, this is populated for `popstate` navigations (back/forward) with the scroll position that will be restored, and `null` for other navigation types. In `afterNavigate`, this is always the final scroll position after navigation completed. This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation. - feat: `hydratable`'s injected script now works with CSP ([#15048](#15048)) ### Patch Changes - fix: put preloads before styles ([#15232](#15232)) - fix: suppress false-positive inner content warning when children prop is forwarded to a child component ([#15269](#15269)) - fix: `fetch` not working when URL is same host but different than `paths.base` ([#15291](#15291)) - fix: navigate to hash link when base element is present ([#15236](#15236)) - fix: avoid triggering `handleError` when redirecting in a remote function ([#15222](#15222)) - fix: include `test` directory in generated `tsconfig.json` alongside existing `tests` entry ([#15254](#15254)) - fix: generate `tsconfig.json` using the value of `kit.files.src` ([#15253](#15253)) ## @sveltejs/adapter-cloudflare@7.2.7 ### Patch Changes - fix: error if `_routes.json` is in the `/static` public directory ([#12821](#12821)) - fix: correctly handle pathnames found in the `_redirects` file ([#12821](#12821)) - Updated dependencies \[[`37293a5`](37293a5), [`5d05ca6`](5d05ca6), [`ed69b77`](ed69b77), [`b1fc959`](b1fc959), [`159aece`](159aece), [`c690579`](c690579), [`dc8cf2d`](dc8cf2d), [`ace2116`](ace2116), [`0f38f49`](0f38f49)]: - @sveltejs/kit@2.51.0 ## @sveltejs/adapter-node@5.5.3 ### Patch Changes - fix: validate `ORIGIN` env var at startup ([#15045](#15045)) - chore(deps): update dependency `@rollup/plugin-commonjs` to v29 ([#14856](#14856)) - Updated dependencies \[[`37293a5`](37293a5), [`5d05ca6`](5d05ca6), [`ed69b77`](ed69b77), [`b1fc959`](b1fc959), [`159aece`](159aece), [`c690579`](c690579), [`dc8cf2d`](dc8cf2d), [`ace2116`](ace2116), [`0f38f49`](0f38f49)]: - @sveltejs/kit@2.51.0 ## @sveltejs/enhanced-img@0.10.1 ### Patch Changes - fix: replace erroneous `import.meta.DEV` with `import.meta.env.DEV` in generated code ([#15285](#15285)) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #14978
Please don't delete this checklist! Before submitting the PR, please make sure you do the following:
Tests
pnpm testand lint the project withpnpm lintandpnpm checkChangesets
pnpm changesetand following the prompts. Changesets that add features should beminorand those that fix bugs should bepatch. Please prefix changeset messages withfeat:,fix:, orchore:.Edits