@sveltejs/kit - npm Package Compare versions

Comparing version 2.8.0 to 2.8.1


package.json
{
"name": "@sveltejs/kit",
"version": "2.8.0",
"version": "2.8.1",
"description": "SvelteKit is the fastest way to build Svelte apps",

@@ -5,0 +5,0 @@ "keywords": [

@@ -109,2 +109,16 @@ import { createReadStream } from 'node:fs';

export async function getRequest({ request, base, bodySizeLimit }) {
let headers = /** @type {Record<string, string>} */ (request.headers);
if (request.httpVersionMajor >= 2) {
// the Request constructor rejects headers with ':' in the name
headers = Object.assign({}, headers);
// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.5
if (headers[':authority']) {
headers.host = headers[':authority'];
}
delete headers[':authority'];
delete headers[':method'];
delete headers[':path'];
delete headers[':scheme'];
}
return new Request(base + request.url, {

@@ -114,3 +128,3 @@ // @ts-expect-error

method: request.method,
headers: /** @type {Record<string, string>} */ (request.headers),
headers: Object.entries(headers),
body:

@@ -117,0 +131,0 @@ request.method === 'GET' || request.method === 'HEAD'
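Review bot: The HTTP/2 branch at `headers.host = headers[':authority'];` silently overwrites any Host header the client also sent, so a request whose Host and :authority disagree is rewritten rather than rejected. If I read the RFC section linked in the hunk's own comment correctly (9113 §8.3.1), a server should treat such a request as malformed, and anything downstream that trusts `host` (origin checks, URL construction from `base`) can no longer tell the two apart after this point. A guard before the assignment, e.g. `if (headers.host && headers.host !== headers[':authority']) { /* treat as malformed rather than picking one */ }`, would make the mismatch explicit; how the rejection is signalled depends on getRequest's callers, which are outside the hunk. getRequest's body continues past the hunk.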

@@ -352,18 +352,2 @@ import fs from 'node:fs';

configResolved(config) {
// we search for this plugin by name because we can't detect it
// since it doesn't directly modify the https config unlike the mkcert plugin
const vite_basic_ssl = config.plugins.find(({ name }) => name === 'vite:basic-ssl');
// by default, when enabling HTTPS in Vite, it also enables HTTP/2
// however, undici has not yet enabled HTTP/2 by default: https://github.com/nodejs/undici/issues/2750
// we set a no-op proxy config to force Vite to downgrade to TLS-only
// see https://vitejs.dev/config/#server-https
if ((config.server.https || vite_basic_ssl) && !config.server.proxy) {
config.server.proxy = {};
}
if ((config.preview.https || vite_basic_ssl) && !config.preview.proxy) {
config.preview.proxy = {};
}
vite_config = config;

@@ -370,0 +354,0 @@ }

@@ -188,3 +188,3 @@ import fs from 'node:fs';

vite.middlewares.use(async (req, res) => {
const host = req.headers['host'];
const host = req.headers[':authority'] || req.headers.host;

@@ -191,0 +191,0 @@ const request = await getRequest({
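Review bot: The new `const host = req.headers[':authority'] || req.headers.host;` carries no comment on why `:authority` is consulted first, while the removed block in configResolved (the undici/HTTP2 proxy workaround and its links) was the only place that recorded the HTTP/2 context. A one-line comment such as `// HTTP/2 clients carry the authority in the :authority pseudo-header, not Host` would keep that rationale next to the code that now depends on it. With the proxy shim gone the dev server presumably negotiates HTTP/2 whenever HTTPS is on, so any other read of `req.headers.host` in this middleware (its body continues outside the hunk) would want the same fallback; worth confirming.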

@@ -35,4 +35,19 @@ import { escape_html_attr } from '../../../utils/escape.js';

/** @type {boolean} */
#script_src_needs_csp;
/** @type {boolean} */
#script_src_elem_needs_csp;
/** @type {boolean} */
#style_needs_csp;
/** @type {boolean} */
#style_src_needs_csp;
/** @type {boolean} */
#style_src_attr_needs_csp;
/** @type {boolean} */
#style_src_elem_needs_csp;
/** @type {import('types').CspDirectives} */

@@ -125,19 +140,22 @@ #directives;

this.#script_needs_csp =
(!!effective_script_src &&
effective_script_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
(!!script_src_elem &&
script_src_elem.filter((value) => value !== 'unsafe-inline').length > 0);
/** @param {(import('types').Csp.Source | import('types').Csp.ActionSource)[] | undefined} directive */
const needs_csp = (directive) =>
!!directive && !directive.some((value) => value === 'unsafe-inline');
this.#script_src_needs_csp = needs_csp(effective_script_src);
this.#script_src_elem_needs_csp = needs_csp(script_src_elem);
this.#style_src_needs_csp = needs_csp(effective_style_src);
this.#style_src_attr_needs_csp = needs_csp(style_src_attr);
this.#style_src_elem_needs_csp = needs_csp(style_src_elem);
this.#script_needs_csp = this.#script_src_needs_csp || this.#script_src_elem_needs_csp;
this.#style_needs_csp =
!__SVELTEKIT_DEV__ &&
((!!effective_style_src &&
effective_style_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
(!!style_src_attr &&
style_src_attr.filter((value) => value !== 'unsafe-inline').length > 0) ||
(!!style_src_elem &&
style_src_elem.filter((value) => value !== 'unsafe-inline').length > 0));
(this.#style_src_needs_csp ||
this.#style_src_attr_needs_csp ||
this.#style_src_elem_needs_csp);
this.script_needs_nonce = this.#script_needs_csp && !this.#use_hashes;
this.style_needs_nonce = this.#style_needs_csp && !this.#use_hashes;
this.#nonce = nonce;

@@ -148,21 +166,13 @@ }

add_script(content) {
if (this.#script_needs_csp) {
const d = this.#directives;
if (!this.#script_needs_csp) return;
if (this.#use_hashes) {
const hash = sha256(content);
/** @type {`nonce-${string}` | `sha256-${string}`} */
const source = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
this.#script_src.push(`sha256-${hash}`);
if (this.#script_src_needs_csp) {
this.#script_src.push(source);
}
if (d['script-src-elem']?.length) {
this.#script_src_elem.push(`sha256-${hash}`);
}
} else {
if (this.#script_src.length === 0) {
this.#script_src.push(`nonce-${this.#nonce}`);
}
if (d['script-src-elem']?.length) {
this.#script_src_elem.push(`nonce-${this.#nonce}`);
}
}
if (this.#script_src_elem_needs_csp) {
this.#script_src_elem.push(source);
}

@@ -173,43 +183,37 @@ }

add_style(content) {
if (this.#style_needs_csp) {
// this is the hash for "/* empty */"
// adding it so that svelte does not break csp
// see https://github.com/sveltejs/svelte/pull/7800
const empty_comment_hash = '9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
if (!this.#style_needs_csp) return;
const d = this.#directives;
/** @type {`nonce-${string}` | `sha256-${string}`} */
const source = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
if (this.#use_hashes) {
const hash = sha256(content);
if (this.#style_src_needs_csp) {
this.#style_src.push(source);
}
this.#style_src.push(`sha256-${hash}`);
if (this.#style_src_needs_csp) {
this.#style_src.push(source);
}
if (d['style-src-attr']?.length) {
this.#style_src_attr.push(`sha256-${hash}`);
}
if (d['style-src-elem']?.length) {
if (
hash !== empty_comment_hash &&
!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`)
) {
this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
}
if (this.#style_src_attr_needs_csp) {
this.#style_src_attr.push(source);
}
this.#style_src_elem.push(`sha256-${hash}`);
}
} else {
if (this.#style_src.length === 0 && !d['style-src']?.includes('unsafe-inline')) {
this.#style_src.push(`nonce-${this.#nonce}`);
}
if (d['style-src-attr']?.length) {
this.#style_src_attr.push(`nonce-${this.#nonce}`);
}
if (d['style-src-elem']?.length) {
if (!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`)) {
this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
}
if (this.#style_src_elem_needs_csp) {
// this is the sha256 hash for the string "/* empty */"
// adding it so that svelte does not break csp
// see https://github.com/sveltejs/svelte/pull/7800
const sha256_empty_comment_hash = 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
const d = this.#directives;
this.#style_src_elem.push(`nonce-${this.#nonce}`);
}
if (
d['style-src-elem'] &&
!d['style-src-elem'].includes(sha256_empty_comment_hash) &&
!this.#style_src_elem.includes(sha256_empty_comment_hash)
) {
this.#style_src_elem.push(sha256_empty_comment_hash);
}
if (source !== sha256_empty_comment_hash) {
this.#style_src_elem.push(source);
}
}

@@ -216,0 +220,0 @@ }
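Review bot: In the constructor hunk, `this.#style_needs_csp` loses its `!__SVELTEKIT_DEV__ &&` guard, so styles now receive nonces/hashes in dev as well; nothing in the commit says whether that is intended or a side effect of the new `needs_csp` helper, which now returns false whenever the directive contains `'unsafe-inline'` (the old check only required some other source to be present). If the dev exclusion is deliberately gone, a short comment on `needs_csp` stating both rules, roughly `// no nonce/hash when the directive is absent or already allows 'unsafe-inline' (a nonce would disable it)`, would keep it from being reintroduced. Two smaller behaviour changes are also worth a line in the commit: `needs_csp([])` is true while the old filter-based check was false for an empty array, and add_script/add_style now push the nonce source on every call (the old `if (this.#script_src.length === 0)` guard is gone), which only repeats the nonce in the header unless the arrays are de-duplicated at serialization time, outside this hunk.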

// generated during release, do not modify
/** @type {string} */
export const VERSION = '2.8.0';
export const VERSION = '2.8.1';

