The 10 Svelte 5 & SvelteKit footguns your AI review bot waves through — and how to catch them in PR review

A $env/static/private import that leaks a secret to the browser. A $effect that should have been a $derived. Generic review bots approve all of it. Here are the 10 Svelte 5 footguns to never merge — with a free GitHub Action that catches them automatically.

martedì 2 giugno 2026 New tab

TL;DR — Svelte 5's runes are powerful and quiet about their failure modes. Generic AI review bots (CodeRabbit, Greptile, the default Copilot reviewer) don't model them, so they approve secret leaks, SSR crashes, and broken reactivity without a word. This post catalogues 10 Svelte 5 / SvelteKit footguns, with safe rewrites, and ships a free GitHub Action (Marketplace) that flags them in the PR.

One import that shipped an API secret to every browser

You needed a feature flag in a component, so you reached for the env:

import { STRIPE_SECRET_KEY } from '$env/static/private'; // ❌

The 10 Svelte 5 & SvelteKit footguns your AI review bot waves through — and how to catch them in PR review

The 10 Svelte 5 & SvelteKit footguns your AI review bot waves through — and how to catch them in PR review

Related reading

Audit AI-Generated PRs Before You Merge Them (Swarm Orchestrator 10.3.0)

I built a tool to catch AI coding agents misbehaving — and put zero AI in it

Fixed Before Anyone Notices, Stronger After Every Fix: Self-Healing +…

# I stopped trusting a single AI for code review — here's

AI Code Review Tool - Analyze PRs Before Shipping

A security checklist for AI-generated pull requests

Related reading

Audit AI-Generated PRs Before You Merge Them (Swarm Orchestrator 10.3.0)

I built a tool to catch AI coding agents misbehaving — and put zero AI in it

Fixed Before Anyone Notices, Stronger After Every Fix: Self-Healing +…

# I stopped trusting a single AI for code review — here's

AI Code Review Tool - Analyze PRs Before Shipping

A security checklist for AI-generated pull requests