Skip to content

feat: whitelist external remote functions #14156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

feat: whitelist external remote functions #14156

wants to merge 6 commits into from

Conversation

@ottomated
Copy link
Contributor

@ottomated ottomated commented Aug 8, 2025
edited
Loading

(retargeting #14028)

fixes #13979

Adds a new config option, remoteFunctions.allowedPaths, which allows remote functions to be loaded outside of src.

I like this approach because:

  • It's pretty simple to implement
  • It follows the pattern of stuff like vite & pnpm, requiring explicit authorization
  • Because users whitelist whole folders at once, they can easily allow a whole npm package
  • It's way more performant than walking the entire node_modules directory recursively to detect remote functions there
  • The warning when a user attempts to import remote functions that aren't whitelisted is intuitive and easy to fix:
Remote function 'query' from src/external-remotes/not-allowed/not-allowed.remote.js is not accessible by default. To whitelist it, add 'src/external-remotes/not-allowed' to `kit.remoteFunctions.allowedPaths` in `svelte.config.js`.

Also, if there's a better way to give the vite plugin access to manifest_data at dev time, let me know.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.
@changeset-bot
Copy link

changeset-bot bot commented Aug 8, 2025
edited
Loading

🦋 Changeset detected

Latest commit: d4be49c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR
@madeleineostoja
Copy link

I'm in favour of just fixing this weirdness no matter what, but I will say that I think this is a seperate issue to allowing remote functions outside of $lib and routes within your project source.

I feel like whitelisting "external" sources (eg: node_modules) and src should probably be handled differently
@benmccann benmccann changed the title feat(remote functions): whitelist external remote functions feat: whitelist external remote functions Aug 10, 2025
@Rich-Harris Rich-Harris mentioned this pull request Aug 23, 2025
Merged
6 tasks
@Rich-Harris
Copy link
Member

#14293 was merged, so I'll close this — thanks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants

@ottomated @madeleineostoja @Rich-Harris