Releases: oekazuma/svelte-vitals
Releases · oekazuma/svelte-vitals
Release list
svelte-vitals@0.29.0
Minor Changes
- b10c26a: Add CORRECT006 (critical): flag orphan
$effectcalls that throweffect_orphanat runtime — a top-level$effectin a.svelte.ts/.svelte.jsrunes module or a.svelte<script module>, and a module-scopenewof a class whose constructor creates a bare$effect..svelte.ts/.svelte.jsrunes modules are now analyzed by the component-facts pipeline. - e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (
onMount,getContext,setContext, …) that run outside component initialisation and throwlifecycle_outside_componentat runtime — at module scope in runes modules and<script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classicgetContext-in-loadtrap). - b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (
window,document,localStorage, …) read in server-executed code — module scope of runes modules and<script module>, SvelteKit load/handler/initbodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognisesbrowser/typeofguards, respects same-fileexport const ssr = false, and never descends intoonMount/$effect/function bodies. - d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope
let/varreassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of.svelte.tsmodules holding module-scope$state. Kit route/hooks files are now analyzed via a newKitModuleFactschannel.
Patch Changes
- c4ef9d8: Fix
ci install/ci upgradeto never pin@svelte-vitals/actionto a commit SHA that isn't actually onorigin/mainyet. The pin is generated at build time fromgit rev-parse HEAD; if a local build runs before that commit is pushed (e.g. testing against apnpm linked checkout), the generated GitHub Actions workflow referenced an unresolvable action and every PR's CI job failed. The generator now falls back to the nearest ancestor commit that is onorigin/mainwhen HEAD itself isn't reachable there. - 76701e0: Fix monorepo app detection (
discoverApps, andinstall --app) to recognize a SvelteKit app that has nosvelte.config.{js,ts}— currentsv createoutput folds SvelteKit's adapter/compiler config directly into thesveltekit()plugin call invite.config.tsand no longer emits a separatesvelte.configfile. Detection now also accepts apackage.jsondeclaring@sveltejs/kit, mirroringdetectProject's existing rule. Previously such an app was silently invisible tosvelte-vitals(from a monorepo root) orsvelte-vitals install --app <dir>(explicit--appfailed with "not a SvelteKit app"). - Updated dependencies [b10c26a]
- Updated dependencies [e38ea4d]
- Updated dependencies [b0c2040]
- Updated dependencies [d6511a7]
- Updated dependencies [15f0b61]
- @svelte-vitals/core@0.26.0
@svelte-vitals/vite@0.18.0
Minor Changes
- b10c26a: Add CORRECT006 (critical): flag orphan
$effectcalls that throweffect_orphanat runtime — a top-level$effectin a.svelte.ts/.svelte.jsrunes module or a.svelte<script module>, and a module-scopenewof a class whose constructor creates a bare$effect..svelte.ts/.svelte.jsrunes modules are now analyzed by the component-facts pipeline. - e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (
onMount,getContext,setContext, …) that run outside component initialisation and throwlifecycle_outside_componentat runtime — at module scope in runes modules and<script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classicgetContext-in-loadtrap). - b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (
window,document,localStorage, …) read in server-executed code — module scope of runes modules and<script module>, SvelteKit load/handler/initbodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognisesbrowser/typeofguards, respects same-fileexport const ssr = false, and never descends intoonMount/$effect/function bodies. - d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope
let/varreassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of.svelte.tsmodules holding module-scope$state. Kit route/hooks files are now analyzed via a newKitModuleFactschannel.
Patch Changes
@svelte-vitals/mcp@0.13.0
Minor Changes
- b10c26a: Add CORRECT006 (critical): flag orphan
$effectcalls that throweffect_orphanat runtime — a top-level$effectin a.svelte.ts/.svelte.jsrunes module or a.svelte<script module>, and a module-scopenewof a class whose constructor creates a bare$effect..svelte.ts/.svelte.jsrunes modules are now analyzed by the component-facts pipeline. - e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (
onMount,getContext,setContext, …) that run outside component initialisation and throwlifecycle_outside_componentat runtime — at module scope in runes modules and<script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classicgetContext-in-loadtrap). - b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (
window,document,localStorage, …) read in server-executed code — module scope of runes modules and<script module>, SvelteKit load/handler/initbodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognisesbrowser/typeofguards, respects same-fileexport const ssr = false, and never descends intoonMount/$effect/function bodies. - d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope
let/varreassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of.svelte.tsmodules holding module-scope$state. Kit route/hooks files are now analyzed via a newKitModuleFactschannel.
Patch Changes
@svelte-vitals/core@0.26.0
Minor Changes
- b10c26a: Add CORRECT006 (critical): flag orphan
$effectcalls that throweffect_orphanat runtime — a top-level$effectin a.svelte.ts/.svelte.jsrunes module or a.svelte<script module>, and a module-scopenewof a class whose constructor creates a bare$effect..svelte.ts/.svelte.jsrunes modules are now analyzed by the component-facts pipeline. - e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (
onMount,getContext,setContext, …) that run outside component initialisation and throwlifecycle_outside_componentat runtime — at module scope in runes modules and<script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classicgetContext-in-loadtrap). - b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (
window,document,localStorage, …) read in server-executed code — module scope of runes modules and<script module>, SvelteKit load/handler/initbodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognisesbrowser/typeofguards, respects same-fileexport const ssr = false, and never descends intoonMount/$effect/function bodies. - d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope
let/varreassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of.svelte.tsmodules holding module-scope$state. Kit route/hooks files are now analyzed via a newKitModuleFactschannel.
Patch Changes
- 15f0b61: SEC003 no longer flags
.set()/.update()calls on modules imported fromsrc/lib/server/**via a relative path — the exemption now checks the resolved path, not just the$lib/server/alias form.
svelte-vitals@0.28.0
Minor Changes
- 2cd25d8:
svelte-vitals installnow understands monorepos. The app-scoped targets —vite-plugin,vite-hooks, andconfig-file— resolve the SvelteKit app directory the same way the analyzer does: an explicit--app apps/webwins, a cwd that is itself an app is used as-is, one detected app is used automatically with a notice, several prompt a picker on a TTY, and non-interactive runs exit 2 asking for--app. The@svelte-vitals/viteauto-install also runs inside the chosen app (with the package manager still detected from the workspace root's lockfile). Root-scoped targets (MCP client configs, agent skills/rules,ci-workflow) keep writing at the current directory, which is their correct home in a monorepo. - 28e92c0:
svelte-vitals --reporter htmland the vite live dashboard now share one renderer (core's newrenderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection,measuredrefinement, the connection/analyzing indicators) is absent when there is no dev server behind the page.@svelte-vitals/coregainsrenderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLEexports;buildHtmlDocument/formatHtmlReportkeep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.
Patch Changes
- Updated dependencies [28e92c0]
- @svelte-vitals/core@0.25.0
@svelte-vitals/vite@0.17.0
Minor Changes
- 28e92c0:
svelte-vitals --reporter htmland the vite live dashboard now share one renderer (core's newrenderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection,measuredrefinement, the connection/analyzing indicators) is absent when there is no dev server behind the page.@svelte-vitals/coregainsrenderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLEexports;buildHtmlDocument/formatHtmlReportkeep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.
Patch Changes
@svelte-vitals/mcp@0.12.3
@svelte-vitals/core@0.25.0
Minor Changes
- 28e92c0:
svelte-vitals --reporter htmland the vite live dashboard now share one renderer (core's newrenderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection,measuredrefinement, the connection/analyzing indicators) is absent when there is no dev server behind the page.@svelte-vitals/coregainsrenderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLEexports;buildHtmlDocument/formatHtmlReportkeep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.
svelte-vitals@0.27.0
Minor Changes
- d243f01:
svelte-vitals install --client config-filenow auto-picks the best extension for the environment instead of always scaffolding.mjs:.ts(usingdefineConfigfor real type-checking/autocomplete) when the current Node supports loading it natively, the project looks TypeScript-oriented (atsconfig.jsonorvite.config.tspresent), andsvelte-vitalsis a declared dependency (thedefineConfigimport resolves at load time, so npx-only projects keep getting the dependency-free default); otherwise the safe.mjs. Detecting whether a config file already exists now checks all three candidate extensions (.mjs/.js/.ts), not just.mjs— a project with an existingsvelte-vitals.config.tsno longer gets a redundant.mjscreated alongside it.--forcealways regenerates whichever file is already there, never switching its extension or module syntax (a.jsconfig in a CommonJS project is regenerated asmodule.exports, not ESM). - 0bb628d:
svelte-vitals install's interactive picker now groups targets by category — MCP server, Vite integration, Agent Skills & rules, CI (GitHub Actions), Config file — instead of one flat list, making it easier to tell what each of the ten targets is for. The GitHub Actions workflow (previously only available via the standalonesvelte-vitals ci install) is now also a selectableci-workflowtarget insideinstall, so CI can be set up in the same pass as the MCP server/Vite/skills instead of a separate command.svelte-vitals ci install/ci upgraderemain available standalone. - f1cbfd0:
svelte-vitals install --client claude-skillandclaude-skill-improvenow write the same generated skill content to three conventional locations at once —.claude/skills/,.agents/skills/, and.cursor/skills/— instead of just.claude/skills/. Claude Code, Codex, and Cursor all read the same frontmatter-drivenSKILL.mdconvention (directory name decides the invocable command), so a project that picksclaude-skill/claude-skill-improvenow gets a working skill in all three tools with no extra action.--forceand--refreshapply per-file, so a project with only the old single-path install gets the two new destinations created without disturbing the existing one.cursor-rules(.cursor/rules/*.mdc) is unchanged.
Patch Changes
- 25efcde: Fix
svelte-vitals install --client config-file, which was rejected with "unknown --client 'config-file'" despite being documented in--helpandsvelte-vitals install --help— the CLI argument parser's list of valid--clientids never included the config-file target.
svelte-vitals@0.26.0
Minor Changes
- 7fb7d55: Add a
claude-skill-improveinstall target:svelte-vitals install --client claude-skill-improvewrites a second, read-only Claude Code skill (.claude/skills/improve-svelte/SKILL.md). Where the existingclaude-skilltarget is the every-edit regression-check playbook, this new skill audits the whole codebase as a senior Svelte/SvelteKit engineer — using svelte-vitals' own scan as evidence — and writes prioritized, self-contained implementation plans underplans/for another agent (or cheaper model) to execute later; it never edits source itself. It reuses the same rule-catalog generator the existing skill already renders, so every rule's canonical fix is inlined with no network fetch required. Supports--force/--refreshlike the other agent targets.