Prefer (allowed) static assets to routes

[Rich-Harris]

#5066 happens because of #4974, which we need because otherwise files in the project root will shadow stuff in src/routes. As of that PR, we attempt to render requests with server.respond(...), and only defer to viteServeStaticMiddleware if that results in a 404.

In the case where you have rest routes, that's no good, because you can get a 200 response even when you're requesting a static asset.

I'm having a hard time figuring out what the correct fix for this is, so I'm just going to leave this failing test here for now.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 1bce523

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[benmccann]

I think the correct fix is probably vitejs/vite#7363

[7antra]

@benmccann & @Rich-Harris , I think Vite doesn't take this seriously, but it's a real problem for sveltekit users. If you log url.pathname in the layout and hook in dev mode, you will see that all assets (imported like this) are now triggered like route, it causes a lot of troubles if you are using $page.stuff too.

[Rich-Harris]

In lieu of a fix in Vite itself, I think this is a reasonable solution — we mimic Vite's internal logic to determine if an extant file is allowed, and if so we defer to serve_static_middleware

[benmccann]

this seems surprising to me. I wouldn't expect you to be able to get the package.json, node_modules, etc. It will also make it available to everyone on your network. I'm not sure that's a huge risk, but I'm not really sure why we'd expose it either

[Rich-Harris]

It's not getting package.json. The test is there to check that it will serve a route called /package.json despite there being a package.json in the project directory outside the allow list. Check two lines further down.

node_modules on the other hand are on the allow list so that you can use node_modules!