Skip to content

Releases: oekazuma/svelte-vitals

svelte-vitals@0.29.0

Choose a tag to compare

Minor Changes

  • b10c26a: Add CORRECT006 (critical): flag orphan $effect calls that throw effect_orphan at runtime — a top-level $effect in a .svelte.ts/.svelte.js runes module or a .svelte <script module>, and a module-scope new of a class whose constructor creates a bare $effect. .svelte.ts/.svelte.js runes modules are now analyzed by the component-facts pipeline.
  • e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (onMount, getContext, setContext, …) that run outside component initialisation and throw lifecycle_outside_component at runtime — at module scope in runes modules and <script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classic getContext-in-load trap).
  • b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (window, document, localStorage, …) read in server-executed code — module scope of runes modules and <script module>, SvelteKit load/handler/init bodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognises browser/typeof guards, respects same-file export const ssr = false, and never descends into onMount/$effect/function bodies.
  • d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope let/var reassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of .svelte.ts modules holding module-scope $state. Kit route/hooks files are now analyzed via a new KitModuleFacts channel.

Patch Changes

  • c4ef9d8: Fix ci install/ci upgrade to never pin @svelte-vitals/action to a commit SHA that isn't actually on origin/main yet. The pin is generated at build time from git rev-parse HEAD; if a local build runs before that commit is pushed (e.g. testing against a pnpm linked checkout), the generated GitHub Actions workflow referenced an unresolvable action and every PR's CI job failed. The generator now falls back to the nearest ancestor commit that is on origin/main when HEAD itself isn't reachable there.
  • 76701e0: Fix monorepo app detection (discoverApps, and install --app) to recognize a SvelteKit app that has no svelte.config.{js,ts} — current sv create output folds SvelteKit's adapter/compiler config directly into the sveltekit() plugin call in vite.config.ts and no longer emits a separate svelte.config file. Detection now also accepts a package.json declaring @sveltejs/kit, mirroring detectProject's existing rule. Previously such an app was silently invisible to svelte-vitals (from a monorepo root) or svelte-vitals install --app <dir> (explicit --app failed with "not a SvelteKit app").
  • Updated dependencies [b10c26a]
  • Updated dependencies [e38ea4d]
  • Updated dependencies [b0c2040]
  • Updated dependencies [d6511a7]
  • Updated dependencies [15f0b61]
    • @svelte-vitals/core@0.26.0

@svelte-vitals/vite@0.18.0

Choose a tag to compare

Minor Changes

  • b10c26a: Add CORRECT006 (critical): flag orphan $effect calls that throw effect_orphan at runtime — a top-level $effect in a .svelte.ts/.svelte.js runes module or a .svelte <script module>, and a module-scope new of a class whose constructor creates a bare $effect. .svelte.ts/.svelte.js runes modules are now analyzed by the component-facts pipeline.
  • e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (onMount, getContext, setContext, …) that run outside component initialisation and throw lifecycle_outside_component at runtime — at module scope in runes modules and <script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classic getContext-in-load trap).
  • b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (window, document, localStorage, …) read in server-executed code — module scope of runes modules and <script module>, SvelteKit load/handler/init bodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognises browser/typeof guards, respects same-file export const ssr = false, and never descends into onMount/$effect/function bodies.
  • d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope let/var reassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of .svelte.ts modules holding module-scope $state. Kit route/hooks files are now analyzed via a new KitModuleFacts channel.

Patch Changes

  • Updated dependencies [b10c26a]
  • Updated dependencies [e38ea4d]
  • Updated dependencies [b0c2040]
  • Updated dependencies [c4ef9d8]
  • Updated dependencies [76701e0]
  • Updated dependencies [d6511a7]
  • Updated dependencies [15f0b61]
    • @svelte-vitals/core@0.26.0
    • svelte-vitals@0.29.0

@svelte-vitals/mcp@0.13.0

Choose a tag to compare

Minor Changes

  • b10c26a: Add CORRECT006 (critical): flag orphan $effect calls that throw effect_orphan at runtime — a top-level $effect in a .svelte.ts/.svelte.js runes module or a .svelte <script module>, and a module-scope new of a class whose constructor creates a bare $effect. .svelte.ts/.svelte.js runes modules are now analyzed by the component-facts pipeline.
  • e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (onMount, getContext, setContext, …) that run outside component initialisation and throw lifecycle_outside_component at runtime — at module scope in runes modules and <script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classic getContext-in-load trap).
  • b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (window, document, localStorage, …) read in server-executed code — module scope of runes modules and <script module>, SvelteKit load/handler/init bodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognises browser/typeof guards, respects same-file export const ssr = false, and never descends into onMount/$effect/function bodies.
  • d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope let/var reassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of .svelte.ts modules holding module-scope $state. Kit route/hooks files are now analyzed via a new KitModuleFacts channel.

Patch Changes

  • Updated dependencies [b10c26a]
  • Updated dependencies [e38ea4d]
  • Updated dependencies [b0c2040]
  • Updated dependencies [c4ef9d8]
  • Updated dependencies [76701e0]
  • Updated dependencies [d6511a7]
  • Updated dependencies [15f0b61]
    • @svelte-vitals/core@0.26.0
    • svelte-vitals@0.29.0

@svelte-vitals/core@0.26.0

Choose a tag to compare

Minor Changes

  • b10c26a: Add CORRECT006 (critical): flag orphan $effect calls that throw effect_orphan at runtime — a top-level $effect in a .svelte.ts/.svelte.js runes module or a .svelte <script module>, and a module-scope new of a class whose constructor creates a bare $effect. .svelte.ts/.svelte.js runes modules are now analyzed by the component-facts pipeline.
  • e38ea4d: Add CORRECT007 (critical): flag Svelte lifecycle/context calls (onMount, getContext, setContext, …) that run outside component initialisation and throw lifecycle_outside_component at runtime — at module scope in runes modules and <script module>, in constructors of module-scope-instantiated classes, and inside SvelteKit load/action/endpoint handlers (the classic getContext-in-load trap).
  • b0c2040: Add CORRECT008 (critical) and CORRECT009 (warning): flag browser-only globals (window, document, localStorage, …) read in server-executed code — module scope of runes modules and <script module>, SvelteKit load/handler/init bodies and file top levels (CORRECT008), and component instance-script top levels that run during SSR (CORRECT009). Recognises browser/typeof guards, respects same-file export const ssr = false, and never descends into onMount/$effect/function bodies.
  • d6511a7: Add SEC003–005: SSR shared-state leak detection for SvelteKit server/universal route files. SEC003 (critical) flags load/action/endpoint handlers writing to imported module state; SEC004 (warning) flags module-scope let/var reassigned from functions in Kit server files; SEC005 (warning) flags server-side imports of .svelte.ts modules holding module-scope $state. Kit route/hooks files are now analyzed via a new KitModuleFacts channel.

Patch Changes

  • 15f0b61: SEC003 no longer flags .set()/.update() calls on modules imported from src/lib/server/** via a relative path — the exemption now checks the resolved path, not just the $lib/server/ alias form.

svelte-vitals@0.28.0

Choose a tag to compare

Minor Changes

  • 2cd25d8: svelte-vitals install now understands monorepos. The app-scoped targets — vite-plugin, vite-hooks, and config-file — resolve the SvelteKit app directory the same way the analyzer does: an explicit --app apps/web wins, a cwd that is itself an app is used as-is, one detected app is used automatically with a notice, several prompt a picker on a TTY, and non-interactive runs exit 2 asking for --app. The @svelte-vitals/vite auto-install also runs inside the chosen app (with the package manager still detected from the workspace root's lockfile). Root-scoped targets (MCP client configs, agent skills/rules, ci-workflow) keep writing at the current directory, which is their correct home in a monorepo.
  • 28e92c0: svelte-vitals --reporter html and the vite live dashboard now share one renderer (core's new renderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection, measured refinement, the connection/analyzing indicators) is absent when there is no dev server behind the page. @svelte-vitals/core gains renderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLE exports; buildHtmlDocument/formatHtmlReport keep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.

Patch Changes

  • Updated dependencies [28e92c0]
    • @svelte-vitals/core@0.25.0

@svelte-vitals/vite@0.17.0

Choose a tag to compare

Minor Changes

  • 28e92c0: svelte-vitals --reporter html and the vite live dashboard now share one renderer (core's new renderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection, measured refinement, the connection/analyzing indicators) is absent when there is no dev server behind the page. @svelte-vitals/core gains renderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLE exports; buildHtmlDocument/formatHtmlReport keep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.

Patch Changes

  • Updated dependencies [2cd25d8]
  • Updated dependencies [28e92c0]
    • svelte-vitals@0.28.0
    • @svelte-vitals/core@0.25.0

@svelte-vitals/mcp@0.12.3

Choose a tag to compare

Patch Changes

  • Updated dependencies [2cd25d8]
  • Updated dependencies [28e92c0]
    • svelte-vitals@0.28.0
    • @svelte-vitals/core@0.25.0

@svelte-vitals/core@0.25.0

Choose a tag to compare

Minor Changes

  • 28e92c0: svelte-vitals --reporter html and the vite live dashboard now share one renderer (core's new renderAppShell), so the two surfaces can't drift apart again. The static HTML report gets the dashboard's full UI — master/detail layout with a searchable, sortable route list, severity/category filters, dark mode, and the per-finding copy-to-clipboard AI Prompt — while staying fully self-contained and offline; the only difference is that the live-update machinery (SSE connection, measured refinement, the connection/analyzing indicators) is absent when there is no dev server behind the page. @svelte-vitals/core gains renderAppShell/AppSnapshot/RouteBadge/APP_SCRIPT/APP_STYLE exports; buildHtmlDocument/formatHtmlReport keep their signatures but emit the new document. The dashboard itself is unchanged, now served from the shared shell.

svelte-vitals@0.27.0

Choose a tag to compare

Minor Changes

  • d243f01: svelte-vitals install --client config-file now auto-picks the best extension for the environment instead of always scaffolding .mjs: .ts (using defineConfig for real type-checking/autocomplete) when the current Node supports loading it natively, the project looks TypeScript-oriented (a tsconfig.json or vite.config.ts present), and svelte-vitals is a declared dependency (the defineConfig import resolves at load time, so npx-only projects keep getting the dependency-free default); otherwise the safe .mjs. Detecting whether a config file already exists now checks all three candidate extensions (.mjs/.js/.ts), not just .mjs — a project with an existing svelte-vitals.config.ts no longer gets a redundant .mjs created alongside it. --force always regenerates whichever file is already there, never switching its extension or module syntax (a .js config in a CommonJS project is regenerated as module.exports, not ESM).
  • 0bb628d: svelte-vitals install's interactive picker now groups targets by category — MCP server, Vite integration, Agent Skills & rules, CI (GitHub Actions), Config file — instead of one flat list, making it easier to tell what each of the ten targets is for. The GitHub Actions workflow (previously only available via the standalone svelte-vitals ci install) is now also a selectable ci-workflow target inside install, so CI can be set up in the same pass as the MCP server/Vite/skills instead of a separate command. svelte-vitals ci install/ci upgrade remain available standalone.
  • f1cbfd0: svelte-vitals install --client claude-skill and claude-skill-improve now write the same generated skill content to three conventional locations at once — .claude/skills/, .agents/skills/, and .cursor/skills/ — instead of just .claude/skills/. Claude Code, Codex, and Cursor all read the same frontmatter-driven SKILL.md convention (directory name decides the invocable command), so a project that picks claude-skill/claude-skill-improve now gets a working skill in all three tools with no extra action. --force and --refresh apply per-file, so a project with only the old single-path install gets the two new destinations created without disturbing the existing one. cursor-rules (.cursor/rules/*.mdc) is unchanged.

Patch Changes

  • 25efcde: Fix svelte-vitals install --client config-file, which was rejected with "unknown --client 'config-file'" despite being documented in --help and svelte-vitals install --help — the CLI argument parser's list of valid --client ids never included the config-file target.

svelte-vitals@0.26.0

Choose a tag to compare

@github-actions github-actions released this 14 Jul 08:15
e30438c

Minor Changes

  • 7fb7d55: Add a claude-skill-improve install target: svelte-vitals install --client claude-skill-improve writes a second, read-only Claude Code skill (.claude/skills/improve-svelte/SKILL.md). Where the existing claude-skill target is the every-edit regression-check playbook, this new skill audits the whole codebase as a senior Svelte/SvelteKit engineer — using svelte-vitals' own scan as evidence — and writes prioritized, self-contained implementation plans under plans/ for another agent (or cheaper model) to execute later; it never edits source itself. It reuses the same rule-catalog generator the existing skill already renders, so every rule's canonical fix is inlined with no network fetch required. Supports --force/--refresh like the other agent targets.