fix: posixify internal app server path (#14049)

dummdidumm · web-flow · commit de3be9a78020 · 2025-07-25T15:53:37.000+02:00
Noticed this while working on remote functions - this could yield false negatives on windows for resolving internal server path and for the server module guard (there's no security issue here, this would've just failed right away both at runtime and build time since the imported server code, which is only SvelteKit runtime code and not user code, is invalid in the browser)
diff --git a/.changeset/loose-tips-go.md b/.changeset/loose-tips-go.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: posixify internal app server path
diff --git a/packages/kit/src/exports/vite/module_ids.js b/packages/kit/src/exports/vite/module_ids.js
@@ -1,4 +1,5 @@
 import { fileURLToPath } from 'node:url';
+import { posixify } from '../../utils/filesystem.js';
 
 export const env_static_private = '\0virtual:env/static/private';
 export const env_static_public = '\0virtual:env/static/public';
@@ -11,6 +12,6 @@ export const sveltekit_environment = '\0virtual:__sveltekit/environment';
 export const sveltekit_paths = '\0virtual:__sveltekit/paths';
 export const sveltekit_server = '\0virtual:__sveltekit/server';
 
-export const app_server = fileURLToPath(
-	new URL('../../runtime/app/server/index.js', import.meta.url)
+export const app_server = posixify(
+	fileURLToPath(new URL('../../runtime/app/server/index.js', import.meta.url))
 );
diff --git a/packages/kit/test/apps/dev-only/src/routes/illegal-imports/server-only-modules/static-import-2/+page.svelte b/packages/kit/test/apps/dev-only/src/routes/illegal-imports/server-only-modules/static-import-2/+page.svelte
@@ -0,0 +1,4 @@
+<script>
+	import { read } from '$app/server';
+	read;
+</script>
diff --git a/packages/kit/test/apps/dev-only/test/test.js b/packages/kit/test/apps/dev-only/test/test.js
@@ -76,6 +76,18 @@ Tips:
  - If you're not sure which module is causing this, try building your app -- it will create a more helpful error.`);
 	});
 
+	test('$app/server module is not statically importable from the client', async ({ page }) => {
+		await page.goto('/illegal-imports/server-only-modules/static-import-2', {
+			wait_for_started: false
+		});
+		expect(await page.textContent('.message-body'))
+			.toBe(`Cannot import $app/server into client-side code. This could leak sensitive information.
+Tips:
+ - To resolve this error, ensure that no exports from $app/server are used, even transitively, in client-side code.
+ - If you're only using the import as a type, change it to \`import type\`.
+ - If you're not sure which module is causing this, try building your app -- it will create a more helpful error.`);
+	});
+
 	test('server-only module is not dynamically importable from the client', async ({ page }) => {
 		await page.goto('/illegal-imports/server-only-modules/dynamic-import', {
 			wait_for_started: false

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +fix: posixify internal app server path