Skip to content

feat: whitelist external remote functions #14156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: whitelist external remote functions #14156

wants to merge 3 commits into from
+92 −17

Conversation

ottomated
Copy link
Contributor

(retargeting #14028)

fixes #13979

Adds a new config option, remoteFunctions.allowedPaths, which allows remote functions to be loaded outside of $lib and routes.

I like this approach because:

  • It's pretty simple to implement
  • It follows the pattern of stuff like vite & pnpm, requiring explicit authorization
  • Because users whitelist whole folders at once, they can easily allow a whole npm package
  • It's way more performant than walking the entire node_modules directory recursively to detect remote functions there
  • The warning when a user attempts to import remote functions that aren't whitelisted is intuitive and easy to fix:
Remote function 'query' from src/external-remotes/not-allowed/not-allowed.remote.js is not accessible by default. To whitelist it, add 'src/external-remotes/not-allowed' to `kit.remoteFunctions.allowedPaths` in `svelte.config.js`.

Also, if there's a better way to give the vite plugin access to manifest_data at dev time, let me know.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 8, 2025

🦋 Changeset detected

Latest commit: 9ffc9cf

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@madeleineostoja
Copy link

I'm in favour of just fixing this weirdness no matter what, but I will say that I think this is a seperate issue to allowing remote functions outside of $lib and routes within your project source.

I feel like whitelisting "external" sources (eg: node_modules) and src should probably be handled differently

@benmccann benmccann changed the title feat(remote functions): whitelist external remote functions feat: whitelist external remote functions Aug 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remote Functions don't work in node_modules
2 participants
@ottomated @madeleineostoja