
chore(deps): update dependency @sveltejs/kit to v2.4.3 [security] #1786

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 25, 2024

Mend Renovate

This PR contains the following updates:

Package: @sveltejs/kit (source)
Change: 2.0.2 -> 2.4.3

GitHub Vulnerability Alerts

CVE-2024-23641

Summary

In SvelteKit 2, sending a GET request with a body (e.g. {}) to a SvelteKit app in preview or with adapter-node throws "Request with GET/HEAD method cannot have body." and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

First do a fresh install of SvelteKit 2 with the example app (TypeScript).

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node


Release Notes

sveltejs/kit (@sveltejs/kit)

v2.4.3

Compare Source

Patch Changes
  • fix: only disallow body with GET/HEAD (#11710)

v2.4.2

Compare Source

Patch Changes
  • fix: ignore bodies sent with non-PUT/PATCH/POST requests (#11708)

v2.4.1

Compare Source

Patch Changes
  • fix: use Vite's default value for build.target and respect override supplied by user (#11688)

  • fix: properly decode base64 strings inside read (#11682)

  • fix: default route config to {} for feature checking (#11685)

  • fix: handle onNavigate callbacks correctly (#11678)

v2.4.0

Compare Source

Minor Changes
  • feat: add $app/server module with read function for reading assets from filesystem (#11649)

v2.3.5

Compare Source

Patch Changes
  • fix: log a warning if fallback page overwrites prerendered page (#11661)

v2.3.4

Compare Source

Patch Changes
  • fix: don't stash away original history methods so other libs can monkeypatch it (#11657)

v2.3.3

Compare Source

Patch Changes
  • fix: remove internal __sveltekit/ module declarations from types (#11620)

v2.3.2

Compare Source

Patch Changes
  • fix: return plaintext 404 for anything under appDir (#11597)

  • fix: populate dynamic public env without using top-level await, which fails in Safari (#11601)

v2.3.1

Compare Source

Patch Changes
  • fix: amend onNavigate type (#11599)

  • fix: better error message when peer dependency cannot be found (#11598)

v2.3.0

Compare Source

Minor Changes

v2.2.2

Compare Source

Patch Changes
  • fix: only add nonce to style-src CSP directive when unsafe-inline is not present (#11575)

v2.2.1

Compare Source

Patch Changes
  • feat: add CSP support for style-src-elem (#11562)

  • fix: address CSP conflicts with sha/nonce during dev (#11562)

v2.2.0

Compare Source

Minor Changes
  • feat: expose $env/static/public in service workers (#10994)

Patch Changes
  • fix: reload page on startup if document.URL contains credentials (#11179)

v2.1.2

Compare Source

Patch Changes
  • fix: restore invalid route error message during build process (#11559)

v2.1.1

Compare Source

Patch Changes
  • fix: respect the trailing slash option when navigating from the basepath root page (#11388)

  • chore: shrink error messages shipped to client (#11551)

v2.1.0

Compare Source

Minor Changes
  • feat: make client router treeshakeable (#11340)

Patch Changes
  • chore: reduce client bundle size (#11547)

v2.0.8

Compare Source

Patch Changes
  • fix: always scroll to top when clicking a # or #top link (099608c428a49504785eab3afe3b2e76a9317bdf)

  • fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config (#11485)

  • fix: decode server data with stream: true during client-side navigation (#11409)

  • fix: capture scroll position when using pushState (#11540)

  • chore: use peer dependencies when linked (#11433)

v2.0.7

Compare Source

Patch Changes
  • chore: removed deprecated config.package type (#11462)

v2.0.6

Compare Source

Patch Changes
  • fix: allow dynamic env access when building but not prerendering (#11436)

v2.0.5

Compare Source

Patch Changes
  • fix: render SPA shell when SSR is turned off and there is no server data (#11405)

  • fix: upgrade sirv and mrmime to modernize javascript mime type (#11419)

v2.0.4

Compare Source

Patch Changes

v2.0.3

Compare Source

Patch Changes
  • fix: reinstantiate state parameter for goto (#11342)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
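The advisory above boils down to one failure mode: a Node server that converts an incoming HTTP request into a Fetch API `Request` forwards the body unconditionally, and the `Request` constructor refuses a body on GET/HEAD (and refuses TRACE outright) by throwing a TypeError, which nothing catches, so the whole process exits. The following is an added example, not code from SvelteKit, Renovate or this repository, showing the unguarded conversion beside a guarded one that mirrors the behaviour the v2.4.2/v2.4.3 fixes describe (ignore bodies on GET/HEAD) and a dispatch wrapper that turns a conversion failure into a 400 for that one client instead of an uncaught exception. It assumes Node.js 18 or newer, where the undici-backed `Request` class is a global; `toRequestNaive`, `toRequestSafe`, `handle` and the sample input are hypothetical names constructed for the example.

```javascript
// Added example, not SvelteKit's or Renovate's code. Assumes Node.js 18+ where
// the Fetch API `Request` (backed by undici) is a global. All names below are
// hypothetical and chosen for this illustration.

// Methods for which the Fetch spec forbids a request body; handing one to
// `new Request` throws the TypeError quoted in the advisory's stack trace.
const BODYLESS_METHODS = new Set(['GET', 'HEAD']);

// Unguarded conversion: whatever body the client sent is forwarded as-is.
// `new Request` throws for GET/HEAD with a body (and for forbidden methods
// such as TRACE); if nothing catches that, the server process goes down.
function toRequestNaive({ method, url, headers, body }) {
  return new Request(url, { method, headers, body });
}

// Guarded conversion, in the spirit of "ignore bodies sent with GET/HEAD":
// a body is only attached for methods that may carry one, so a stray body
// on a GET is dropped rather than passed to the constructor.
function toRequestSafe({ method, url, headers, body }) {
  const m = String(method).toUpperCase();
  const init = { method: m, headers };
  if (!BODYLESS_METHODS.has(m) && body !== undefined) {
    init.body = body;
  }
  return new Request(url, init);
}

// Dispatch wrapper: a TypeError from conversion (bad method, body where none
// is allowed) becomes a 400 response for that single request. Any other
// error is rethrown because it indicates a genuine bug, not bad input.
// Returns a plain summary object so the result can be inspected offline.
function handle(convert, incoming) {
  try {
    const req = convert(incoming);
    return { status: 200, method: req.method, hasBody: req.body !== null };
  } catch (err) {
    if (err instanceof TypeError) {
      return { status: 400, error: err.message };
    }
    throw err;
  }
}

// Constructed sample input shaped like the advisory's reproduction
// (a GET carrying the body "{}" to /bye on the preview server).
const GET_WITH_BODY = {
  method: 'GET',
  url: 'http://localhost:4173/bye',
  headers: { 'content-type': 'application/json' },
  body: '{}',
};

// Unguarded path: the TypeError is contained by handle(), so 400 instead of a crash.
console.log(handle(toRequestNaive, GET_WITH_BODY));
// Guarded path: the body is ignored and the request proceeds normally.
console.log(handle(toRequestSafe, GET_WITH_BODY));
// Guarded path with a method that may carry a body: the body is kept.
console.log(handle(toRequestSafe, { ...GET_WITH_BODY, method: 'POST' }));
```

The two layers are deliberately separate: `toRequestSafe` removes the input the constructor will reject, and `handle` ensures that anything the constructor still rejects (for example a TRACE request, which the advisory also names) fails only that request. Either layer alone would have prevented the process-wide denial of service; a server should have both, since the second is what keeps an unforeseen input from becoming a crash.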

@nichenqin nichenqin temporarily deployed to renovate/npm-@sveltejs/kit-vulnerability - undb PR #1786 February 25, 2024 10:06 — with Render Destroyed
@nichenqin nichenqin closed this Feb 26, 2024
Contributor Author

renovate bot commented Feb 26, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^2.0.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
