@sveltejs/kit 2.49.4 → 2.49.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "2.49.4",
+  "version": "2.49.5",
   "description": "SvelteKit is the fastest way to build Svelte apps",
   "keywords": [
     "framework",
@@ -23,7 +23,7 @@
     "@types/cookie": "^0.6.0",
     "acorn": "^8.14.1",
     "cookie": "^0.6.0",
-    "devalue": "^5.3.2",
+    "devalue": "^5.6.2",
     "esm-env": "^1.2.2",
     "kleur": "^4.1.5",
     "magic-string": "^0.30.5",
@@ -41,7 +41,7 @@
     "@types/set-cookie-parser": "^2.4.7",
     "dts-buddy": "^0.6.2",
     "rollup": "^4.14.2",
-    "svelte": "^5.42.1",
+    "svelte": "^5.46.4",
     "svelte-preprocess": "^6.0.0",
     "typescript": "^5.3.3",
     "vite": "^6.3.5",

package/src/exports/vite/build/utils.js

@@ -122,17 +122,6 @@ export function filter_fonts(assets) {
 	return assets.filter((asset) => /\.(woff2?|ttf|otf)$/.test(asset));
 }
 
-const method_names = new Set(['GET', 'HEAD', 'PUT', 'POST', 'DELETE', 'PATCH', 'OPTIONS']);
-
-// If we'd written this in TypeScript, it could be easy...
-/**
- * @param {string} str
- * @returns {str is import('types').HttpMethod}
- */
-export function is_http_method(str) {
-	return method_names.has(str);
-}
-
 /**
  * @param {import('types').ValidatedKitConfig} config
  * @returns {string}

package/src/exports/vite/index.js

@@ -803,6 +803,8 @@ async function kit({ svelte_config }) {
 			/** @type {import('vite').UserConfig} */
 			let new_config;
 
+			const kit_paths_base = kit.paths.base || '/';
+
 			if (is_build) {
 				const ssr = /** @type {boolean} */ (config.build?.ssr);
 				const prefix = `${kit.appDir}/immutable`;
@@ -884,7 +886,7 @@ async function kit({ svelte_config }) {
 				// That's larger and takes longer to run and also causes an HTML diff between SSR and client
 				// causing us to do a more expensive hydration check.
 				const client_base =
-					kit.paths.relative !== false || kit.paths.assets ? './' : kit.paths.base || '/';
+					kit.paths.relative !== false || kit.paths.assets ? './' : kit_paths_base;
 
 				const inline = !ssr && svelte_config.kit.output.bundleStrategy === 'inline';
 				const split = ssr || svelte_config.kit.output.bundleStrategy === 'split';
@@ -943,7 +945,7 @@ async function kit({ svelte_config }) {
 			} else {
 				new_config = {
 					appType: 'custom',
-					base: kit.paths.base,
+					base: kit_paths_base,
 					build: {
 						rollupOptions: {
 							// Vite dependency crawler needs an explicit JS entry point

package/src/runtime/form-utils.js

@@ -5,6 +5,7 @@
 import { DEV } from 'esm-env';
 import * as devalue from 'devalue';
 import { text_decoder, text_encoder } from './utils.js';
+import { SvelteKitError } from '@sveltejs/kit/internal';
 
 /**
  * Sets a value in a nested object using a path string, mutating the original object
@@ -64,7 +65,7 @@ export function convert_formdata(data) {
 
 export const BINARY_FORM_CONTENT_TYPE = 'application/x-sveltekit-formdata';
 const BINARY_FORM_VERSION = 0;
-
+const HEADER_BYTES = 1 + 4 + 2;
 /**
  * The binary format is as follows:
  * - 1 byte: Format version
@@ -144,7 +145,11 @@ export async function deserialize_binary_form(request) {
 		return { data: convert_formdata(form_data), meta: {}, form_data };
 	}
 	if (!request.body) {
-		throw new Error('Could not deserialize binary form: no body');
+		throw deserialize_error('no body');
+	}
+	const content_length = parseInt(request.headers.get('content-length') ?? '');
+	if (Number.isNaN(content_length)) {
+		throw deserialize_error('invalid Content-Length header');
 	}
 
 	const reader = request.body.getReader();
@@ -156,7 +161,7 @@ export async function deserialize_binary_form(request) {
 	 * @param {number} index
 	 * @returns {Promise<Uint8Array<ArrayBuffer> | undefined>}
 	 */
-	async function get_chunk(index) {
+	function get_chunk(index) {
 		if (index in chunks) return chunks[index];
 
 		let i = chunks.length;
@@ -195,8 +200,7 @@ export async function deserialize_binary_form(request) {
 			return start_chunk.subarray(offset - chunk_start, offset + length - chunk_start);
 		}
 		// Otherwise, copy the data into a new buffer
-		const buffer = new Uint8Array(length);
-		buffer.set(start_chunk.subarray(offset - chunk_start));
+		const chunks = [start_chunk.subarray(offset - chunk_start)];
 		let cursor = start_chunk.byteLength - offset + chunk_start;
 		while (cursor < length) {
 			chunk_index++;
@@ -205,6 +209,12 @@ export async function deserialize_binary_form(request) {
 			if (chunk.byteLength > length - cursor) {
 				chunk = chunk.subarray(0, length - cursor);
 			}
+			chunks.push(chunk);
+			cursor += chunk.byteLength;
+		}
+		const buffer = new Uint8Array(length);
+		cursor = 0;
+		for (const chunk of chunks) {
 			buffer.set(chunk, cursor);
 			cursor += chunk.byteLength;
 		}
@@ -212,21 +222,28 @@ export async function deserialize_binary_form(request) {
 		return buffer;
 	}
 
-	const header = await get_buffer(0, 1 + 4 + 2);
-	if (!header) throw new Error('Could not deserialize binary form: too short');
+	const header = await get_buffer(0, HEADER_BYTES);
+	if (!header) throw deserialize_error('too short');
 
 	if (header[0] !== BINARY_FORM_VERSION) {
-		throw new Error(
-			`Could not deserialize binary form: got version ${header[0]}, expected version ${BINARY_FORM_VERSION}`
-		);
+		throw deserialize_error(`got version ${header[0]}, expected version ${BINARY_FORM_VERSION}`);
 	}
 	const header_view = new DataView(header.buffer, header.byteOffset, header.byteLength);
 	const data_length = header_view.getUint32(1, true);
+
+	if (HEADER_BYTES + data_length > content_length) {
+		throw deserialize_error('data overflow');
+	}
+
 	const file_offsets_length = header_view.getUint16(5, true);
 
+	if (HEADER_BYTES + data_length + file_offsets_length > content_length) {
+		throw deserialize_error('file offset table overflow');
+	}
+
 	// Read the form data
-	const data_buffer = await get_buffer(1 + 4 + 2, data_length);
-	if (!data_buffer) throw new Error('Could not deserialize binary form: data too short');
+	const data_buffer = await get_buffer(HEADER_BYTES, data_length);
+	if (!data_buffer) throw deserialize_error('data too short');
 
 	/** @type {Array<number>} */
 	let file_offsets;
@@ -234,18 +251,20 @@ export async function deserialize_binary_form(request) {
 	let files_start_offset;
 	if (file_offsets_length > 0) {
 		// Read the file offset table
-		const file_offsets_buffer = await get_buffer(1 + 4 + 2 + data_length, file_offsets_length);
-		if (!file_offsets_buffer)
-			throw new Error('Could not deserialize binary form: file offset table too short');
+		const file_offsets_buffer = await get_buffer(HEADER_BYTES + data_length, file_offsets_length);
+		if (!file_offsets_buffer) throw deserialize_error('file offset table too short');
 
 		file_offsets = /** @type {Array<number>} */ (
 			JSON.parse(text_decoder.decode(file_offsets_buffer))
 		);
-		files_start_offset = 1 + 4 + 2 + data_length + file_offsets_length;
+		files_start_offset = HEADER_BYTES + data_length + file_offsets_length;
 	}
 
 	const [data, meta] = devalue.parse(text_decoder.decode(data_buffer), {
 		File: ([name, type, size, last_modified, index]) => {
+			if (files_start_offset + file_offsets[index] + size > content_length) {
+				throw deserialize_error('file data overflow');
+			}
 			return new Proxy(
 				new LazyFile(
 					name,
@@ -276,6 +295,12 @@ export async function deserialize_binary_form(request) {
 
 	return { data, meta, form_data: null };
 }
+/**
+ * @param {string} message
+ */
+function deserialize_error(message) {
+	return new SvelteKitError(400, 'Bad Request', `Could not deserialize binary form: ${message}`);
+}
 
 /** @implements {File} */
 class LazyFile {
@@ -380,7 +405,7 @@ class LazyFile {
 				chunk_index++;
 				let chunk = await this.#get_chunk(chunk_index);
 				if (!chunk) {
-					controller.error('Could not deserialize binary form: incomplete file data');
+					controller.error('incomplete file data');
 					controller.close();
 					return;
 				}

package/src/runtime/server/remote.js

@@ -294,6 +294,7 @@ async function handle_remote_form_post_internal(event, state, manifest, id) {
 		const fn = /** @type {RemoteInfo & { type: 'form' }} */ (/** @type {any} */ (form).__).fn;
 
 		const { data, meta, form_data } = await deserialize_binary_form(event.request);
+
 		if (action_id && !('id' in data)) {
 			data.id = JSON.parse(decodeURIComponent(action_id));
 		}

package/src/runtime/server/respond.js

@@ -247,8 +247,10 @@ export async function internal_respond(request, options, manifest, state) {
 		return text('Malformed URI', { status: 400 });
 	}
 
+	// try to serve the rerouted prerendered resource if it exists
 	if (
-		resolved_path !== url.pathname &&
+		// the resolved path has been decoded so it should be compared to the decoded url pathname
+		resolved_path !== decode_pathname(url.pathname) &&
 		!state.prerendering?.fallback &&
 		has_prerendered_path(manifest, resolved_path)
 	) {
@@ -259,20 +261,24 @@ export async function internal_respond(request, options, manifest, state) {
 				? add_resolution_suffix(resolved_path)
 				: resolved_path;
 
-		// `fetch` automatically decodes the body, so we need to delete the related headers to not break the response
-		// Also see https://github.com/sveltejs/kit/issues/12197 for more info (we should fix this more generally at some point)
-		const response = await fetch(url, request);
-		const headers = new Headers(response.headers);
-		if (headers.has('content-encoding')) {
-			headers.delete('content-encoding');
-			headers.delete('content-length');
-		}
+		try {
+			// `fetch` automatically decodes the body, so we need to delete the related headers to not break the response
+			// Also see https://github.com/sveltejs/kit/issues/12197 for more info (we should fix this more generally at some point)
+			const response = await fetch(url, request);
+			const headers = new Headers(response.headers);
+			if (headers.has('content-encoding')) {
+				headers.delete('content-encoding');
+				headers.delete('content-length');
+			}
 
-		return new Response(response.body, {
-			headers,
-			status: response.status,
-			statusText: response.statusText
-		});
+			return new Response(response.body, {
+				headers,
+				status: response.status,
+				statusText: response.statusText
+			});
+		} catch (error) {
+			return await handle_fatal_error(event, event_state, options, error);
+		}
 	}
 
 	/** @type {import('types').SSRRoute | null} */

package/src/version.js

@@ -1,4 +1,4 @@
 // generated during release, do not modify
 
 /** @type {string} */
-export const VERSION = '2.49.4';
+export const VERSION = '2.49.5';

package/types/index.d.ts

@@ -2769,7 +2769,7 @@ declare module '@sveltejs/kit' {
 	class Redirect_1 {
 		
 		constructor(status: 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308, location: string);
-		status: 301 | 302 | 303 | 307 | 308 | 300 | 304 | 305 | 306;
+		status: 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308;
 		location: string;
 	}