From db676efa5a609a83cf1730b6aca9a24d83f914be Mon Sep 17 00:00:00 2001
From: "S. Elliott Johnson" <sejohnson@torchcloudconsulting.com>
Date: Fri, 8 Dec 2023 12:05:45 -0700
Subject: [PATCH] breaking: Remove

---
 packages/kit/src/core/config/index.spec.js    |  4 +---
 packages/kit/src/core/config/options.js       |  5 +----
 packages/kit/src/core/sync/write_server.js    |  1 -
 packages/kit/src/exports/public.d.ts          |  8 +-------
 packages/kit/src/runtime/server/data/index.js |  3 +--
 packages/kit/src/runtime/server/page/index.js |  3 +--
 .../kit/src/runtime/server/page/load_data.js  | 15 +--------------
 .../runtime/server/page/respond_with_error.js |  3 +--
 packages/kit/src/types/internal.d.ts          |  1 -
 .../kit/test/apps/basics/test/client.test.js  |  3 ++-
 .../kit/test/apps/options/svelte.config.js    |  3 ---
 packages/kit/test/apps/options/test/test.js   | 19 -------------------
 12 files changed, 9 insertions(+), 59 deletions(-)

diff --git a/packages/kit/src/core/config/index.spec.js b/packages/kit/src/core/config/index.spec.js
index faaf138aebb3f..f414e08c1e077 100644
--- a/packages/kit/src/core/config/index.spec.js
+++ b/packages/kit/src/core/config/index.spec.js
@@ -69,9 +69,7 @@ const get_defaults = (prefix = '') => ({
 		csrf: {
 			checkOrigin: true
 		},
-		dangerZone: {
-			trackServerFetches: false
-		},
+		dangerZone: {},
 		embedded: false,
 		env: {
 			dir: process.cwd(),
diff --git a/packages/kit/src/core/config/options.js b/packages/kit/src/core/config/options.js
index 2d0c928d92901..b8e976addec9c 100644
--- a/packages/kit/src/core/config/options.js
+++ b/packages/kit/src/core/config/options.js
@@ -111,10 +111,7 @@ const options = object(
 				checkOrigin: boolean(true)
 			}),
 
-			dangerZone: object({
-				// TODO 2.0: Remove this
-				trackServerFetches: boolean(false)
-			}),
+			dangerZone: object({}),
 
 			embedded: boolean(false),
 
diff --git a/packages/kit/src/core/sync/write_server.js b/packages/kit/src/core/sync/write_server.js
index f3d29dfbb20ba..ae18efe2f4fe0 100644
--- a/packages/kit/src/core/sync/write_server.js
+++ b/packages/kit/src/core/sync/write_server.js
@@ -34,7 +34,6 @@ export const options = {
 	app_template_contains_nonce: ${template.includes('%sveltekit.nonce%')},
 	csp: ${s(config.kit.csp)},
 	csrf_check_origin: ${s(config.kit.csrf.checkOrigin)},
-	track_server_fetches: ${s(config.kit.dangerZone.trackServerFetches)},
 	embedded: ${config.kit.embedded},
 	env_public_prefix: '${config.kit.env.publicPrefix}',
 	env_private_prefix: '${config.kit.env.privatePrefix}',
diff --git a/packages/kit/src/exports/public.d.ts b/packages/kit/src/exports/public.d.ts
index 05fa8d832e2d7..0937be7024f8a 100644
--- a/packages/kit/src/exports/public.d.ts
+++ b/packages/kit/src/exports/public.d.ts
@@ -346,13 +346,7 @@ export interface KitConfig {
 	/**
 	 * Here be dragons. Enable at your peril.
 	 */
-	dangerZone?: {
-		/**
-		 * Automatically add server-side `fetch`ed URLs to the `dependencies` map of `load` functions. This will expose secrets
-		 * to the client if your URL contains them.
-		 */
-		trackServerFetches?: boolean;
-	};
+	dangerZone?: Record<string, never>;
 	/**
 	 * Whether or not the app is embedded inside a larger app. If `true`, SvelteKit will add its event listeners related to navigation etc on the parent of `%sveltekit.body%` instead of `window`, and will pass `params` from the server rather than inferring them from `location.pathname`.
 	 * @default false
diff --git a/packages/kit/src/runtime/server/data/index.js b/packages/kit/src/runtime/server/data/index.js
index 472c2c10c4792..d8f22e57c4047 100644
--- a/packages/kit/src/runtime/server/data/index.js
+++ b/packages/kit/src/runtime/server/data/index.js
@@ -76,8 +76,7 @@ export async function render_data(
 								}
 							}
 							return data;
-						},
-						track_server_fetches: options.track_server_fetches
+						}
 					});
 				} catch (e) {
 					aborted = true;
diff --git a/packages/kit/src/runtime/server/page/index.js b/packages/kit/src/runtime/server/page/index.js
index c1a01e4614d3c..4210ee83851bb 100644
--- a/packages/kit/src/runtime/server/page/index.js
+++ b/packages/kit/src/runtime/server/page/index.js
@@ -150,8 +150,7 @@ export async function render_page(event, page, options, manifest, state, resolve
 								if (parent) Object.assign(data, await parent.data);
 							}
 							return data;
-						},
-						track_server_fetches: options.track_server_fetches
+						}
 					});
 				} catch (e) {
 					load_error = /** @type {Error} */ (e);
diff --git a/packages/kit/src/runtime/server/page/load_data.js b/packages/kit/src/runtime/server/page/load_data.js
index e24dad5b3bedc..0fac12b1f5505 100644
--- a/packages/kit/src/runtime/server/page/load_data.js
+++ b/packages/kit/src/runtime/server/page/load_data.js
@@ -10,18 +10,10 @@ import { validate_depends } from '../../shared.js';
  *   state: import('types').SSRState;
  *   node: import('types').SSRNode | undefined;
  *   parent: () => Promise<Record<string, any>>;
- *   track_server_fetches: boolean;
  * }} opts
  * @returns {Promise<import('types').ServerDataNode | null>}
  */
-export async function load_server_data({
-	event,
-	state,
-	node,
-	parent,
-	// TODO 2.0: Remove this
-	track_server_fetches
-}) {
+export async function load_server_data({ event, state, node, parent }) {
 	if (!node?.server) return null;
 
 	let done = false;
@@ -59,11 +51,6 @@ export async function load_server_data({
 				);
 			}
 
-			// TODO 2.0: Remove this
-			if (track_server_fetches) {
-				uses.dependencies.add(url.href);
-			}
-
 			return event.fetch(info, init);
 		},
 		/** @param {string[]} deps */
diff --git a/packages/kit/src/runtime/server/page/respond_with_error.js b/packages/kit/src/runtime/server/page/respond_with_error.js
index 59e3697896e17..ef7925d60f22d 100644
--- a/packages/kit/src/runtime/server/page/respond_with_error.js
+++ b/packages/kit/src/runtime/server/page/respond_with_error.js
@@ -49,8 +49,7 @@ export async function respond_with_error({
 				event,
 				state,
 				node: default_layout,
-				parent: async () => ({}),
-				track_server_fetches: options.track_server_fetches
+				parent: async () => ({})
 			});
 
 			const server_data = await server_data_promise;
diff --git a/packages/kit/src/types/internal.d.ts b/packages/kit/src/types/internal.d.ts
index ea3023245503c..49a3e781dfcc3 100644
--- a/packages/kit/src/types/internal.d.ts
+++ b/packages/kit/src/types/internal.d.ts
@@ -333,7 +333,6 @@ export interface SSROptions {
 	app_template_contains_nonce: boolean;
 	csp: ValidatedConfig['kit']['csp'];
 	csrf_check_origin: boolean;
-	track_server_fetches: boolean;
 	embedded: boolean;
 	env_public_prefix: string;
 	env_private_prefix: string;
diff --git a/packages/kit/test/apps/basics/test/client.test.js b/packages/kit/test/apps/basics/test/client.test.js
index aac4812f51c18..265b8e772b251 100644
--- a/packages/kit/test/apps/basics/test/client.test.js
+++ b/packages/kit/test/apps/basics/test/client.test.js
@@ -483,7 +483,8 @@ test.describe('Invalidation', () => {
 	});
 
 	test('fetch in server load cannot be invalidated', async ({ page, app, request }) => {
-		// TODO 2.0: Can remove this test after `dangerZone.trackServerFetches` and associated code is removed
+		// legacy behavior was to track server dependencies -- this could leak secrets to the client (see github.com/sveltejs/kit/pull/9945)
+		// we keep this test just to make sure the behavior stays the same.
 		await request.get('/load/invalidation/server-fetch/count.json?reset');
 		await page.goto('/load/invalidation/server-fetch');
 		const selector = '[data-testid="count"]';
diff --git a/packages/kit/test/apps/options/svelte.config.js b/packages/kit/test/apps/options/svelte.config.js
index 465f142e0066f..e32d72250a910 100644
--- a/packages/kit/test/apps/options/svelte.config.js
+++ b/packages/kit/test/apps/options/svelte.config.js
@@ -9,9 +9,6 @@ const config = {
 				'require-trusted-types-for': ['script']
 			}
 		},
-		dangerZone: {
-			trackServerFetches: true
-		},
 		files: {
 			assets: 'public',
 			lib: 'source/components',
diff --git a/packages/kit/test/apps/options/test/test.js b/packages/kit/test/apps/options/test/test.js
index 577345850f71a..fa2caabb18fb5 100644
--- a/packages/kit/test/apps/options/test/test.js
+++ b/packages/kit/test/apps/options/test/test.js
@@ -302,22 +302,3 @@ test.describe('Routing', () => {
 		await expect(page.locator('h2')).toHaveText('target: 0');
 	});
 });
-
-test.describe('load', () => {
-	// TODO 2.0: Remove this test
-	test('fetch in server load can be invalidated when `dangerZone.trackServerFetches` is set', async ({
-		page,
-		app,
-		request,
-		javaScriptEnabled
-	}) => {
-		test.skip(!javaScriptEnabled, 'JavaScript is disabled');
-		await request.get('/path-base/server-fetch-invalidate/count.json?reset');
-		await page.goto('/path-base/server-fetch-invalidate');
-		const selector = '[data-testid="count"]';
-
-		expect(await page.textContent(selector)).toBe('1');
-		await app.invalidate('/path-base/server-fetch-invalidate/count.json');
-		expect(await page.textContent(selector)).toBe('2');
-	});
-});