From 553e14c8320ad9c6ebb3c554c35f1482755c9555 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Thu, 11 Jan 2024 15:21:46 -0500
Subject: [PATCH] fix: return plaintext 404 for anything under appDir (#11597)
Co-authored-by: Rich Harris
---
 .changeset/clever-clocks-drop.md | 5 +++++
 packages/kit/src/runtime/server/respond.js | 4 ++++
 2 files changed, 9 insertions(+)
 create mode 100644 .changeset/clever-clocks-drop.md
diff --git a/.changeset/clever-clocks-drop.md b/.changeset/clever-clocks-drop.md
new file mode 100644
index 000000000000..6240eca59eaf
--- /dev/null
+++ b/.changeset/clever-clocks-drop.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: return plaintext 404 for anything under appDir
diff --git a/packages/kit/src/runtime/server/respond.js b/packages/kit/src/runtime/server/respond.js
index 7347ef650dba..f80eca2dea5f 100644
--- a/packages/kit/src/runtime/server/respond.js
+++ b/packages/kit/src/runtime/server/respond.js
@@ -113,6 +113,10 @@ export async function respond(request, options, manifest, state) {
 return get_public_env(request);
 }
+ if (decoded.startsWith(`/${options.app_dir}`)) {
+ return text('Not found', { status: 404 });
+ }
+
 const is_data_request = has_data_suffix(decoded);
 /** @type {boolean[] | undefined} */
 let invalidated_data_nodes;
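Review bot: The added `startsWith` guard in respond.js matches on a raw string prefix, not on a path segment, so any pathname that merely begins with the app_dir value is answered with the plaintext 404 before the rest of `respond` runs. With an app_dir of `_app`, for example, a page at `/_app-status` or `/_application` would be shadowed. Bounding the match to the directory itself keeps the short-circuit limited to the asset namespace: ``if (decoded === `/${options.app_dir}` || decoded.startsWith(`/${options.app_dir}/`)) {``. Separately, the 404 is returned without a `cache-control` header; if an adapter or CDN applies long-lived caching to everything under appDir (not visible in this hunk), a cached "Not found" could outlive a deploy, so an explicit revalidating or no-store header on this response is worth considering. The body of `respond` starts and ends outside the hunk, so how `decoded` is derived is not shown here.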