use pull method

[Rich-Harris]

Closes #5412.

I'm not 100% sure this is correct — in particular, I'm not sure what's supposed to happen if someone tries to upload a huge file and you early-exit with a 413; the response doesn't seem to get acknowledged while the request is still pending (which never stops being true, if you don't buffer it or create a reader).

But it does fix the vulnerability — data is only buffered if you ask for it to be buffered.

No test because I'm not really sure how you'd go about testing such a thing.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: 37f99ea

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[AlessioGr]

data is only buffered if you ask for it to be buffered.

How can I do that? How do I ask for it to be buffered?

How can I customize or disable this size limit for some POST listeners?