@sveltejs/kit 1.0.0-next.346 → 1.0.0-next.347

package/dist/chunks/cert.js

@@ -4,9 +4,12 @@ import 'node:http';
 import 'node:https';
 import 'node:zlib';
 import 'node:stream';
+import 'node:buffer';
 import 'node:util';
 import 'node:url';
-import 'net';
+import 'node:net';
+import 'node:fs';
+import 'node:path';
 
 /**
  * Node.js module for Forge.
@@ -5240,6 +5243,10 @@ _IN('1.3.14.3.2.29', 'sha1WithRSASignature');
 _IN('2.16.840.1.101.3.4.2.1', 'sha256');
 _IN('2.16.840.1.101.3.4.2.2', 'sha384');
 _IN('2.16.840.1.101.3.4.2.3', 'sha512');
+_IN('2.16.840.1.101.3.4.2.4', 'sha224');
+_IN('2.16.840.1.101.3.4.2.5', 'sha512-224');
+_IN('2.16.840.1.101.3.4.2.6', 'sha512-256');
+_IN('1.2.840.113549.2.2', 'md2');
 _IN('1.2.840.113549.2.5', 'md5');
 
 // pkcs#7 content types
@@ -5781,6 +5788,8 @@ var _getValueLength = function(bytes, remaining) {
  * @param [options] object with options or boolean strict flag
  *          [strict] true to be strict when checking value lengths, false to
  *            allow truncated values (default: true).
+ *          [parseAllBytes] true to ensure all bytes are parsed
+ *            (default: true)
  *          [decodeBitStrings] true to attempt to decode the content of
  *            BIT STRINGs (not OCTET STRINGs) using strict mode. Note that
  *            without schema support to understand the data context this can
@@ -5788,24 +5797,31 @@ var _getValueLength = function(bytes, remaining) {
  *            flag will be deprecated or removed as soon as schema support is
  *            available. (default: true)
  *
+ * @throws Will throw an error for various malformed input conditions.
+ *
  * @return the parsed asn1 object.
  */
 asn1$8.fromDer = function(bytes, options) {
   if(options === undefined) {
     options = {
       strict: true,
+      parseAllBytes: true,
       decodeBitStrings: true
     };
   }
   if(typeof options === 'boolean') {
     options = {
       strict: options,
+      parseAllBytes: true,
       decodeBitStrings: true
     };
   }
   if(!('strict' in options)) {
     options.strict = true;
   }
+  if(!('parseAllBytes' in options)) {
+    options.parseAllBytes = true;
+  }
   if(!('decodeBitStrings' in options)) {
     options.decodeBitStrings = true;
   }
@@ -5815,7 +5831,15 @@ asn1$8.fromDer = function(bytes, options) {
     bytes = forge$x.util.createBuffer(bytes);
   }
 
-  return _fromDer(bytes, bytes.length(), 0, options);
+  var byteCount = bytes.length();
+  var value = _fromDer(bytes, bytes.length(), 0, options);
+  if(options.parseAllBytes && bytes.length() !== 0) {
+    var error = new Error('Unparsed DER bytes remain after ASN.1 parsing.');
+    error.byteCount = byteCount;
+    error.remaining = bytes.length();
+    throw error;
+  }
+  return value;
 };
 
 /**
@@ -5936,7 +5960,6 @@ function _fromDer(bytes, remaining, depth, options) {
         start = bytes.length();
         var subOptions = {
           // enforce strict mode to avoid parsing ASN.1 from plain data
-          verbose: options.verbose,
           strict: true,
           decodeBitStrings: true
         };
@@ -5985,6 +6008,7 @@ function _fromDer(bytes, remaining, depth, options) {
       }
     } else {
       value = bytes.getBytes(length);
+      remaining -= length;
     }
   }
 
@@ -6760,7 +6784,16 @@ asn1$8.prettyPrint = function(obj, level, indentation) {
       }
       rval += '0x' + forge$x.util.bytesToHex(obj.value);
     } else if(obj.type === asn1$8.Type.UTF8) {
-      rval += forge$x.util.decodeUtf8(obj.value);
+      try {
+        rval += forge$x.util.decodeUtf8(obj.value);
+      } catch(e) {
+        if(e.message === 'URI malformed') {
+          rval +=
+            '0x' + forge$x.util.bytesToHex(obj.value) + ' (malformed UTF8)';
+        } else {
+          throw e;
+        }
+      }
     } else if(obj.type === asn1$8.Type.PRINTABLESTRING ||
       obj.type === asn1$8.Type.IA5String) {
       rval += obj.value;
@@ -11937,6 +11970,43 @@ var publicKeyValidator$2 = forge$i.pki.rsa.publicKeyValidator = {
   }]
 };
 
+// validator for a DigestInfo structure
+var digestInfoValidator = {
+  name: 'DigestInfo',
+  tagClass: asn1$7.Class.UNIVERSAL,
+  type: asn1$7.Type.SEQUENCE,
+  constructed: true,
+  value: [{
+    name: 'DigestInfo.DigestAlgorithm',
+    tagClass: asn1$7.Class.UNIVERSAL,
+    type: asn1$7.Type.SEQUENCE,
+    constructed: true,
+    value: [{
+      name: 'DigestInfo.DigestAlgorithm.algorithmIdentifier',
+      tagClass: asn1$7.Class.UNIVERSAL,
+      type: asn1$7.Type.OID,
+      constructed: false,
+      capture: 'algorithmIdentifier'
+    }, {
+      // NULL paramters
+      name: 'DigestInfo.DigestAlgorithm.parameters',
+      tagClass: asn1$7.Class.UNIVERSAL,
+      type: asn1$7.Type.NULL,
+      // captured only to check existence for md2 and md5
+      capture: 'parameters',
+      optional: true,
+      constructed: false
+    }]
+  }, {
+    // digest
+    name: 'DigestInfo.digest',
+    tagClass: asn1$7.Class.UNIVERSAL,
+    type: asn1$7.Type.OCTETSTRING,
+    constructed: false,
+    capture: 'digest'
+  }]
+};
+
 /**
  * Wrap digest in DigestInfo object.
  *
@@ -12765,15 +12835,27 @@ pki$4.setRsaPublicKey = pki$4.rsa.setPublicKey = function(n, e) {
    *          a Forge PSS object for RSASSA-PSS,
    *          'NONE' or null for none, DigestInfo will not be expected, but
    *            PKCS#1 v1.5 padding will still be used.
+   * @param options optional verify options
+   *          _parseAllDigestBytes testing flag to control parsing of all
+   *            digest bytes. Unsupported and not for general usage.
+   *            (default: true)
    *
    * @return true if the signature was verified, false if not.
    */
-  key.verify = function(digest, signature, scheme) {
+  key.verify = function(digest, signature, scheme, options) {
     if(typeof scheme === 'string') {
       scheme = scheme.toUpperCase();
     } else if(scheme === undefined) {
       scheme = 'RSASSA-PKCS1-V1_5';
     }
+    if(options === undefined) {
+      options = {
+        _parseAllDigestBytes: true
+      };
+    }
+    if(!('_parseAllDigestBytes' in options)) {
+      options._parseAllDigestBytes = true;
+    }
 
     if(scheme === 'RSASSA-PKCS1-V1_5') {
       scheme = {
@@ -12781,9 +12863,51 @@ pki$4.setRsaPublicKey = pki$4.rsa.setPublicKey = function(n, e) {
           // remove padding
           d = _decodePkcs1_v1_5(d, key, true);
           // d is ASN.1 BER-encoded DigestInfo
-          var obj = asn1$7.fromDer(d);
+          var obj = asn1$7.fromDer(d, {
+            parseAllBytes: options._parseAllDigestBytes
+          });
+
+          // validate DigestInfo
+          var capture = {};
+          var errors = [];
+          if(!asn1$7.validate(obj, digestInfoValidator, capture, errors)) {
+            var error = new Error(
+              'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' +
+              'DigestInfo value.');
+            error.errors = errors;
+            throw error;
+          }
+          // check hash algorithm identifier
+          // see PKCS1-v1-5DigestAlgorithms in RFC 8017
+          // FIXME: add support to vaidator for strict value choices
+          var oid = asn1$7.derToOid(capture.algorithmIdentifier);
+          if(!(oid === forge$i.oids.md2 ||
+            oid === forge$i.oids.md5 ||
+            oid === forge$i.oids.sha1 ||
+            oid === forge$i.oids.sha224 ||
+            oid === forge$i.oids.sha256 ||
+            oid === forge$i.oids.sha384 ||
+            oid === forge$i.oids.sha512 ||
+            oid === forge$i.oids['sha512-224'] ||
+            oid === forge$i.oids['sha512-256'])) {
+            var error = new Error(
+              'Unknown RSASSA-PKCS1-v1_5 DigestAlgorithm identifier.');
+            error.oid = oid;
+            throw error;
+          }
+
+          // special check for md2 and md5 that NULL parameters exist
+          if(oid === forge$i.oids.md2 || oid === forge$i.oids.md5) {
+            if(!('parameters' in capture)) {
+              throw new Error(
+                'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' +
+                'DigestInfo value. ' +
+                'Missing algorithm identifer NULL parameters.');
+            }
+          }
+
           // compare the given digest to the decrypted one
-          return digest === obj.value[1].value;
+          return digest === capture.digest;
         }
       };
     } else if(scheme === 'NONE' || scheme === 'NULL' || scheme === null) {
@@ -26379,7 +26503,7 @@ if(typeof(console) !== 'undefined' && 'log' in console) {
 }
 
 /*
- * Check for logging control query vars.
+ * Check for logging control query vars in current URL.
  *
  * console.level=<level-name>
  * Set's the console log level by name.  Useful to override defaults and
@@ -26390,13 +26514,10 @@ if(typeof(console) !== 'undefined' && 'log' in console) {
  * after console.level is processed.  Useful to force a level of verbosity
  * that could otherwise be limited by a user config.
  */
-if(sConsoleLogger !== null) {
-  var query;
-  if(typeof window !== 'undefined' && window.location) {
-    query = new URL(window.location.href).searchParams;
-  } else {
-    query = new URLSearchParams();
-  }
+if(sConsoleLogger !== null &&
+  typeof window !== 'undefined' && window.location
+) {
+  var query = new URL(window.location.href).searchParams;
   if(query.has('console.level')) {
     // set with last value
     forge$3.log.setLevel(

package/dist/chunks/constants.js

@@ -577,7 +577,7 @@ function toHeaders(name, stats, isEtag) {
 	return headers;
 }
 
-function sirv (dir, opts={}) {
+function sirv (dir, opts) {
 	dir = resolve(dir || '.');
 
 	let isNotFound = opts.onNoMatch || is404;

package/dist/chunks/index.js

@@ -12,16 +12,20 @@ import { pathToFileURL, URL as URL$1 } from 'url';
 import { installPolyfills } from '../node/polyfills.js';
 import './write_tsconfig.js';
 import 'chokidar';
-import 'child_process';
 import 'net';
+import 'child_process';
 import 'sade';
 import 'os';
 import 'node:http';
 import 'node:https';
 import 'node:zlib';
 import 'node:stream';
+import 'node:buffer';
 import 'node:util';
 import 'node:url';
+import 'node:net';
+import 'node:fs';
+import 'node:path';
 import 'crypto';
 
 const absolute = /^([a-z]+:)?\/?\//;

package/dist/chunks/index3.js

@@ -4,8 +4,8 @@ import { g as generate_manifest } from './index2.js';
 import 'chokidar';
 import 'fs';
 import 'path';
-import 'child_process';
 import 'net';
+import 'child_process';
 import 'sade';
 import 'vite';
 import 'url';

package/dist/chunks/index4.js

@@ -13,11 +13,15 @@ import 'node:http';
 import 'node:https';
 import 'node:zlib';
 import 'node:stream';
+import 'node:buffer';
 import 'node:util';
 import 'node:url';
-import 'net';
+import 'node:net';
+import 'node:fs';
+import 'node:path';
 import 'crypto';
 import 'chokidar';
+import 'net';
 import 'child_process';
 import 'sade';
 import 'vite';

package/dist/chunks/index5.js

@@ -6,8 +6,8 @@ import chokidar from 'chokidar';
 import { w as walk$1, m as mkdirp, p as posixify, r as rimraf, c as copy } from './filesystem.js';
 import { createRequire } from 'module';
 import { b as write_tsconfig } from './write_tsconfig.js';
-import 'child_process';
 import 'net';
+import 'child_process';
 import 'sade';
 import 'vite';
 import 'url';

package/dist/chunks/multipart-parser.js

@@ -1,22 +1,16 @@
 import 'node:fs';
 import 'node:path';
-import { MessageChannel } from 'node:worker_threads';
 import { F as FormData, a as File } from '../node/polyfills.js';
 import 'node:http';
 import 'node:https';
 import 'node:zlib';
 import 'node:stream';
+import 'node:buffer';
 import 'node:util';
 import 'node:url';
-import 'net';
+import 'node:net';
 import 'crypto';
 
-globalThis.DOMException || (() => {
-  const port = new MessageChannel().port1;
-  const ab = new ArrayBuffer(0);
-  try { port.postMessage(ab, [ab, ab]); } catch (err) { return err.constructor }
-})();
-
 let s = 0;
 const S = {
 	START_BOUNDARY: s++,

package/dist/chunks/plugin.js

@@ -12,8 +12,8 @@ import { p as posixify } from './filesystem.js';
 import { p as parse_route_id } from './misc.js';
 import { d as deep_merge } from './object.js';
 import 'chokidar';
-import 'child_process';
 import 'net';
+import 'child_process';
 import 'sade';
 import 'os';
 import 'querystring';
@@ -21,8 +21,12 @@ import 'node:http';
 import 'node:https';
 import 'node:zlib';
 import 'node:stream';
+import 'node:buffer';
 import 'node:util';
 import 'node:url';
+import 'node:net';
+import 'node:fs';
+import 'node:path';
 import 'crypto';
 import './write_tsconfig.js';
 import 'stream';
@@ -270,9 +274,7 @@ const sveltekit = function (svelte_config) {
 							const file = svelte_config.kit.files.assets + pathname;
 
 							if (fs__default.existsSync(file) && !fs__default.statSync(file).isDirectory()) {
-								const has_correct_case = fs__default.realpathSync.native(file) === path__default.resolve(file);
-
-								if (has_correct_case) {
+								if (has_correct_case(file, svelte_config.kit.files.assets)) {
 									req.url = encodeURI(pathname); // don't need query/hash
 									asset_server(req, res);
 									return;
@@ -450,7 +452,7 @@ const sveltekit = function (svelte_config) {
 };
 
 /** @param {import('http').ServerResponse} res */
-function not_found(res, message = 'Not found') {
+function not_found(res, message) {
 	res.statusCode = 404;
 	res.end(message);
 }
@@ -512,6 +514,27 @@ async function find_deps(vite, node, deps) {
 	await Promise.all(branches);
 }
 
+/**
+ * Determine if a file is being requested with the correct case,
+ * to ensure consistent behaviour between dev and prod and across
+ * operating systems. Note that we can't use realpath here,
+ * because we don't want to follow symlinks
+ * @param {string} file
+ * @param {string} assets
+ * @returns {boolean}
+ */
+function has_correct_case(file, assets) {
+	if (file === assets) return true;
+
+	const parent = path__default.dirname(file);
+
+	if (fs__default.readdirSync(parent).includes(path__default.basename(file))) {
+		return has_correct_case(parent, assets);
+	}
+
+	return false;
+}
+
 /**
  * @param {import('types').ValidatedConfig} svelte_config
  * @return {import('vite').Plugin[]}

package/dist/chunks/sync.js

@@ -6,8 +6,8 @@ import { p as parse_route_id, s } from './misc.js';
 import { fileURLToPath } from 'url';
 import { w as write_if_changed, t as trim, a as write, b as write_tsconfig } from './write_tsconfig.js';
 import 'chokidar';
-import 'child_process';
 import 'net';
+import 'child_process';
 import 'sade';
 import 'vite';
 import 'os';

package/dist/cli.js

@@ -1,8 +1,8 @@
 import chokidar from 'chokidar';
 import fs__default from 'fs';
 import path__default, { join, relative } from 'path';
-import * as child_process from 'child_process';
-import * as net from 'net';
+import { createConnection, createServer } from 'net';
+import { exec as exec$1 } from 'child_process';
 import sade from 'sade';
 import * as vite from 'vite';
 import * as url from 'url';
@@ -115,39 +115,11 @@ function init(open, close) {
 	};
 }
 
-/** @param {string} cmd */
-function exec(cmd) {
-	return new Promise((fulfil, reject) => {
-		child_process.exec(cmd, (error, stdout, stderr) => {
-			if (error) return reject(error);
-			fulfil({ stdout, stderr });
-		});
-	});
-}
-
-/**
- * Find the PID of the process using `port`
- * @param {number} port
- */
-async function blame(port) {
-	try {
-		const { stdout } = await exec(`lsof -i :${port} -sTCP:LISTEN -Fp`);
-
-		if (!stdout) return null;
-		const pid = parseInt(stdout.slice(1), 10);
-		if (isNaN(pid)) throw new Error(`Invalid stdout ${stdout}`);
-
-		return pid;
-	} catch (error) {
-		return null;
-	}
-}
-
 const host = 'localhost';
 
-/** @type {Promise<any>} */
 let promise;
 
+
 function weird() {
 	if (!promise) {
 		promise = get_weird(9000);
@@ -155,10 +127,9 @@ function weird() {
 	return promise;
 }
 
-/** @param {number} port */
 function get_weird(port) {
-	return new Promise((fulfil) => {
-		const server = net.createServer();
+	return new Promise(fulfil => {
+		const server = createServer();
 
 		server.unref();
 
@@ -167,7 +138,7 @@ function get_weird(port) {
 		});
 
 		server.listen({ host, port }, () => {
-			const server2 = net.createServer();
+			const server2 = createServer();
 
 			server2.unref();
 
@@ -178,28 +149,24 @@ function get_weird(port) {
 			});
 
 			server2.listen({ host, port }, () => {
-				server2.close(() => {
-					server.close(() => {
-						fulfil(true);
-					});
-				});
-			});
+        server2.close(() => {
+          server.close(() => {
+            fulfil(true);
+          });
+        });
+      });
 		});
 	});
 }
 
-/**
- * Check if `port` is available
- * @param {number} port
- */
 function check(port) {
-	return weird().then((weird) => {
+	return weird().then(weird => {
 		if (weird) {
 			return check_weird(port);
 		}
 
-		return new Promise((fulfil) => {
-			const server = net.createServer();
+		return new Promise(fulfil => {
+			const server = createServer();
 
 			server.unref();
 
@@ -216,11 +183,9 @@ function check(port) {
 	});
 }
 
-/** @param {number} port */
 function check_weird(port) {
-	return new Promise((fulfil) => {
-		const client = net
-			.createConnection({ host, port }, () => {
+	return new Promise(fulfil => {
+		const client = createConnection({ host, port }, () => {
 				client.end();
 				fulfil(false);
 			})
@@ -230,6 +195,29 @@ function check_weird(port) {
 	});
 }
 
+function exec(cmd) {
+	return new Promise((fulfil, reject) => {
+		exec$1(cmd, (error, stdout, stderr) => {
+			if (error) return reject(error);
+			fulfil({ stdout, stderr });
+		});
+	});
+}
+
+async function blame(port) {
+	try {
+		const { stdout } = await exec(`lsof -i :${port} -sTCP:LISTEN -Fp`);
+
+		if (!stdout) return null;
+		const pid = parseInt(stdout.slice(1), 10);
+		if (isNaN(pid)) throw new Error(`Invalid stdout ${stdout}`);
+
+		return pid;
+	} catch (error) {
+		return null;
+	}
+}
+
 const get_runtime_path = /** @param {import('types').ValidatedConfig} config */ (config) =>
 			posixify_path(path__default.join(config.kit.outDir, 'runtime'))
 	;
@@ -554,7 +542,7 @@ const options = object(
 
 				// TODO: remove this for the 1.0 release
 				force: validate(undefined, (input, keypath) => {
-					if (typeof input !== undefined) {
+					if (typeof input !== 'undefined') {
 						const newSetting = input ? 'continue' : 'fail';
 						const needsSetting = newSetting === 'continue';
 						throw new Error(
@@ -636,7 +624,7 @@ const options = object(
  * @param {boolean} [allow_unknown]
  * @returns {Validator}
  */
-function object(children, allow_unknown = false) {
+function object(children, allow_unknown) {
 	return (input, keypath) => {
 		/** @type {Record<string, any>} */
 		const output = {};
@@ -865,7 +853,7 @@ function validate_config(config) {
  * @param {string=} pathPrefix - prepended in front of the path
  * @param {string=} scope - used to prefix the whole error message
  */
-function print_config_conflicts(conflicts, pathPrefix = '', scope) {
+function print_config_conflicts(conflicts, pathPrefix, scope) {
 	const prefix = scope ? scope + ': ' : '';
 	const log = logger({ verbose: false });
 	conflicts.forEach((conflict) => {
@@ -920,7 +908,7 @@ async function launch(port, https, base) {
 	exec(`${cmd} ${https ? 'https' : 'http'}://localhost:${port}${base}`);
 }
 
-const prog = sade('svelte-kit').version('1.0.0-next.346');
+const prog = sade('svelte-kit').version('1.0.0-next.347');
 
 prog
 	.command('dev')
@@ -1161,7 +1149,7 @@ async function check_port(port) {
 function welcome({ port, host, https, open, base, loose, allow, cwd }) {
 	if (open) launch(port, https, base);
 
-	console.log($.bold().cyan(`\n  SvelteKit v${'1.0.0-next.346'}\n`));
+	console.log($.bold().cyan(`\n  SvelteKit v${'1.0.0-next.347'}\n`));
 
 	const protocol = https ? 'https:' : 'http:';
 	const exposed = typeof host !== 'undefined' && host !== 'localhost' && host !== '127.0.0.1';

package/dist/node/polyfills.js

@@ -1,10 +1,13 @@
 import http from 'node:http';
 import https from 'node:https';
 import zlib from 'node:zlib';
-import Stream, { PassThrough, pipeline } from 'node:stream';
-import { types, deprecate } from 'node:util';
+import Stream, { PassThrough, pipeline as pipeline$1 } from 'node:stream';
+import { Buffer as Buffer$1 } from 'node:buffer';
+import { types, promisify, deprecate } from 'node:util';
 import { format } from 'node:url';
-import { isIP } from 'net';
+import { isIP } from 'node:net';
+import 'node:fs';
+import 'node:path';
 import { webcrypto } from 'crypto';
 
 var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
@@ -64,7 +67,7 @@ function dataUriToBuffer(uri) {
 var ponyfill_es2018 = {exports: {}};
 
 /**
- * web-streams-polyfill v3.2.0
+ * web-streams-polyfill v3.2.1
  */
 
 (function (module, exports) {
@@ -3766,10 +3769,16 @@ var ponyfill_es2018 = {exports: {}};
     const byteLengthSizeFunction = (chunk) => {
         return chunk.byteLength;
     };
-    Object.defineProperty(byteLengthSizeFunction, 'name', {
-        value: 'size',
-        configurable: true
-    });
+    try {
+        Object.defineProperty(byteLengthSizeFunction, 'name', {
+            value: 'size',
+            configurable: true
+        });
+    }
+    catch (_a) {
+        // This property is non-configurable in older browsers, so ignore if this throws.
+        // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/name#browser_compatibility
+    }
     /**
      * A queuing strategy that counts the number of bytes in each chunk.
      *
@@ -3828,10 +3837,16 @@ var ponyfill_es2018 = {exports: {}};
     const countSizeFunction = () => {
         return 1;
     };
-    Object.defineProperty(countSizeFunction, 'name', {
-        value: 'size',
-        configurable: true
-    });
+    try {
+        Object.defineProperty(countSizeFunction, 'name', {
+            value: 'size',
+            configurable: true
+        });
+    }
+    catch (_a) {
+        // This property is non-configurable in older browsers, so ignore if this throws.
+        // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/name#browser_compatibility
+    }
     /**
      * A queuing strategy that counts the number of chunks.
      *
@@ -4319,16 +4334,14 @@ try {
 
 /*! fetch-blob. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
 
-/** @typedef {import('buffer').Blob} NodeBlob} */
-
 // 64 KiB (same size chrome slice theirs blob into Uint8array's)
 const POOL_SIZE = 65536;
 
-/** @param {(Blob | NodeBlob | Uint8Array)[]} parts */
-async function * toIterator (parts, clone = true) {
+/** @param {(Blob | Uint8Array)[]} parts */
+async function * toIterator (parts, clone) {
   for (const part of parts) {
     if ('stream' in part) {
-      yield * part.stream();
+      yield * (/** @type {AsyncIterableIterator<Uint8Array>} */ (part.stream()));
     } else if (ArrayBuffer.isView(part)) {
       if (clone) {
         let position = part.byteOffset;
@@ -4342,17 +4355,16 @@ async function * toIterator (parts, clone = true) {
       } else {
         yield part;
       }
+    /* c8 ignore next 10 */
     } else {
-      /* c8 ignore start */
       // For blobs that have arrayBuffer but no stream method (nodes buffer.Blob)
-      let position = 0;
-      while (position !== part.size) {
-        const chunk = part.slice(position, Math.min(part.size, position + POOL_SIZE));
+      let position = 0, b = (/** @type {Blob} */ (part));
+      while (position !== b.size) {
+        const chunk = b.slice(position, Math.min(b.size, position + POOL_SIZE));
         const buffer = await chunk.arrayBuffer();
         position += buffer.byteLength;
         yield new Uint8Array(buffer);
       }
-      /* c8 ignore end */
     }
   }
 }
@@ -4362,6 +4374,7 @@ const _Blob = class Blob {
   #parts = []
   #type = ''
   #size = 0
+  #endings = 'transparent'
 
   /**
    * The Blob() constructor returns a new Blob object. The content
@@ -4369,7 +4382,7 @@ const _Blob = class Blob {
    * in the parameter array.
    *
    * @param {*} blobParts
-   * @param {{ type?: string }} [options]
+   * @param {{ type?: string, endings?: string }} [options]
    */
   constructor (blobParts = [], options = {}) {
     if (typeof blobParts !== 'object' || blobParts === null) {
@@ -4396,15 +4409,19 @@ const _Blob = class Blob {
       } else if (element instanceof Blob) {
         part = element;
       } else {
-        part = encoder.encode(element);
+        part = encoder.encode(`${element}`);
       }
 
-      this.#size += ArrayBuffer.isView(part) ? part.byteLength : part.size;
-      this.#parts.push(part);
+      const size = ArrayBuffer.isView(part) ? part.byteLength : part.size;
+      // Avoid pushing empty parts into the array to better GC them
+      if (size) {
+        this.#size += size;
+        this.#parts.push(part);
+      }
     }
 
+    this.#endings = `${options.endings === undefined ? 'transparent' : options.endings}`;
     const type = options.type === undefined ? '' : String(options.type);
-
     this.#type = /^[\x20-\x7E]*$/.test(type) ? type : '';
   }
 
@@ -4470,6 +4487,7 @@ const _Blob = class Blob {
     const it = toIterator(this.#parts, true);
 
     return new globalThis.ReadableStream({
+      // @ts-ignore
       type: 'bytes',
       async pull (ctrl) {
         const chunk = await it.next();
@@ -4601,6 +4619,11 @@ const _File = class File extends Blob$1 {
   get [Symbol.toStringTag] () {
     return 'File'
   }
+
+  static [Symbol.hasInstance] (object) {
+    return !!object && object instanceof Blob$1 &&
+      /^(File)$/.test(object[Symbol.toStringTag])
+  }
 };
 
 /** @type {typeof globalThis.File} */// @ts-ignore
@@ -4743,6 +4766,22 @@ const isAbortSignal = object => {
 	);
 };
 
+/**
+ * isDomainOrSubdomain reports whether sub is a subdomain (or exact match) of
+ * the parent domain.
+ *
+ * Both domains must already be in canonical form.
+ * @param {string|URL} original
+ * @param {string|URL} destination
+ */
+const isDomainOrSubdomain = (destination, original) => {
+	const orig = new URL(original).hostname;
+	const dest = new URL(destination).hostname;
+
+	return orig === dest || orig.endsWith(`.${dest}`);
+};
+
+const pipeline = promisify(Stream.pipeline);
 const INTERNALS$2 = Symbol('Body internals');
 
 /**
@@ -4765,13 +4804,13 @@ class Body {
 			body = null;
 		} else if (isURLSearchParameters(body)) {
 			// Body is a URLSearchParams
-			body = Buffer.from(body.toString());
-		} else if (isBlob(body)) ; else if (Buffer.isBuffer(body)) ; else if (types.isAnyArrayBuffer(body)) {
+			body = Buffer$1.from(body.toString());
+		} else if (isBlob(body)) ; else if (Buffer$1.isBuffer(body)) ; else if (types.isAnyArrayBuffer(body)) {
 			// Body is ArrayBuffer
-			body = Buffer.from(body);
+			body = Buffer$1.from(body);
 		} else if (ArrayBuffer.isView(body)) {
 			// Body is ArrayBufferView
-			body = Buffer.from(body.buffer, body.byteOffset, body.byteLength);
+			body = Buffer$1.from(body.buffer, body.byteOffset, body.byteLength);
 		} else if (body instanceof Stream) ; else if (body instanceof FormData) {
 			// Body is FormData
 			body = formDataToBlob(body);
@@ -4779,12 +4818,12 @@ class Body {
 		} else {
 			// None of the above
 			// coerce to string then buffer
-			body = Buffer.from(String(body));
+			body = Buffer$1.from(String(body));
 		}
 
 		let stream = body;
 
-		if (Buffer.isBuffer(body)) {
+		if (Buffer$1.isBuffer(body)) {
 			stream = Stream.Readable.from(body);
 		} else if (isBlob(body)) {
 			stream = Stream.Readable.from(body.stream());
@@ -4852,7 +4891,7 @@ class Body {
 	 */
 	async blob() {
 		const ct = (this.headers && this.headers.get('content-type')) || (this[INTERNALS$2].body && this[INTERNALS$2].body.type) || '';
-		const buf = await this.buffer();
+		const buf = await this.arrayBuffer();
 
 		return new Blob$1([buf], {
 			type: ct
@@ -4865,8 +4904,8 @@ class Body {
 	 * @return  Promise
 	 */
 	async json() {
-		const buffer = await consumeBody(this);
-		return JSON.parse(buffer.toString());
+		const text = await this.text();
+		return JSON.parse(text);
 	}
 
 	/**
@@ -4876,7 +4915,7 @@ class Body {
 	 */
 	async text() {
 		const buffer = await consumeBody(this);
-		return buffer.toString();
+		return new TextDecoder().decode(buffer);
 	}
 
 	/**
@@ -4898,7 +4937,10 @@ Object.defineProperties(Body.prototype, {
 	arrayBuffer: {enumerable: true},
 	blob: {enumerable: true},
 	json: {enumerable: true},
-	text: {enumerable: true}
+	text: {enumerable: true},
+	data: {get: deprecate(() => {},
+		'data doesn\'t exist, use json(), text(), arrayBuffer(), or body instead',
+		'https://github.com/node-fetch/node-fetch/issues/1000 (response)')}
 });
 
 /**
@@ -4923,12 +4965,12 @@ async function consumeBody(data) {
 
 	// Body is null
 	if (body === null) {
-		return Buffer.alloc(0);
+		return Buffer$1.alloc(0);
 	}
 
 	/* c8 ignore next 3 */
 	if (!(body instanceof Stream)) {
-		return Buffer.alloc(0);
+		return Buffer$1.alloc(0);
 	}
 
 	// Body is stream
@@ -4955,10 +4997,10 @@ async function consumeBody(data) {
 	if (body.readableEnded === true || body._readableState.ended === true) {
 		try {
 			if (accum.every(c => typeof c === 'string')) {
-				return Buffer.from(accum.join(''));
+				return Buffer$1.from(accum.join(''));
 			}
 
-			return Buffer.concat(accum, accumBytes);
+			return Buffer$1.concat(accum, accumBytes);
 		} catch (error) {
 			throw new FetchError(`Could not create Buffer from response body for ${data.url}: ${error.message}`, 'system', error);
 		}
@@ -5038,7 +5080,7 @@ const extractContentType = (body, request) => {
 	}
 
 	// Body is a Buffer (Buffer, ArrayBuffer or ArrayBufferView)
-	if (Buffer.isBuffer(body) || types.isAnyArrayBuffer(body) || ArrayBuffer.isView(body)) {
+	if (Buffer$1.isBuffer(body) || types.isAnyArrayBuffer(body) || ArrayBuffer.isView(body)) {
 		return null;
 	}
 
@@ -5083,7 +5125,7 @@ const getTotalBytes = request => {
 	}
 
 	// Body is Buffer
-	if (Buffer.isBuffer(body)) {
+	if (Buffer$1.isBuffer(body)) {
 		return body.length;
 	}
 
@@ -5101,15 +5143,15 @@ const getTotalBytes = request => {
  *
  * @param {Stream.Writable} dest The stream to write to.
  * @param obj.body Body object from the Body instance.
- * @returns {void}
+ * @returns {Promise<void>}
  */
-const writeToStream = (dest, {body}) => {
+const writeToStream = async (dest, {body}) => {
 	if (body === null) {
 		// Body is null
 		dest.end();
 	} else {
 		// Body is stream
-		body.pipe(dest);
+		await pipeline(body, dest);
 	}
 };
 
@@ -5119,6 +5161,7 @@ const writeToStream = (dest, {body}) => {
  * Headers class offers convenient helpers
  */
 
+/* c8 ignore next 9 */
 const validateHeaderName = typeof http.validateHeaderName === 'function' ?
 	http.validateHeaderName :
 	name => {
@@ -5129,6 +5172,7 @@ const validateHeaderName = typeof http.validateHeaderName === 'function' ?
 		}
 	};
 
+/* c8 ignore next 9 */
 const validateHeaderValue = typeof http.validateHeaderValue === 'function' ?
 	http.validateHeaderValue :
 	(name, value) => {
@@ -5251,8 +5295,8 @@ class Headers extends URLSearchParams {
 						return Reflect.get(target, p, receiver);
 				}
 			}
-			/* c8 ignore next */
 		});
+		/* c8 ignore next */
 	}
 
 	get [Symbol.toStringTag]() {
@@ -5873,12 +5917,20 @@ function parseReferrerPolicyFromHeader(headers) {
 	return policy;
 }
 
+/**
+ * Request.js
+ *
+ * Request class contains server only options
+ *
+ * All spec algorithm step numbers are based on https://fetch.spec.whatwg.org/commit-snapshots/ae716822cb3a61843226cd090eefc6589446c1d2/.
+ */
+
 const INTERNALS = Symbol('Request internals');
 
 /**
  * Check if `obj` is an instance of Request.
  *
- * @param  {*} obj
+ * @param  {*} object
  * @return {boolean}
  */
 const isRequest = object => {
@@ -5888,6 +5940,10 @@ const isRequest = object => {
 	);
 };
 
+const doBadDataWarn = deprecate(() => {},
+	'.data is not a valid RequestInit property, use .body instead',
+	'https://github.com/node-fetch/node-fetch/issues/1000 (request)');
+
 /**
  * Request class
  *
@@ -5910,14 +5966,20 @@ class Request extends Body {
 		}
 
 		if (parsedURL.username !== '' || parsedURL.password !== '') {
-			throw new TypeError(`${parsedURL} is an url with embedded credentails.`);
+			throw new TypeError(`${parsedURL} is an url with embedded credentials.`);
 		}
 
 		let method = init.method || input.method || 'GET';
-		method = method.toUpperCase();
+		if (/^(delete|get|head|options|post|put)$/i.test(method)) {
+			method = method.toUpperCase();
+		}
+
+		if ('data' in init) {
+			doBadDataWarn();
+		}
 
 		// eslint-disable-next-line no-eq-null, eqeqeq
-		if (((init.body != null || isRequest(input)) && input.body !== null) &&
+		if ((init.body != null || (isRequest(input) && input.body !== null)) &&
 			(method === 'GET' || method === 'HEAD')) {
 			throw new TypeError('Request with GET/HEAD method cannot have body');
 		}
@@ -5990,14 +6052,17 @@ class Request extends Body {
 		this.referrerPolicy = init.referrerPolicy || input.referrerPolicy || '';
 	}
 
+	/** @returns {string} */
 	get method() {
 		return this[INTERNALS].method;
 	}
 
+	/** @returns {string} */
 	get url() {
 		return format(this[INTERNALS].parsedURL);
 	}
 
+	/** @returns {Headers} */
 	get headers() {
 		return this[INTERNALS].headers;
 	}
@@ -6006,6 +6071,7 @@ class Request extends Body {
 		return this[INTERNALS].redirect;
 	}
 
+	/** @returns {AbortSignal} */
 	get signal() {
 		return this[INTERNALS].signal;
 	}
@@ -6063,8 +6129,8 @@ Object.defineProperties(Request.prototype, {
 /**
  * Convert a Request to Node.js http request options.
  *
- * @param   Request  A Request instance
- * @return  Object   The options object to be passed to http.request
+ * @param {Request} request - A Request instance
+ * @return The options object to be passed to http.request
  */
 const getNodeRequestOptions = request => {
 	const {parsedURL} = request[INTERNALS];
@@ -6153,6 +6219,7 @@ const getNodeRequestOptions = request => {
 	};
 
 	return {
+		/** @type {URL} */
 		parsedURL,
 		options
 	};
@@ -6167,6 +6234,21 @@ class AbortError extends FetchBaseError {
 	}
 }
 
+/*! node-domexception. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
+
+if (!globalThis.DOMException) {
+  try {
+    const { MessageChannel } = require('worker_threads'),
+    port = new MessageChannel().port1,
+    ab = new ArrayBuffer();
+    port.postMessage(ab, [ab, ab]);
+  } catch (err) {
+    err.constructor.name === 'DOMException' && (
+      globalThis.DOMException = err.constructor
+    );
+  }
+}
+
 /**
  * Index.js
  *
@@ -6230,7 +6312,7 @@ async function fetch(url, options_) {
 		};
 
 		// Send request
-		const request_ = send(parsedURL, options);
+		const request_ = send(parsedURL.toString(), options);
 
 		if (signal) {
 			signal.addEventListener('abort', abortAndFinalize);
@@ -6282,7 +6364,19 @@ async function fetch(url, options_) {
 				const location = headers.get('Location');
 
 				// HTTP fetch step 5.3
-				const locationURL = location === null ? null : new URL(location, request.url);
+				let locationURL = null;
+				try {
+					locationURL = location === null ? null : new URL(location, request.url);
+				} catch {
+					// error here can only be invalid URL in Location: header
+					// do not throw when options.redirect == manual
+					// let the user extract the errorneous redirect URL
+					if (request.redirect !== 'manual') {
+						reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect'));
+						finalize();
+						return;
+					}
+				}
 
 				// HTTP fetch step 5.5
 				switch (request.redirect) {
@@ -6291,11 +6385,7 @@ async function fetch(url, options_) {
 						finalize();
 						return;
 					case 'manual':
-						// Node-fetch-specific step: make manual redirect a bit easier to use by setting the Location header value to the resolved URL.
-						if (locationURL !== null) {
-							headers.set('Location', locationURL);
-						}
-
+						// Nothing to do
 						break;
 					case 'follow': {
 						// HTTP-redirect fetch step 2
@@ -6326,6 +6416,18 @@ async function fetch(url, options_) {
 							referrerPolicy: request.referrerPolicy
 						};
 
+						// when forwarding sensitive headers like "Authorization",
+						// "WWW-Authenticate", and "Cookie" to untrusted targets,
+						// headers will be ignored when following a redirect to a domain
+						// that is not a subdomain match or exact match of the initial domain.
+						// For example, a redirect from "foo.com" to either "foo.com" or "sub.foo.com"
+						// will forward the sensitive headers, but a redirect to "bar.com" will not.
+						if (!isDomainOrSubdomain(request.url, locationURL)) {
+							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
+								requestOptions.headers.delete(name);
+							}
+						}
+
 						// HTTP-redirect fetch step 9
 						if (response_.statusCode !== 303 && request.body && options_.body instanceof Stream.Readable) {
 							reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect'));
@@ -6364,8 +6466,13 @@ async function fetch(url, options_) {
 				});
 			}
 
-			let body = pipeline(response_, new PassThrough(), reject);
+			let body = pipeline$1(response_, new PassThrough(), error => {
+				if (error) {
+					reject(error);
+				}
+			});
 			// see https://github.com/nodejs/node/pull/29376
+			/* c8 ignore next 3 */
 			if (process.version < 'v12.10') {
 				response_.on('aborted', abortAndFinalize);
 			}
@@ -6409,7 +6516,11 @@ async function fetch(url, options_) {
 
 			// For gzip
 			if (codings === 'gzip' || codings === 'x-gzip') {
-				body = pipeline(body, zlib.createGunzip(zlibOptions), reject);
+				body = pipeline$1(body, zlib.createGunzip(zlibOptions), error => {
+					if (error) {
+						reject(error);
+					}
+				});
 				response = new Response(body, responseOptions);
 				resolve(response);
 				return;
@@ -6419,20 +6530,48 @@ async function fetch(url, options_) {
 			if (codings === 'deflate' || codings === 'x-deflate') {
 				// Handle the infamous raw deflate response from old servers
 				// a hack for old IIS and Apache servers
-				const raw = pipeline(response_, new PassThrough(), reject);
+				const raw = pipeline$1(response_, new PassThrough(), error => {
+					if (error) {
+						reject(error);
+					}
+				});
 				raw.once('data', chunk => {
 					// See http://stackoverflow.com/questions/37519828
-					body = (chunk[0] & 0x0F) === 0x08 ? pipeline(body, zlib.createInflate(), reject) : pipeline(body, zlib.createInflateRaw(), reject);
+					if ((chunk[0] & 0x0F) === 0x08) {
+						body = pipeline$1(body, zlib.createInflate(), error => {
+							if (error) {
+								reject(error);
+							}
+						});
+					} else {
+						body = pipeline$1(body, zlib.createInflateRaw(), error => {
+							if (error) {
+								reject(error);
+							}
+						});
+					}
 
 					response = new Response(body, responseOptions);
 					resolve(response);
 				});
+				raw.once('end', () => {
+					// Some old IIS servers return zero-length OK deflate responses, so
+					// 'data' is never emitted. See https://github.com/node-fetch/node-fetch/pull/903
+					if (!response) {
+						response = new Response(body, responseOptions);
+						resolve(response);
+					}
+				});
 				return;
 			}
 
 			// For br
 			if (codings === 'br') {
-				body = pipeline(body, zlib.createBrotliDecompress(), reject);
+				body = pipeline$1(body, zlib.createBrotliDecompress(), error => {
+					if (error) {
+						reject(error);
+					}
+				});
 				response = new Response(body, responseOptions);
 				resolve(response);
 				return;
@@ -6443,12 +6582,13 @@ async function fetch(url, options_) {
 			resolve(response);
 		});
 
-		writeToStream(request_, request);
+		// eslint-disable-next-line promise/prefer-await-to-then
+		writeToStream(request_, request).catch(reject);
 	});
 }
 
 function fixResponseChunkedTransferBadEnding(request, errorCallback) {
-	const LAST_CHUNK = Buffer.from('0\r\n\r\n');
+	const LAST_CHUNK = Buffer$1.from('0\r\n\r\n');
 
 	let isChunkedTransfer = false;
 	let properLastChunkReceived = false;
@@ -6475,13 +6615,13 @@ function fixResponseChunkedTransferBadEnding(request, errorCallback) {
 		});
 
 		socket.on('data', buf => {
-			properLastChunkReceived = Buffer.compare(buf.slice(-5), LAST_CHUNK) === 0;
+			properLastChunkReceived = Buffer$1.compare(buf.slice(-5), LAST_CHUNK) === 0;
 
 			// Sometimes final 0-length chunk and end of message code are in separate packets
 			if (!properLastChunkReceived && previousChunk) {
 				properLastChunkReceived = (
-					Buffer.compare(previousChunk.slice(-3), LAST_CHUNK.slice(0, 3)) === 0 &&
-					Buffer.compare(buf.slice(-2), LAST_CHUNK.slice(3)) === 0
+					Buffer$1.compare(previousChunk.slice(-3), LAST_CHUNK.slice(0, 3)) === 0 &&
+					Buffer$1.compare(buf.slice(-2), LAST_CHUNK.slice(3)) === 0
 				);
 			}
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.346",
+  "version": "1.0.0-next.347",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -12,25 +12,40 @@
   "dependencies": {
     "@sveltejs/vite-plugin-svelte": "^1.0.0-next.46",
     "chokidar": "^3.5.3",
-    "sade": "^1.7.4",
+    "sade": "^1.8.1",
     "vite": "^2.9.9"
   },
   "devDependencies": {
+    "@playwright/test": "^1.22.2",
+    "@rollup/plugin-replace": "^4.0.0",
     "@types/connect": "^3.4.35",
-    "@types/cookie": "^0.5.0",
-    "@types/marked": "^4.0.1",
+    "@types/cookie": "^0.5.1",
+    "@types/marked": "^4.0.3",
     "@types/mime": "^2.0.3",
-    "@types/sade": "^1.7.3",
+    "@types/node": "^16.11.36",
+    "@types/sade": "^1.7.4",
     "@types/set-cookie-parser": "^2.4.2",
     "cookie": "^0.5.0",
+    "cross-env": "^7.0.3",
     "devalue": "^2.0.1",
+    "eslint": "^8.16.0",
     "kleur": "^4.1.4",
     "locate-character": "^2.0.5",
+    "marked": "^4.0.16",
     "mime": "^3.0.0",
-    "node-fetch": "^3.1.0",
-    "selfsigned": "^2.0.0",
+    "node-fetch": "^3.2.4",
+    "port-authority": "^1.2.0",
+    "rollup": "^2.75.3",
+    "selfsigned": "^2.0.1",
     "set-cookie-parser": "^2.4.8",
-    "svelte": "^3.48.0"
+    "sirv": "^2.0.2",
+    "svelte": "^3.48.0",
+    "svelte-check": "^2.7.1",
+    "svelte-preprocess": "^4.10.6",
+    "svelte2tsx": "~0.5.10",
+    "tiny-glob": "^0.2.9",
+    "typescript": "^4.7.2",
+    "uvu": "^0.5.3"
   },
   "peerDependencies": {
     "svelte": "^3.44.0"