aqmebrak / ArtsWarehouse

arts-warehouse.vercel.app

Update dependency @sveltejs/kit to v2.4.3 [SECURITY] #97

Open renovate[bot] opened 2 months ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| @sveltejs/kit (source) | 2.0.6 -> 2.4.3 |

GitHub Vulnerability Alerts

CVE-2024-23641

Summary

In SvelteKit 2, sending a GET request with a body (e.g. `{}`) to a SvelteKit app in preview or with adapter-node throws `Request with GET/HEAD method cannot have body.` and crashes the app.

```
node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0
```

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

First, do a fresh install of SvelteKit 2 with the example app (TypeScript).

  1. `npm run build`
  2. `npm run preview`
  3. Go to http://localhost:4173 (works)
  4. `curl -X GET -d "{}" http://localhost:4173/bye`
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node


Release Notes

sveltejs/kit (@sveltejs/kit)

### [`v2.4.3`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#243)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.4.2...@sveltejs/kit@2.4.3)

##### Patch Changes

- fix: only disallow body with GET/HEAD ([#11710](https://togithub.com/sveltejs/kit/pull/11710))

### [`v2.4.2`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#242)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.4.1...@sveltejs/kit@2.4.2)

##### Patch Changes

- fix: ignore bodies sent with non-PUT/PATCH/POST requests ([#11708](https://togithub.com/sveltejs/kit/pull/11708))

### [`v2.4.1`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#241)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.4.0...@sveltejs/kit@2.4.1)

##### Patch Changes

- fix: use Vite's default value for `build.target` and respect override supplied by user ([#11688](https://togithub.com/sveltejs/kit/pull/11688))
- fix: properly decode base64 strings inside `read` ([#11682](https://togithub.com/sveltejs/kit/pull/11682))
- fix: default route config to `{}` for feature checking ([#11685](https://togithub.com/sveltejs/kit/pull/11685))
- fix: handle `onNavigate` callbacks correctly ([#11678](https://togithub.com/sveltejs/kit/pull/11678))

### [`v2.4.0`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#240)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.5...@sveltejs/kit@2.4.0)

##### Minor Changes

- feat: add `$app/server` module with `read` function for reading assets from filesystem ([#11649](https://togithub.com/sveltejs/kit/pull/11649))

### [`v2.3.5`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#235)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.4...@sveltejs/kit@2.3.5)

##### Patch Changes

- fix: log a warning if fallback page overwrites prerendered page ([#11661](https://togithub.com/sveltejs/kit/pull/11661))

### [`v2.3.4`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#234)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.3...@sveltejs/kit@2.3.4)

##### Patch Changes

- fix: don't stash away original `history` methods so other libs can monkeypatch it ([#11657](https://togithub.com/sveltejs/kit/pull/11657))

### [`v2.3.3`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#233)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.2...@sveltejs/kit@2.3.3)

##### Patch Changes

- fix: remove internal `__sveltekit/` module declarations from types ([#11620](https://togithub.com/sveltejs/kit/pull/11620))

### [`v2.3.2`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#232)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.1...@sveltejs/kit@2.3.2)

##### Patch Changes

- fix: return plaintext 404 for anything under appDir ([#11597](https://togithub.com/sveltejs/kit/pull/11597))
- fix: populate dynamic public env without using top-level await, which fails in Safari ([#11601](https://togithub.com/sveltejs/kit/pull/11601))

### [`v2.3.1`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#231)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.3.0...@sveltejs/kit@2.3.1)

##### Patch Changes

- fix: amend onNavigate type ([#11599](https://togithub.com/sveltejs/kit/pull/11599))
- fix: better error message when peer dependency cannot be found ([#11598](https://togithub.com/sveltejs/kit/pull/11598))

### [`v2.3.0`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#230)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.2.2...@sveltejs/kit@2.3.0)

##### Minor Changes

- feat: add `reroute` hook ([#11537](https://togithub.com/sveltejs/kit/pull/11537))

### [`v2.2.2`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#222)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.2.1...@sveltejs/kit@2.2.2)

##### Patch Changes

- fix: only add nonce to `style-src` CSP directive when `unsafe-inline` is not present ([#11575](https://togithub.com/sveltejs/kit/pull/11575))

### [`v2.2.1`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#221)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.2.0...@sveltejs/kit@2.2.1)

##### Patch Changes

- feat: add CSP support for style-src-elem ([#11562](https://togithub.com/sveltejs/kit/pull/11562))
- fix: address CSP conflicts with sha/nonce during dev ([#11562](https://togithub.com/sveltejs/kit/pull/11562))

### [`v2.2.0`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#220)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.1.2...@sveltejs/kit@2.2.0)

##### Minor Changes

- feat: expose `$env/static/public` in service workers ([#10994](https://togithub.com/sveltejs/kit/pull/10994))

##### Patch Changes

- fix: reload page on startup if `document.URL` contains credentials ([#11179](https://togithub.com/sveltejs/kit/pull/11179))

### [`v2.1.2`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#212)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.1.1...@sveltejs/kit@2.1.2)

##### Patch Changes

- fix: restore invalid route error message during build process ([#11559](https://togithub.com/sveltejs/kit/pull/11559))

### [`v2.1.1`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#211)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.1.0...@sveltejs/kit@2.1.1)

##### Patch Changes

- fix: respect the trailing slash option when navigating from the basepath root page ([#11388](https://togithub.com/sveltejs/kit/pull/11388))
- chore: shrink error messages shipped to client ([#11551](https://togithub.com/sveltejs/kit/pull/11551))

### [`v2.1.0`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#210)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.0.8...@sveltejs/kit@2.1.0)

##### Minor Changes

- feat: make client router treeshakeable ([#11340](https://togithub.com/sveltejs/kit/pull/11340))

##### Patch Changes

- chore: reduce client bundle size ([#11547](https://togithub.com/sveltejs/kit/pull/11547))

### [`v2.0.8`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#208)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.0.7...@sveltejs/kit@2.0.8)

##### Patch Changes

- fix: always scroll to top when clicking a # or #top link ([`099608c428a49504785eab3afe3b2e76a9317bdf`](https://togithub.com/sveltejs/kit/commit/099608c428a49504785eab3afe3b2e76a9317bdf))
- fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config ([#11485](https://togithub.com/sveltejs/kit/pull/11485))
- fix: decode server data with `stream: true` during client-side navigation ([#11409](https://togithub.com/sveltejs/kit/pull/11409))
- fix: capture scroll position when using `pushState` ([#11540](https://togithub.com/sveltejs/kit/pull/11540))
- chore: use peer dependencies when linked ([#11433](https://togithub.com/sveltejs/kit/pull/11433))

### [`v2.0.7`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#207)

[Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.0.6...@sveltejs/kit@2.0.7)

##### Patch Changes

- chore: removed deprecated config.package type ([#11462](https://togithub.com/sveltejs/kit/pull/11462))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
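Added example (not SvelteKit's code and not part of this PR): a minimal model of the crash path behind CVE-2024-23641, built on Node's global `Request` (undici), with the vulnerable request-building shape beside a hardened one that follows the idea of the 2.4.x fixes. The sample requests, `SAMPLES`, and the builder names are constructed for the illustration.

```javascript
// Added illustration of CVE-2024-23641 (not SvelteKit's code). Node's global
// Request (undici) throws a TypeError for a GET/HEAD request with a body and for
// forbidden methods such as TRACE. An adapter that builds a Request straight from
// the bytes on the socket lets that TypeError escape and take the process down.

// Constructed sample requests, as a Node adapter would see them (not real traffic).
const SAMPLES = [
  { method: 'GET',   url: 'http://localhost:4173/bye', body: '{}' },
  { method: 'TRACE', url: 'http://localhost:4173/',    body: null },
  { method: 'POST',  url: 'http://localhost:4173/api', body: '{"ok":true}' },
];
const BODYLESS_METHODS  = new Set(['GET', 'HEAD']);
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']); // fetch spec "forbidden method"

// Vulnerable shape: forward method and body to new Request() unchecked.
function buildRequestUnsafe({ method, url, body }) {
  return { ok: true, request: new Request(url, { method, body }) };
}

// Hardened shape, in the spirit of the 2.4.x fixes: drop the body for GET/HEAD and
// answer 405 for methods the constructor would reject, so nothing throws mid-pipeline.
function buildRequestSafe({ method, url, body }) {
  const m = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(m)) return { ok: false, status: 405 };
  const init = { method: m };
  if (body != null && !BODYLESS_METHODS.has(m)) init.body = body;
  return { ok: true, request: new Request(url, init) };
}

// What happens to one request under a builder: 'handled' (reached the app),
// 'rejected <status>' (clean error response) or 'crashed' (uncaught TypeError: the DoS).
function outcome(builder, sample) {
  try {
    const r = builder(sample);
    return r.ok ? 'handled' : `rejected ${r.status}`;
  } catch (e) {
    return e instanceof TypeError ? 'crashed' : `error: ${e.message}`;
  }
}

function compare() {
  return SAMPLES.map((s) => ({
    method: s.method,
    unsafe: outcome(buildRequestUnsafe, s),
    safe: outcome(buildRequestSafe, s),
  }));
}

console.table(compare());
```

In a real adapter the `rejected` branch would be turned into an HTTP error response and the `crashed` branch never reached; the table makes visible which inputs a naive builder lets through to an uncaught exception.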

vercel[bot] commented 2 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| arts-warehouse | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Aug 6, 2024 9:54am |