SvelteKit 2.70.0
SvelteKit 2.70.0 Drops Today
July 17, 2026 — The SvelteKit team ships version 2.70.0 with one new feature and a critical security-oriented fix for production builds. Let's break it down.
Feature: defineEnvVars Moves to @sveltejs/kit/env
The defineEnvVars utility has been relocated to @sveltejs/kit/env (PR #16378). This re-export makes environment variable handling more discoverable and aligns with the kit's module organisation. Update your imports if you were using the internal path.
Fix: CSRF Protection for Non-Production NODE_ENV
CSRF (Cross-Site Request Forgery) protection was previously disabled in builds where NODE_ENV was set to anything other than "production". This meant staging, preview, and custom-environment builds could be vulnerable. The fix ensures CSRF protection is always active regardless of the environment variable value (PR #16313).
How to Upgrade
Run npx svelte-kit sync or update your @sveltejs/kit dependency in package.json. No breaking changes — this is a clean minor bump.