chore(deps): update dependency @sveltejs/kit to v2.4.3 [security] #1786
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.0.2
->2.4.3
GitHub Vulnerability Alerts
CVE-2024-23641
Summary
In SvelteKit 2 sending a GET request with a body eg
{}
to a SvelteKit app in preview or withadapter-node
throwsRequest with GET/HEAD method cannot have body.
and crashes the app.TRACE
requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.PoC
First do a fresh install of SvelteKit 2 with the example app. Typescript.
npm run build
npm run preview
Impact
Denial of Service for apps using
adapter-node
Release Notes
sveltejs/kit (@sveltejs/kit)
v2.4.3
Compare Source
Patch Changes
v2.4.2
Compare Source
Patch Changes
v2.4.1
Compare Source
Patch Changes
fix: use Vite's default value for
build.target
and respect override supplied by user (#11688)fix: properly decode base64 strings inside
read
(#11682)fix: default route config to
{}
for feature checking (#11685)fix: handle
onNavigate
callbacks correctly (#11678)v2.4.0
Compare Source
Minor Changes
$app/server
module withread
function for reading assets from filesystem (#11649)v2.3.5
Compare Source
Patch Changes
v2.3.4
Compare Source
Patch Changes
history
methods so other libs can monkeypatch it (#11657)v2.3.3
Compare Source
Patch Changes
__sveltekit/
module declarations from types (#11620)v2.3.2
Compare Source
Patch Changes
fix: return plaintext 404 for anything under appDir (#11597)
fix: populate dynamic public env without using top-level await, which fails in Safari (#11601)
v2.3.1
Compare Source
Patch Changes
fix: amend onNavigate type (#11599)
fix: better error message when peer dependency cannot be found (#11598)
v2.3.0
Compare Source
Minor Changes
reroute
hook (#11537)v2.2.2
Compare Source
Patch Changes
style-src
CSP directive whenunsafe-inline
is not present (#11575)v2.2.1
Compare Source
Patch Changes
feat: add CSP support for style-src-elem (#11562)
fix: address CSP conflicts with sha/nonce during dev (#11562)
v2.2.0
Compare Source
Minor Changes
$env/static/public
in service workers (#10994)Patch Changes
document.URL
contains credentials (#11179)v2.1.2
Compare Source
Patch Changes
v2.1.1
Compare Source
Patch Changes
fix: respect the trailing slash option when navigating from the basepath root page (#11388)
chore: shrink error messages shipped to client (#11551)
v2.1.0
Compare Source
Minor Changes
Patch Changes
v2.0.8
Compare Source
Patch Changes
fix: always scroll to top when clicking a # or #top link (
099608c428a49504785eab3afe3b2e76a9317bdf
)fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config (#11485)
fix: decode server data with
stream: true
during client-side navigation (#11409)fix: capture scroll position when using
pushState
(#11540)chore: use peer dependencies when linked (#11433)
v2.0.7
Compare Source
Patch Changes
v2.0.6
Compare Source
Patch Changes
v2.0.5
Compare Source
Patch Changes
fix: render SPA shell when SSR is turned off and there is no server data (#11405)
fix: upgrade
sirv
andmrmime
to modernize javascript mime type (#11419)v2.0.4
Compare Source
Patch Changes
chore: update primary branch from master to main (
47779436c5f6c4d50011d0ef8b2709a07c0fec5d
)fix: adjust missing inner content warning (#11394)
fix: prevent esbuild adding phantom exports to service worker (#11400)
fix: goto type include state (#11398)
fix: ensure assets are served gzip in preview (#11377)
v2.0.3
Compare Source
Patch Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.