feat: streaming support #537

harlan-zw · 2025-04-01T15:37:17Z

🔗 Linked issue

#396

❓ Type of change

📖 Documentation (updates to the documentation or readme)
🐞 Bug fix (a non-breaking change that fixes an issue)
👌 Enhancement (improving an existing functionality)
✨ New feature (a non-breaking change that adds functionality)
🧹 Chore (updates to the build process or auxiliary tools and libraries)
⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

WIP Support for streaming.

TypeScript - should just work
🔨 Vue - Development working fully, likely some edge cases and production issues to look at
🔨 React - App shell working, but don't know enough about <Suspense> to know how it's meant to work, seems okay in development
Solid.js
Svelte
Angular

How it works

We hijack framework stream response prepending and appending the head data in the HTML template.

Outside of the app shell (for suspense) we need to inject code to insert the head tags. When we hydrate our app it should swap out any of the tags without issue.

Both of these are handled by the function renderSSRStreamComponents(unhead, htmlPartial), which can augment Unhead tags into partial HTML.

A utility is provided streamAppWithUnhead which can take an app stream and augment it for Unhead, this is practical for Vue and TypeScript but likely not for frameworks with more fine-tuned streaming such as React and Solid.js

github-actions · 2025-04-01T15:37:54Z

Bundle Size Analysis

File	Size	Gzipped Size	Size Diff	Gzipped Size Diff
Client	10.7 kB (10996 B)	4.5 kB (4581 B)	0.00% (0 B)	0.00% ( 0 B)
Server	8 kB (8174 B)	3.4 kB (3467 B)	0.00% (0 B)	0.00% ( 0 B)

examples/vite-ssr-react-streaming-ts/server.js

+app.use('*all', async (req, res) => {
+  try {
+    const url = req.originalUrl.replace(base, '')
+
+    /** @type {string} */
+    let template
+    /** @type {import('./src/entry-server.ts').render} */
+    let render
+    if (!isProduction) {
+      // Always read fresh template in development
+      template = await fs.readFile('./index.html', 'utf-8')
+      template = await vite.transformIndexHtml(url, template)
+      render = (await vite.ssrLoadModule('/src/entry-server.tsx')).render
+    } else {
+      template = templateHtml
+      render = (await import('./dist/server/entry-server.js')).render
+    }
+
+    let didError = false
+
+    const { stream, head } = render(url, {
+      onShellError() {
+        res.status(500)
+        res.set({ 'Content-Type': 'text/html' })
+        res.send('<h1>Something went wrong</h1>')
+      },
+      async onShellReady() {
+        res.status(didError ? 500 : 200)
+        res.set({
+          'Content-Type': 'text/html',
+        })
+
+        const transformStream = new Transform({
+          async transform(chunk, encoding, callback) {
+            res.write(await renderSSRStreamComponents(head, new TextDecoder().decode(chunk)))
+            callback()
+          },
+        })
+
+        const [htmlStart, htmlEnd] = template.split(`<!--app-html-->`)
+        res.write(await renderSSRStreamComponents(head, htmlStart))
+
+        transformStream.on('finish', async () => {
+          res.end(await renderSSRStreamComponents(head, htmlEnd))
+        })
+
+        stream.pipe(transformStream)
+      },
+      onError(error) {
+        didError = true
+        console.error(error)
+      },
+    })
+
+    setTimeout(() => {
+      stream.abort()
+    }, ABORT_DELAY)
+  } catch (e) {
+    vite?.ssrFixStacktrace(e)
+    console.log(e.stack)
+    res.status(500).end(e.stack)
+  }
+})


To fix the problem, we need to introduce rate limiting to the Express application to prevent potential DoS attacks. We can use the express-rate-limit package to achieve this. The rate limiter will be applied to all incoming requests to ensure that the server is protected from excessive requests.

Install the express-rate-limit package.

Import the express-rate-limit package in the server file.

Configure the rate limiter with appropriate settings (e.g., maximum number of requests per time window).

Apply the rate limiter middleware to the Express application.

examples/vite-ssr-react-streaming-ts/server.js

+  } catch (e) {
+    vite?.ssrFixStacktrace(e)
+    console.log(e.stack)
+    res.status(500).end(e.stack)


To fix the problem, we need to ensure that the stack trace is not sent back to the user. Instead, we should log the stack trace on the server and send a generic error message to the user. This can be achieved by modifying the catch block to log the error and send a generic message.

Modify the catch block starting at line 96 to log the error stack trace and send a generic error message.

Ensure that the error stack trace is logged using console.error or a similar logging mechanism.

examples/vite-ssr-react-streaming-ts/server.js

+  } catch (e) {
+    vite?.ssrFixStacktrace(e)
+    console.log(e.stack)
+    res.status(500).end(e.stack)


To fix the problem, we need to ensure that any error messages sent in the HTTP response are properly sanitized or escaped to prevent XSS vulnerabilities. The best way to fix this issue is to use a library like he (HTML entities) to escape the error message before sending it in the response.

Install the he library to handle HTML escaping.

Import the he library in the file.

Use the he.escape function to escape the error message before sending it in the response.

harlan-zw · 2025-04-01T15:46:40Z

@birkskyum in the works fyi

birkskyum · 2025-04-11T13:10:48Z

@harlan-zw sounds good - looking forward to react and solid support for this, as streaming is a must-have for adoption.

harlan-zw · 2025-04-12T10:19:39Z

This is mostly working for react I just don't fully understand how the suspense boundaries are being resolved and can't hook in

MatthieuStadelmann · 2025-06-30T16:17:38Z

Hi @harlan-zw!
Any update on the status of this PR?

feat: streaming support

675bb06

github-advanced-security bot found potential problems Apr 1, 2025

View reviewed changes

harlan-zw mentioned this pull request Jul 6, 2025

feat: vue streaming support WIP #560

Open

6 tasks

@@ -4,2 +4,9 @@
             import { renderSSRStreamComponents } from 'unhead/server'
+            import rateLimit from 'express-rate-limit'
+            // Rate limiter configuration
+            const limiter = rateLimit({
+              windowMs: 15 * 60 * 1000, // 15 minutes
+              max: 100, // limit each IP to 100 requests per windowMs
+            })
@@ -19,2 +26,5 @@
+            // Apply rate limiter to all requests
+            app.use(limiter)
             // Add Vite or respective production middlewares

@@ -18,3 +18,4 @@
                 "react-dom": "^19.0.0",
-                "sirv": "^3.0.1"
+                "sirv": "^3.0.1",
+                "express-rate-limit": "^7.5.0"
               },

Package	Version	Security advisories
express-rate-limit (npm)	7.5.0	None

@@ -4,2 +4,3 @@
             import { renderSSRStreamComponents } from 'unhead/server'
+            import he from 'he'
@@ -98,3 +99,3 @@
                 console.log(e.stack)
-                res.status(500).end(e.stack)
+                res.status(500).end(he.escape(e.stack))
               }

@@ -18,3 +18,4 @@
                 "react-dom": "^19.0.0",
-                "sirv": "^3.0.1"
+                "sirv": "^3.0.1",
+                "he": "^1.2.0"
               },

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

feat: streaming support #537

feat: streaming support #537

Uh oh!

harlan-zw commented Apr 1, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Apr 1, 2025

Uh oh!

Check failure

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

harlan-zw commented Apr 1, 2025

Uh oh!

birkskyum commented Apr 11, 2025 •

edited

Loading

Uh oh!

harlan-zw commented Apr 12, 2025

Uh oh!

MatthieuStadelmann commented Jun 30, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

feat: streaming support #537

Are you sure you want to change the base?

feat: streaming support #537

Uh oh!

Conversation

harlan-zw commented Apr 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔗 Linked issue

❓ Type of change

📚 Description

Uh oh!

github-actions bot commented Apr 1, 2025

Bundle Size Analysis

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

harlan-zw commented Apr 1, 2025

Uh oh!

birkskyum commented Apr 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

harlan-zw commented Apr 12, 2025

Uh oh!

MatthieuStadelmann commented Jun 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

harlan-zw commented Apr 1, 2025 •

edited

Loading

birkskyum commented Apr 11, 2025 •

edited

Loading

MatthieuStadelmann commented Jun 30, 2025 •

edited

Loading