fix: throw on external links in resolve#15733
Merged
elliott-with-the-longest-name-on-github merged 1 commit intoApr 21, 2026
Merged
fix: throw on external links in resolve#15733elliott-with-the-longest-name-on-github merged 1 commit into
resolve#15733elliott-with-the-longest-name-on-github merged 1 commit into
Conversation
🦋 Changeset detectedLatest commit: 3aea3eb The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
|
||
| /** @type {import('./client.js').resolve} */ | ||
| export function resolve(id, params) { | ||
| if (!id.startsWith('/')) { |
Contributor
There was a problem hiding this comment.
The resolve() function fails to reject protocol-relative URLs like //example.com/foo, allowing them to be mangled instead of throwing an error.
teemingc
approved these changes
Apr 21, 2026
ee8047b
into
main
29 checks passed
This was referenced Apr 20, 2026
Merged
elliott-with-the-longest-name-on-github
pushed a commit
that referenced
this pull request
Apr 23, 2026
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated. # Releases ## @sveltejs/kit@2.58.0 ### Minor Changes - breaking: require `limit` in `requested` (as originally intended) ([#15739](#15739)) - feat: `RemoteQueryFunction` gains an optional third generic parameter `Validated` (defaulting to `Input`) that represents the argument type after schema validation/transformation ([#15739](#15739)) - breaking: `requested` now yields `{ arg, query }` entries instead of the validated argument ([#15739](#15739)) ### Patch Changes - fix: allow `query().current`, `.error`, `.loading`, and `.ready` to work in non-reactive contexts ([#15699](#15699)) - fix: prevent `deep_set` crash on nullish nested values ([#15600](#15600)) - fix: restore correct `RemoteFormFields` typing for nullable array fields (e.g. when a schema uses `.default([])`), so `.as('checkbox')` and friends work again ([#15723](#15723)) - fix: don't warn about removed SSI comments in `transformPageChunk` ([#15695](#15695)) Server-side include (SSI) directives like `<!--#include virtual="..." -->` are HTML comments that are replaced by servers such as nginx. Previously, removing them in `transformPageChunk` would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with `<!--#` and Svelte's hydration comments never do, they can be safely excluded from the check. - Change enhance function return type from void to MaybePromise<void>. ([#15710](#15710)) - fix: throw an error when `resolve` is called with an external URL ([#15733](#15733)) - fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts ([#15718](#15718)) - fix: reset form result on redirect ([#15724](#15724)) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
stickerdaniel
added a commit
to stickerdaniel/saas-starter
that referenced
this pull request
May 1, 2026
- Patch oxlint-plugin-convex@0.1.1 to import definePlugin/defineRule from @oxlint/plugins (oxlint moved them out of its main entry point starting in 1.45 — see oxc-project/oxc#18828) - Drop resolve('#') in team-two.svelte; sveltekit 2.58 made resolve() strict and rejects non-absolute paths (sveltejs/kit#15733) - Ignore varlock-generated env types in eslint (varlock 0.9 emits @ts-nocheck, tripping ban-ts-comment) - Drop now-stale eslint-disable directives surfaced by typescript-eslint See also: juliusmarminge/agent-tools#26
stickerdaniel
added a commit
to stickerdaniel/saas-starter
that referenced
this pull request
May 1, 2026
* fix(deps): update all non-major dependencies * fix(deps): unblock CI on oxlint 1.45+ and sveltekit 2.58 - Patch oxlint-plugin-convex@0.1.1 to import definePlugin/defineRule from @oxlint/plugins (oxlint moved them out of its main entry point starting in 1.45 — see oxc-project/oxc#18828) - Drop resolve('#') in team-two.svelte; sveltekit 2.58 made resolve() strict and rejects non-absolute paths (sveltejs/kit#15733) - Ignore varlock-generated env types in eslint (varlock 0.9 emits @ts-nocheck, tripping ban-ts-comment) - Drop now-stale eslint-disable directives surfaced by typescript-eslint See also: juliusmarminge/agent-tools#26 --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Daniel Sticker <daniel.sticker@rwth-aachen.de>
stickerdaniel
added a commit
to stickerdaniel/saas-starter
that referenced
this pull request
Jun 3, 2026
* fix(deps): update all non-major dependencies * fix(deps): unblock CI on oxlint 1.45+ and sveltekit 2.58 - Patch oxlint-plugin-convex@0.1.1 to import definePlugin/defineRule from @oxlint/plugins (oxlint moved them out of its main entry point starting in 1.45 — see oxc-project/oxc#18828) - Drop resolve('#') in team-two.svelte; sveltekit 2.58 made resolve() strict and rejects non-absolute paths (sveltejs/kit#15733) - Ignore varlock-generated env types in eslint (varlock 0.9 emits @ts-nocheck, tripping ban-ts-comment) - Drop now-stale eslint-disable directives surfaced by typescript-eslint See also: juliusmarminge/agent-tools#26 --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Daniel Sticker <daniel.sticker@rwth-aachen.de>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #15714
resolveshould not accept external links; the whole point of it is to resolve internal links.