
chore: update dependency @sveltejs/kit to v2.4.3 [security]

Open renovate[bot] opened this issue 1 year ago • 0 comments

Mend Renovate

This PR contains the following updates:

Package: @sveltejs/kit (source)
Change: 2.0.6 -> 2.4.3

GitHub Vulnerability Alerts

CVE-2024-23641

Summary

In SvelteKit 2, sending a GET request with a body (e.g. {}) to a SvelteKit app running in preview or with adapter-node throws "Request with GET/HEAD method cannot have body." and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

Start from a fresh install of SvelteKit 2 with the example app (TypeScript).

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. The application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node
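As an added example (not SvelteKit's or Renovate's code), here is the request-wrapping step an adapter performs, in its pre-fix shape beside a shape that follows the v2.4.3 release note "only disallow body with GET/HEAD". The sample requests, the record shape and the wrapSafely boundary are constructed for this illustration; the Request global is assumed to be the undici implementation Node 18+ ships.

```javascript
// Added example (not SvelteKit's code): models how a Node adapter wraps an incoming
// HTTP request (method, url, collected body) in a fetch `Request`, using the `Request`
// global that Node 18+ supplies via undici. The record shape below is constructed for this demo.

// Constructed sample requests standing in for Node's IncomingMessage plus its collected body.
const SAMPLE_REQUESTS = [
  { method: 'GET',    url: 'http://localhost:4173/bye', body: '{}' }, // the PoC: curl -X GET -d "{}"
  { method: 'POST',   url: 'http://localhost:4173/bye', body: '{}' },
  { method: 'DELETE', url: 'http://localhost:4173/bye', body: '{}' }, // a body is legal here
  { method: 'GET',    url: 'http://localhost:4173/',    body: null },
  { method: 'TRACE',  url: 'http://localhost:4173/',    body: null }, // forbidden method per the fetch spec
];

// Pre-fix shape: forwards whatever body arrived. `new Request` throws a TypeError for
// GET/HEAD with a body (and for forbidden methods such as TRACE); if the server does
// not catch it, the exception takes the whole process down, which is the reported DoS.
function toRequestVulnerable(req) {
  return new Request(req.url, { method: req.method, body: req.body });
}

// Fixed shape, mirroring "only disallow body with GET/HEAD": the body is dropped for
// exactly those two methods and forwarded for everything else, so DELETE with a body,
// which the interim v2.4.2 "non-PUT/PATCH/POST" rule would have ignored, still works.
function toRequestFixed(req) {
  const body = req.method === 'GET' || req.method === 'HEAD' ? null : req.body;
  return new Request(req.url, { method: req.method, body });
}

// Defensive boundary at the adapter (constructed for this demo): a malformed request
// must never surface as an uncaught exception. Returns the built Request, or the error
// message that would otherwise have crashed the server, so the adapter can answer 400.
function wrapSafely(req, convert) {
  try {
    return { ok: true, request: convert(req) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, error: err.message };
    throw err; // anything else is a genuine server bug and should stay visible
  }
}

// Side-by-side summary of how each sample fares under both conversions.
function compareOutcomes() {
  return SAMPLE_REQUESTS.map((req) => ({
    method: req.method,
    hasBody: req.body !== null,
    vulnerable: wrapSafely(req, toRequestVulnerable).ok,
    fixed: wrapSafely(req, toRequestFixed).ok,
  }));
}
```

Note that TRACE still fails construction under the fixed shape; what saves the process there is the catch boundary, not the body rule.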


Release Notes

sveltejs/kit (@sveltejs/kit)

v2.4.3

Patch Changes
  • fix: only disallow body with GET/HEAD (#11710)

v2.4.2

Patch Changes
  • fix: ignore bodies sent with non-PUT/PATCH/POST requests (#11708)

v2.4.1

Patch Changes
  • fix: use Vite's default value for build.target and respect override supplied by user (#11688)
  • fix: properly decode base64 strings inside read (#11682)
  • fix: default route config to {} for feature checking (#11685)
  • fix: handle onNavigate callbacks correctly (#11678)

v2.4.0

Minor Changes
  • feat: add $app/server module with read function for reading assets from filesystem (#11649)

v2.3.5

Patch Changes
  • fix: log a warning if fallback page overwrites prerendered page (#11661)

v2.3.4

Patch Changes
  • fix: don't stash away original history methods so other libs can monkeypatch it (#11657)

v2.3.3

Patch Changes
  • fix: remove internal __sveltekit/ module declarations from types (#11620)

v2.3.2

Patch Changes
  • fix: return plaintext 404 for anything under appDir (#11597)
  • fix: populate dynamic public env without using top-level await, which fails in Safari (#11601)

v2.3.1

Patch Changes
  • fix: amend onNavigate type (#11599)
  • fix: better error message when peer dependency cannot be found (#11598)

v2.3.0

Minor Changes

v2.2.2

Patch Changes
  • fix: only add nonce to style-src CSP directive when unsafe-inline is not present (#11575)

v2.2.1

Patch Changes
  • feat: add CSP support for style-src-elem (#11562)
  • fix: address CSP conflicts with sha/nonce during dev (#11562)

v2.2.0

Minor Changes
  • feat: expose $env/static/public in service workers (#10994)

Patch Changes
  • fix: reload page on startup if document.URL contains credentials (#11179)

v2.1.2

Patch Changes
  • fix: restore invalid route error message during build process (#11559)

v2.1.1

Patch Changes
  • fix: respect the trailing slash option when navigating from the basepath root page (#11388)
  • chore: shrink error messages shipped to client (#11551)

v2.1.0

Minor Changes
  • feat: make client router treeshakeable (#11340)

Patch Changes
  • chore: reduce client bundle size (#11547)

v2.0.8

Patch Changes
  • fix: always scroll to top when clicking a # or #top link (099608c428a49504785eab3afe3b2e76a9317bdf)
  • fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config (#11485)
  • fix: decode server data with stream: true during client-side navigation (#11409)
  • fix: capture scroll position when using pushState (#11540)
  • chore: use peer dependencies when linked (#11433)

v2.0.7

Patch Changes
  • chore: removed deprecated config.package type (#11462)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.

renovate[bot] · Jan 24 '24 16:01