Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prefer (allowed) static assets to routes #5070

Merged
merged 13 commits into from
Jul 8, 2022
Merged

Prefer (allowed) static assets to routes #5070

merged 13 commits into from
Jul 8, 2022

Conversation

Rich-Harris
Copy link
Member

@Rich-Harris Rich-Harris commented May 25, 2022

#5066 happens because of #4974, which we need because otherwise files in the project root will shadow stuff in src/routes. As of that PR, we attempt to render requests with server.respond(...), and only defer to viteServeStaticMiddleware if that results in a 404.

In the case where you have rest routes, that's no good, because you can get a 200 response even when you're requesting a static asset.

I'm having a hard time figuring out what the correct fix for this is, so I'm just going to leave this failing test here for now.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

@changeset-bot
Copy link

changeset-bot bot commented May 25, 2022

🦋 Changeset detected

Latest commit: 1bce523

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@benmccann
Copy link
Member

I think the correct fix is probably vitejs/vite#7363

@benmccann benmccann marked this pull request as draft May 25, 2022 17:00
@7antra
Copy link

7antra commented Jun 30, 2022

@benmccann & @Rich-Harris , I think Vite doesn't take this seriously, but it's a real problem for sveltekit users. If you log url.pathname in the layout and hook in dev mode, you will see that all assets (imported like this) are now triggered like route, it causes a lot of troubles if you are using $page.stuff too.

@Rich-Harris
Copy link
Member Author

In lieu of a fix in Vite itself, I think this is a reasonable solution — we mimic Vite's internal logic to determine if an extant file is allowed, and if so we defer to serve_static_middleware

expect(r1.status()).toBe(200);
expect(await r1.text()).toContain('http://www.w3.org/2000/svg');

const r2 = await request.get('/package.json');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems surprising to me. I wouldn't expect you to be able to get the package.json, node_modules, etc. It will also make it available to everyone on your network. I'm not sure that's a huge risk, but I'm not really sure why we'd expose it either

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not getting package.json. The test is there to check that it will serve a route called /package.json despite there being a package.json in the project directory outside the allow list. Check two lines further down.

node_modules on the other hand are on the allow list so that you can use node_modules!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants