Zach677 / TechTrek

My Simple Personal website (WIP)
https://im.ssstttar.com
MIT License

chore(deps): update dependency @sveltejs/adapter-node to v4.0.1 [security] - autoclosed #21

Closed renovate[bot] closed 8 months ago

renovate[bot] commented 8 months ago


This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| @sveltejs/adapter-node (source) | 4.0.0 -> 4.0.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-23641

Summary

In SvelteKit 2, sending a GET request with a body, e.g. `{}`, to a SvelteKit app in preview or with adapter-node throws `Request with GET/HEAD method cannot have body.` and crashes the app.

```
node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0
```

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

First do a fresh install of SvelteKit 2 with the example app. TypeScript.

  1. `npm run build`
  2. `npm run preview`
  3. Go to http://localhost:4173 (works)
  4. `curl -X GET -d "{}" http://localhost:4173/bye`
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node


Release Notes

sveltejs/kit (@sveltejs/adapter-node)

### [`v4.0.1`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/adapter-node/CHANGELOG.md#401)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/adapter-node@4.0.0...@sveltejs/adapter-node@4.0.1)

##### Patch Changes

- fix: return 400 response if request construction fails ([#11713](https://togithub.com/sveltejs/kit/pull/11713))
- Updated dependencies [[`f56781fa47a0f958b228e4a51bb3cbf173854f12`](https://togithub.com/sveltejs/kit/commit/f56781fa47a0f958b228e4a51bb3cbf173854f12)]:
  - [@sveltejs/kit](https://togithub.com/sveltejs/kit)@2.4.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
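The crash path from the advisory above, and the shape of the fix shipped in adapter-node 4.0.1 (turn a failed request construction into a 400 instead of letting the process die), as an added JavaScript illustration that is not SvelteKit's, Renovate's, or this repository's code. The handler functions, their names and their return shapes are assumptions made for the example; it relies only on the global `Request` that Node.js 18+ bundles from undici.

```javascript
// Added illustration of CVE-2024-23641's failure mode and its mitigation.
// Not SvelteKit code: handler names and return shapes are invented here.
// Requires Node.js 18+ (global Request is undici's implementation).

// Build a fetch-style Request from the pieces a Node server hands us.
// undici rejects any body on GET/HEAD with the TypeError seen in the trace.
function buildRequest(method, url, body) {
  const init = { method };
  if (body !== undefined) init.body = body;
  return new Request(url, init); // throws TypeError for GET/HEAD with a body
}

// Vulnerable shape (adapter-node 4.0.0 behaviour): the TypeError escapes the
// handler; in a server with no catch around it the whole process exits,
// which is the denial of service described in the advisory.
function handleUnsafe(method, url, body) {
  const req = buildRequest(method, url, body);
  return { status: 200, url: req.url };
}

// Hardened shape (what "return 400 response if request construction fails"
// means in practice): malformed framing is the client's problem, so answer
// 400 and keep serving everyone else. Log the detail, do not echo it.
function handleSafe(method, url, body) {
  let req;
  try {
    req = buildRequest(method, url, body);
  } catch (err) {
    console.error('rejected request:', err instanceof TypeError ? err.message : err);
    return { status: 400, body: 'Bad Request' };
  }
  return { status: 200, url: req.url };
}
```

A smoke check is `handleSafe('GET', 'http://localhost:4173/bye', '{}')`, which returns status 400 where `handleUnsafe` with the same arguments throws.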

vercel[bot] commented 8 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| tech-trek | ❌ Failed (Inspect) | | | Jan 28, 2024 8:54am |