feat: streaming support

[harlan-zw]

🔗 Linked issue

#396

❓ Type of change

• 📖 Documentation (updates to the documentation or readme)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality)
• ✨ New feature (a non-breaking change that adds functionality)
• 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Updates head tags dynamically as suspense boundaries resolve during streaming SSR.

How it works

The streaming system uses a queue-based pattern where the server renders head entries (title, meta, links) and immediately renders them as inline <script> tags that push data to a global queue.

On the client side, a bootstrap script creates a queue (window.__unhead__) that collects these entries as they stream in before the main JavaScript bundle loads. Once the client head instance initializes, it processes all queued entries and takes over future pushes directly.

This approach solves the race condition between streaming chunks arriving and client JS loading, ensuring no head entries are ever lost regardless of timing and allows unhead core to dedupe and sort as needed.

1. Shell injects queue stub

<script>window.__unhead__={_q:[],push(e){this._q.push(e)}}</script>

2. Suspense chunks push updates

<!-- as each boundary resolves -->
<script>window.__unhead__.push([{title:"Reviews"}])</script>

3. IIFE consumes queue & renders to DOM

// consumes _q, creates head instance, applies to DOM
const queue = window.__unhead__
for (const entries of queue._q)
  head.push(entries)
head.render()

Example (Vue)

// vite.config.ts
import { unheadVuePlugin } from '@unhead/vue/stream/vite'

export default defineConfig({
  plugins: [vue(), unheadVuePlugin()],
})

// entry-server.ts
import { renderToWebStream } from 'vue/server-renderer'
import { createStreamableHead } from '@unhead/vue/stream/server'

export async function render(url: string, template: string) {
  const { app, router } = createApp()
  const { head, wrapStream } = createStreamableHead()

  app.use(head)
  router.push(url)
  await router.isReady()

  return wrapStream(renderToWebStream(app), template)
}

// entry-client.ts
import { createStreamableHead } from '@unhead/vue/stream/client'

const head = createStreamableHead()
app.use(head)

Documentation

• Vue Streaming
• React Streaming
• Solid.js Streaming
• Svelte Streaming
• TypeScript Streaming

Related PRs

• ⚠️ fix(unhead)!: sync resolve tag engine #619 (includes hookable v6)
• ⚠️ perf(unhead)!: composable resolveTags() #622
• ⚠️ fix!: sync renderDOMHead() #628
• fix: pure unhead core #632
• ⚠️ fix!: sync renderSSRHead() #629

[github-actions]

Bundle Size Analysis

Bundle	Size	Gzipped
Client (Minimal)	0.2 kB	0.2 kB
Server (Minimal)	0.3 kB	0.2 kB
Vue Client (Minimal)	0.3 kB	0.2 kB
Vue Server (Minimal)	0.3 kB	0.2 kB

[harlan-zw]

@birkskyum in the works fyi

[birkskyum]

@harlan-zw sounds good - looking forward to react and solid support for this, as streaming is a must-have for adoption.

[harlan-zw]

This is mostly working for react I just don't fully understand how the suspense boundaries are being resolved and can't hook in

[MatthieuStadelmann]

Hi @harlan-zw!
Any update on the status of this PR?

In general, the way to fix this problem is to introduce rate limiting for the HTTP routes that perform expensive operations, using a middleware such as express-rate-limit. The middleware should be applied before the relevant route handler so that excessive requests from any given client are rejected or delayed, preventing the server from being overwhelmed by repeated expensive work (like filesystem access).

For this specific file, the best minimal fix is to add express-rate-limit and use it as middleware on the app instance before the catch‑all app.use(async (req, res) => { ... }) handler. We will:

1. Import or require express-rate-limit at the top of the file (while preserving existing imports).
2. Create a limiter instance (for example, 100 requests per 15 minutes per IP, matching the background example) after the Express app is created (const app = express()).
3. Apply app.use(limiter) before the main app.use(async (req, res) => { ... }) handler, so all incoming requests are subject to rate limiting.

All changes will be confined to examples/vite-ssr-svelte-streaming/server.js. We will not alter existing logic around Vite, template rendering, or streaming; only add the import, limiter definition, and app.use(limiter) line.

---

In general, to fix missing rate limiting in an Express application, you introduce a rate-limiting middleware (for example, express-rate-limit) and apply it to the relevant routes or the whole app. The middleware enforces a maximum number of requests from a given client within a time window, helping protect expensive handlers from abuse and DoS.

For this file, the best fix with minimal behavioral change is:

• Import and configure a rate limiter once at the top level.
• Apply the rate limiter middleware only to the expensive HTML-serving route, i.e., the app.use('*all', async (req, res) => { ... }) handler, rather than globally, to avoid unintended side effects on other middleware such as Vite or static serving.
• Keep the existing handler logic unchanged; only wrap it with the limiter.

Concretely:

1. Add an import (or require) for a well-known rate limiting library. Since this file uses ES module syntax (import), we can use dynamic import inside an async IIFE or top-level await. However, the instructions allow adding imports of well-known external libraries, and the file already uses top-level await for fs.readFile and dynamic import for vite, compression, and sirv, so we can follow the same pattern: dynamically import express-rate-limit when setting up the app.

2. Define a limiter instance, e.g.:

   const { default: rateLimit } = await import('express-rate-limit')
   const ssrLimiter = rateLimit({
     windowMs: 15 * 60 * 1000,
     max: 100,
   })

   or equivalent.

3. Apply ssrLimiter to the SSR route by changing:

   app.use('*all', async (req, res) => {

   to:

   app.use('*all', ssrLimiter, async (req, res) => {

   This ensures that rate limiting is enforced before the expensive operations in this handler while leaving other middleware behavior intact.

All changes are confined to examples/vite-ssr-react-streaming-simple/server.js: one new dynamic import/limiter definition in the setup section, and one modification of the app.use('*all', ...) call to insert the middleware.

To fix the problem, avoid sending the raw exception stack trace directly to the HTTP response in a way that the browser interprets as HTML. Instead, send a generic error message (optionally with a 500 status code) and log the detailed error, including its stack trace, only on the server. If you still need to expose some error information to the client, you must HTML-escape it before sending, or use a non-HTML content type such as text/plain with proper escaping; however, for production SSR errors, a generic message is usually preferred.

The minimal, behavior-preserving (from an API-contract perspective) and safe change here is:

• In the catch block (catch (e) { ... }), keep vite?.ssrFixStacktrace(e) and console.log(e.stack) as they are (for server-side debugging).
• Replace res.status(500).end(e.stack) with a response that does not reveal the stack trace, such as res.status(500).send('Internal Server Error'), or, if you want to be consistent with the earlier shell error handler, an HTML snippet like <h1>Something went wrong</h1>. Both options avoid reflecting any user-controlled content.

Concretely, in examples/vite-ssr-react-streaming-simple/server.js, modify the lines 113–117 catch block so that the only thing sent to the client is a generic message and the status code remains 500. No new imports or helper functions are strictly needed for this simple fix.

In general, the fix is to stop including the stack trace (or any detailed exception object) in HTTP responses, and instead log it only on the server while sending a generic, user-friendly error message to the client. This prevents disclosure of internal file paths, implementation details, and potentially sensitive data embedded in error messages.

In this file, the necessary change is confined to the catch (e) { ... } block of the app.use('*all', ...) middleware. We should keep or improve the server-side logging (e.g., log e and/or e.stack), but replace res.status(500).end(e.stack) with a generic error message that does not reveal implementation details. To avoid changing existing functionality more than necessary, we can keep the HTTP 500 status code and just change the response body. A reasonable minimal change is:

• Leave vite?.ssrFixStacktrace(e) as-is (it only adjusts the stack trace for server-side logging / debugging).
• Optionally keep console.log(e.stack) or upgrade it to console.error(e); this does not affect the client.
• Change res.status(500).end(e.stack) to res.status(500).end('Internal Server Error') (or similarly generic text).

All edits are within examples/vite-ssr-react-streaming-simple/server.js, and no new imports or helpers are required.

[birkskyum]

Really excited about this work - thanks for looking into it!

[harlan-zw]

Initial version is available in 3.0.0-beta.5 with support for React, Vue, Solid.js, and Svelte. They all require Vite for the time being.