Merge branch 'sveltejs:main' into main

Author: yuki0418

.changeset/eleven-papayas-share.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: make config deprecation warnings more visible

.changeset/weak-clouds-tell.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+chore: deprecate `csrf.checkOrigin` in favour of `csrf.trustedOrigins: ['*']`

packages/kit/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @sveltejs/kit
 
+## 2.36.1
+### Patch Changes
+
+
+- fix: ensure importing from `$app/navigation` works in test files ([#14195](https://github.com/sveltejs/kit/pull/14195))
+
 ## 2.36.0
 ### Minor Changes
 

packages/kit/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@sveltejs/kit",
-	"version": "2.36.0",
+	"version": "2.36.1",
 	"description": "SvelteKit is the fastest way to build Svelte apps",
 	"keywords": [
 		"framework",

packages/kit/src/core/config/options.js

@@ -1,4 +1,5 @@
 import process from 'node:process';
+import colors from 'kleur';
 
 /** @typedef {import('./types.js').Validator} Validator */
 
@@ -108,7 +109,11 @@ const options = object(
 			}),
 
 			csrf: object({
-				checkOrigin: boolean(true),
+				checkOrigin: deprecate(
+					boolean(true),
+					(keypath) =>
+						`\`${keypath}\` has been deprecated in favour of \`csrf.trustedOrigins\`. It will be removed in a future version`
+				),
 				trustedOrigins: string_array([])
 			}),
 
@@ -323,7 +328,7 @@ function deprecate(
 ) {
 	return (input, keypath) => {
 		if (input !== undefined) {
-			console.warn(get_message(keypath));
+			console.warn(colors.bold().yellow(get_message(keypath)));
 		}
 
 		return fn(input, keypath);

packages/kit/src/core/sync/write_server.js

@@ -37,7 +37,7 @@ import { set_private_env, set_public_env } from '${runtime_directory}/shared-ser
 export const options = {
 	app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
 	csp: ${s(config.kit.csp)},
-	csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
+	csrf_check_origin: ${s(config.kit.csrf.checkOrigin && !config.kit.csrf.trustedOrigins.includes('*'))},
 	csrf_trusted_origins: ${s(config.kit.csrf.trustedOrigins)},
 	embedded: ${config.kit.embedded},
 	env_public_prefix: '${config.kit.env.publicPrefix}',

packages/kit/src/exports/public.d.ts

@@ -426,14 +426,17 @@ export interface KitConfig {
 		 *
 		 * To allow people to make `POST`, `PUT`, `PATCH`, or `DELETE` requests with a `Content-Type` of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain` to your app from other origins, you will need to disable this option. Be careful!
 		 * @default true
+		 * @deprecated Use `trustedOrigins: ['*']` instead
 		 */
 		checkOrigin?: boolean;
 		/**
-		 * An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+		 * An array of origins that are allowed to make cross-origin form submissions to your app.
 		 *
 		 * Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`).
 		 * This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
 		 *
+		 * If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+		 *
 		 * **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.
 		 * @default []
 		 * @example ['https://checkout.stripe.com', 'https://accounts.google.com']

packages/kit/src/runtime/client/client.js

@@ -185,7 +185,10 @@ let target;
 export let app;
 
 /** @type {Record<string, any>} */
-export const remote_responses = __SVELTEKIT_PAYLOAD__.data ?? {};
+// we have to conditionally access the properties of `__SVELTEKIT_PAYLOAD__`
+// because it will be `undefined` when users import the exports from this module.
+// It's only defined when the server renders a page.
+export const remote_responses = __SVELTEKIT_PAYLOAD__?.data ?? {};
 
 /** @type {Array<((url: URL) => boolean)>} */
 const invalidated = [];

packages/kit/src/version.js

@@ -1,4 +1,4 @@
 // generated during release, do not modify
 
 /** @type {string} */
-export const VERSION = '2.36.0';
+export const VERSION = '2.36.1';

packages/kit/test/apps/basics/package.json

@@ -8,25 +8,28 @@
 		"preview": "vite preview",
 		"prepare": "svelte-kit sync",
 		"check": "svelte-kit sync && tsc && svelte-check",
-		"test": "node test/setup.js && pnpm test:dev && pnpm test:build",
+		"test": "node test/setup.js && pnpm test:unit && pnpm test:dev && pnpm test:build",
 		"test:dev": "rm -rf test/errors.json && DEV=true playwright test",
 		"test:build": "rm -rf test/errors.json && PUBLIC_PRERENDERING=false playwright test",
 		"test:cross-platform:dev": "node test/setup.js && rm -rf test/errors.json && DEV=true playwright test test/cross-platform/",
 		"test:cross-platform:build": "node test/setup.js && rm -rf test/errors.json && playwright test test/cross-platform/",
 		"test:server-side-route-resolution:dev": "node test/setup.js && rm -rf test/errors.json && DEV=true ROUTER_RESOLUTION=server playwright test",
-		"test:server-side-route-resolution:build": "node test/setup.js && rm -rf test/errors.json && PUBLIC_PRERENDERING=false ROUTER_RESOLUTION=server playwright test"
+		"test:server-side-route-resolution:build": "node test/setup.js && rm -rf test/errors.json && PUBLIC_PRERENDERING=false ROUTER_RESOLUTION=server playwright test",
+		"test:unit": "vitest run"
 	},
 	"devDependencies": {
 		"@opentelemetry/api": "^1.9.0",
 		"@opentelemetry/sdk-node": "^0.203.0",
 		"@opentelemetry/sdk-trace-node": "^2.0.1",
 		"@sveltejs/kit": "workspace:^",
 		"@sveltejs/vite-plugin-svelte": "catalog:",
+		"@vitest/browser": "^3.2.4",
 		"svelte": "^5.35.5",
 		"svelte-check": "^4.1.1",
 		"test-redirect-importer": "workspace:*",
 		"typescript": "^5.5.4",
-		"vite": "catalog:"
+		"vite": "catalog:",
+		"vitest": "catalog:"
 	},
 	"type": "module"
 }