life as a svelte developer is full of disappointment, but i persist
Posts by Elliott Johnson
Actually, you should just do `return (event.locals.user ??= await auth(…))`
This way you only authenticate once per request!
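An added example (not code from the post) of the per-request memoisation the reply describes, with one caveat a practitioner would want: `auth()` here is a hypothetical stand-in that checks a session cookie, `makeEvent()` is a constructed stand-in for SvelteKit's `RequestEvent`, and the `userPromise` slot name is an assumption.

```javascript
// Added example (not code from the post): memoising auth once per request on
// `event.locals`. `auth()` is a hypothetical stand-in that checks a session
// cookie; a real app would verify a signed session or hit a session store.
let authCalls = 0;

async function auth(event) {
  authCalls += 1;                              // count how often real work runs
  const cookie = event.cookies.get('session');
  await Promise.resolve();                     // stand-in for a DB / JWT check
  return cookie === 'sess_valid' ? { id: 'u_42', role: 'member' } : null;
}

// Cache the promise rather than the awaited value: concurrent `load` functions
// that call this in the same request share one in-flight auth(), and an
// anonymous (null) result is cached too, which a value-level `??=` would
// re-run on every call because null is nullish.
function getUser(event) {
  return (event.locals.userPromise ??= auth(event));
}

// The one-liner from the post, for comparison: correct when callers are
// sequential, but two callers racing before the first await both see an
// empty slot, and a null result is never cached.
async function getUserNaive(event) {
  return (event.locals.user ??= await auth(event));
}

// Constructed stand-in for SvelteKit's RequestEvent (only the bits we use).
function makeEvent(sessionCookie) {
  const jar = new Map(sessionCookie === undefined ? [] : [['session', sessionCookie]]);
  return { locals: {}, cookies: { get: (name) => jar.get(name) } };
}

function resetAuthCounter() { authCalls = 0; }
function authCallCount() { return authCalls; }

// Race two callers (e.g. a layout load and a page load) against one event and
// report how many times auth() actually ran.
function raceCallers(getter, event) {
  resetAuthCounter();
  getter(event);
  getter(event);
  return authCallCount();
}
```

In a SvelteKit app `getUser()` would live in a shared server module and be called from `hooks.server.js` or any server `load`; because the cached thing is the promise, every caller in the request awaits the same result.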
The real way to do this is to use a preprocessor. Look at how `enhanced:img` is implemented in the SvelteKit repo!
we see you. not creepily, though! 😂
me every day
Why yes, leasing office, I would just love to attend the amazing event you've planned with soda and cheap snacks so that I can be ambushed by whatever insane internet/insurance/dentist's office sales team you've decided to foist upon our complex today
I'm updating the docs ASAP as well. (See PR for a good description of the changes in the meantime: github.com/sveltejs/kit...)
Just merged a relatively significant set of changes to remote functions, especially `query`. It's fairly likely your next upgrade will break your app if you're doing anything decently advanced, but the errors should be pretty helpful/descriptive.
Thanks for the reports! As always, I’m dismayed at the completely unexpected ways you can bog down JavaScript 😅
@svelte.dev devs / Svelte-curious folks - join us for a live session with the team!
I'll be chatting with @rich-harris.dev, @ell.iott.dev and @dummdidumm.bsky.social + @eveporcello.com to share more on @vercel.com Academy.
Thursday 12th March, 10AM PST
community.vercel.com/live/34169-c...
Hmm, I think "release contains bare commits" (as opposed to PR references) is probably a pretty good signal. I don't think there are typically any scenarios where we'd do that if we weren't releasing from a GitHub private fork.
This is legit; super cool. Is there anything we can do from our end to make sure this shows up correctly / doesn't miss security releases?
Thanks Jorian! Glad we got this one fixed and glad you found it.
bsky.app/profile/ell....
Thankfully nothing huge, but yes! The new bug bounty has brought a lot of really good scrutiny to the Svelte ecosystem's projects.
Huge thanks to everyone involved, and a special shoutout for the security team at Vercel for working with us to pay our reporters and managing this new bug bounty!
The `@sveltejs/adapter-vercel` patches are available in 6.3.2. If you're on Vercel, you should upgrade. We deployed WAF protections for most exploit patterns, but the only way to immunize yourself to this one is by upgrading or being lucky enough to have an app configuration that prevents it.
The `devalue` patches are available in version `5.6.3`. It's very, very unlikely you're affected, but you should upgrade anyway!
The `@sveltejs/kit` patches are available in version 2.52.2. Only applications using both `experimental.remoteFunctions` and `form` are vulnerable.
The `svelte` security patches are available in version 5.51.5. All of these had to do with SSR escaping issues. Thankfully, they're all very difficult to exploit in practice. (Most of them would require upstream system compromise along with some level of knowledge of the application's internals).
We just released a number of security patches across the Svelte ecosystem. If you use SvelteKit, the Vercel adapter for SvelteKit, Svelte, or devalue, you should upgrade.
The Vercel OSS Bug Bounty paid out over $14,000 for these reports!
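An added check (not code from the thread or from the Svelte project) for the upgrade advice above: it walks a `package-lock.json` and flags any installed copy of the four packages that is older than the patched release named in the posts. The lockfile below is constructed for the example; run `checkLockfile` over your own lockfile instead.

```javascript
// Added example (not part of the thread): compare lockfile versions with the
// patched releases named in the posts above.
const PATCHED = {
  'svelte': '5.51.5',
  '@sveltejs/kit': '2.52.2',
  '@sveltejs/adapter-vercel': '6.3.2',
  'devalue': '5.6.3',
};

// Numeric major.minor.patch comparison; returns -1, 0 or 1. Pre-release tags
// are ignored, which is enough for "is this at or above the patch release".
// Note it also flags older majors, which may need a separate backport check.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// package-lock v2/v3 keys installed packages by path ("node_modules/svelte",
// or "node_modules/foo/node_modules/svelte" for a nested copy). Collect all copies.
function installedVersions(lock, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push(meta.version);
    }
  }
  return out;
}

// Returns one finding per installed copy that is below the patched release.
function checkLockfile(lock) {
  const findings = [];
  for (const [name, fixed] of Object.entries(PATCHED)) {
    for (const installed of installedVersions(lock, name)) {
      if (compareSemver(installed, fixed) < 0) findings.push({ name, installed, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile: kit one patch behind, plus a nested old devalue
// pulled in by a dependency, which a top-level `npm ls` glance can miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/svelte': { version: '5.51.5' },
    'node_modules/@sveltejs/kit': { version: '2.52.1' },
    'node_modules/@sveltejs/adapter-vercel': { version: '6.3.2' },
    'node_modules/devalue': { version: '5.6.3' },
    'node_modules/some-lib/node_modules/devalue': { version: '5.1.0' },
  },
};

// Against a real project: load './package-lock.json' with fs.readFileSync and
// JSON.parse, then pass it to checkLockfile().
```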
We’re basically at “Wow, this is awesome, and we still have so much work to do!” 😂 I’m hoping to get the bandwidth to write streaming SSR soon, but we’re also working on SvelteKit 3, so there’s a lot of juggling going on. Rich and Simon are mostly focusing on async reactivity bug bashing right now.
It's official, you can now get paid up to $10,000 for finding security issues in Svelte and SvelteKit! Big thanks to both the security team at Vercel and the Svelte maintainers' group for coming together to make this possible. Learn more: vercel.com/blog/the-ver...
I also really enjoyed it, thank you! One minor thing: the table of contents is getting way too touchy-feely with the article content 😂
We've released fixes for 5 CVEs affecting the Svelte ecosystem. Please upgrade your apps!
Read the post to learn if you're affected:
svelte.dev/blog/cves-af...
we'll never know if he's talking about software development or this: www.foodnavigator-usa.com/Article/2023...
Yeah but if you can survive with a global “singleton” of the class, you can just export it as `export const myThing = new Thing()`! And you don’t need multiple paradigms for “needs config” vs “doesn’t need config”
I have typically used a class with state fields and arrow function methods for event handlers. Then you can do `const myThing = new Thing()` and pass `myThing.onclick` to a click handler and Thing still owns all the state.
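An added example (not the poster's code) of the pattern in the two posts above: a class that owns its state and exposes arrow-function handlers, so `myThing.onclick` can be handed to an element without losing `this`, next to a plain prototype method that does lose it. `Counter`, `makeElement` and the fake element are constructed for the example; in a Svelte 5 component the fields would be `$state` runes, plain fields are used so it runs under Node.

```javascript
// Added example (not the poster's code): state-owning class with arrow handlers.
class Counter {
  count = 0;
  lastTarget = null;

  // Arrow-function field: `this` is fixed to the instance at construction,
  // so the handler can be passed around detached.
  onclick = (event) => {
    this.count += 1;
    this.lastTarget = event?.target ?? null;
  };

  // Prototype method: `this` is whatever the caller supplies.
  onclickUnbound(event) {
    this.count += 1;
  }
}

// Constructed stand-in for a DOM element: addEventListener invokes the handler
// with `this` set to the element, as the real DOM does.
function makeElement(id) {
  const el = { id, handler: null };
  el.addEventListener = (_type, fn) => { el.handler = fn; };
  el.click = () => el.handler.call(el, { target: el });
  return el;
}

// The reply's point: if one instance is enough, just share it from the module
// (in an ESM file this would be `export const counter = new Counter();`).
const counter = new Counter();

function demoArrow() {
  const c = new Counter();
  const el = makeElement('btn');
  el.addEventListener('click', c.onclick);
  el.click();
  el.click();
  return c.count;                                // 2: state stayed on the Counter
}

function demoUnbound() {
  const c = new Counter();
  const el = makeElement('btn');
  el.addEventListener('click', c.onclickUnbound);
  el.click();
  // The increment ran against the element, not the Counter.
  return { counterCount: c.count, leakedToElement: 'count' in el };
}
```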
One caveat here is that variable references in the template (outside of the script block) are automatically made reactive, which is why writing `{foo}` in your HTML will always update the DOM.
something reactive, you’ll “lose” reactivity. `$derived` is your way of telling Svelte “I want this variable to always refer to the current value of an expression”.