fix: upgrade @sveltejs/kit to 2.57.1 (CVE-2026-40073) #10637
orbisai0security wants to merge 5 commits into
Conversation
Automated dependency upgrade by Orbis Security AI
📝 Walkthrough
This PR updates the SvelteKit framework dependency (
Changes: SvelteKit dependency updates
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 107-109: The pnpm lockfile still resolves vulnerable `@sveltejs/kit@2.55.0`; update all example project package.json entries that use the specifier ^2.42.2 to require `@sveltejs/kit@2.57.1` (or a range >=2.57.1), bump or replace `@sveltejs/adapter-auto` to a version that depends on the newer kit, then run pnpm install to regenerate pnpm-lock.yaml so all `@sveltejs/kit` resolutions point to 2.57.1+ (alternatively add a pnpm overrides/resolutions entry forcing `@sveltejs/kit@2.57.1` and run pnpm install).
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 03cc8224-594c-49f4-9c0b-7e3e9eff0314
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
- package.json
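The review comment above asks for the lockfile to be regenerated so that no `@sveltejs/kit` resolution stays below 2.57.1, and notes that pnpm-lock.yaml is excluded from the review by a path filter. The check a reviewer would run locally to confirm that, as an added example that is not code from this PR, from CodeRabbit, from OrbisAI or from the TanStack repository: it scans a pnpm lockfile for every concrete version of a package (from the `packages:`/`snapshots:` keys, in both the v6 `/name@ver(...)` and the v9 `'name@ver'` key styles; the older v5 `/name/ver` form is not handled) and lists which workspace importers still reach a version below the floor through an old specifier. The lockfile excerpt is constructed; the versions 2.42.2, 2.55.0 and 2.57.1 come from the comment, while the importer paths, peer suffixes and function names are assumptions.

```javascript
// Added example, not code from the PR, CodeRabbit, OrbisAI or TanStack:
// audit a pnpm lockfile for resolutions of one package below a version floor.

// Constructed pnpm-lock.yaml excerpt (v9 layout). Importer paths and peer
// suffixes are assumed; versions mirror the review comment.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      '@sveltejs/kit':
        specifier: ^2.57.1
        version: 2.57.1(svelte@5.0.0)(vite@7.1.0)
  examples/svelte/basic:
    devDependencies:
      '@sveltejs/kit':
        specifier: ^2.42.2
        version: 2.55.0(svelte@5.0.0)(vite@7.1.0)
packages:
  '@sveltejs/kit@2.55.0':
    resolution: {integrity: sha512-constructed}
  '@sveltejs/kit@2.57.1':
    resolution: {integrity: sha512-constructed}
snapshots:
  '@sveltejs/kit@2.55.0(svelte@5.0.0)(vite@7.1.0)':
    dependencies:
      svelte: 5.0.0
  '@sveltejs/kit@2.57.1(svelte@5.0.0)(vite@7.1.0)':
    dependencies:
      svelte: 5.0.0
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison (string comparison would put 2.9 > 2.57).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every concrete version of `pkg` the lockfile resolves, from the
// packages/snapshots keys: 'name@1.2.3' (v9) or /name@1.2.3(...) (v6).
function resolvedVersions(lockfileText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const keyRe = new RegExp(`^\\s*'?/?${escaped}@(\\d+\\.\\d+\\.\\d+)`);
  const versions = new Set();
  for (const line of lockfileText.split('\n')) {
    const m = keyRe.exec(line);
    if (m) versions.add(m[1]);
  }
  return [...versions].sort(compareVersions);
}

// For each importer (workspace project) in the `importers:` block, the
// specifier and resolved version it uses for `pkg`. Driven by the fixed
// indentation depths pnpm writes (2 = importer, 6 = dependency, 8 = fields).
function importerResolutions(lockfileText, pkg) {
  const rows = [];
  let inImporters = false, importer = null, current = null;
  for (const raw of lockfileText.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { inImporters = line === 'importers:'; current = null; continue; }
    if (!inImporters) continue;
    if (indent === 2) importer = line.replace(/:$/, '').replace(/^'|'$/g, '');
    if (indent === 6) {
      const name = line.replace(/:$/, '').replace(/^'|'$/g, '');
      current = name === pkg ? { importer, specifier: null, version: null } : null;
    }
    if (indent === 8 && current) {
      const [key, value] = line.split(/:\s+/, 2);
      if (key === 'specifier') current.specifier = value;
      if (key === 'version') current.version = value.split('(')[0]; // drop peer suffix
      if (current.specifier && current.version) { rows.push(current); current = null; }
    }
  }
  return rows;
}

// ok is true only when no resolution and no importer sits below minVersion.
function audit(lockfileText, pkg, minVersion) {
  const vulnerable = resolvedVersions(lockfileText, pkg)
    .filter((v) => compareVersions(v, minVersion) < 0);
  const importers = importerResolutions(lockfileText, pkg)
    .filter((r) => compareVersions(r.version, minVersion) < 0);
  return { ok: vulnerable.length === 0 && importers.length === 0, vulnerable, importers };
}

const report = audit(SAMPLE_LOCKFILE, '@sveltejs/kit', '2.57.1');
console.log(report.ok ? 'lockfile clean' : JSON.stringify(report, null, 2));
```

Run it against the real lockfile by replacing `SAMPLE_LOCKFILE` with the contents of pnpm-lock.yaml; a non-empty `importers` list is exactly the set of example package.json files whose specifier still needs bumping (or that a pnpm override would have to cover), which is what the comment asks to be fixed.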
✅ Review Feedback Addressed
I've automatically addressed 1 review comment(s):
The PR incorrectly fixed CVE-2026-40073 by adding
The proper approach (as CodeRabbit flagged) is to add
Additionally, all 7 svelte example
Files modified:
The changes have been pushed to this PR branch. Please review!
✅ Review Feedback Addressed
I've automatically addressed 1 review comment(s):
The
Files modified:
The changes have been pushed to this PR branch. Please review!
| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --targets=test:sherif,test:knip,tes... | ❌ Failed | 5m 25s | View ↗ |
| nx run-many --target=build --exclude=examples/*... | ✅ Succeeded | 1m 52s | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-05-22 19:22:05 UTC
🧹 Nitpick comments (1)
examples/svelte/auto-refetching/package.json (1)
11-12: 💤 Low value. TanStack package updates appear unrelated to the CVE fix.
The PR title focuses on the SvelteKit CVE-2026-40073 security fix, but these lines also bump `@tanstack/svelte-query` and `@tanstack/svelte-query-devtools` from ^6.1.28 to ^6.1.31. Confirm whether these updates are intentionally included or should be separated into a different PR for clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@examples/svelte/auto-refetching/package.json`:
- Around line 11-12: The bump of `@tanstack/svelte-query` and
`@tanstack/svelte-query-devtools` to ^6.1.31 is unrelated to the SvelteKit
CVE-2026-40073 fix; either remove or separate it: if the tanstack updates are
not intentionally part of this security PR, revert the version changes for the
two dependencies back to ^6.1.28 in package.json (look for
"`@tanstack/svelte-query`" and "`@tanstack/svelte-query-devtools`") or move those
two dependency bumps into a dedicated PR and leave this PR focused solely on the
CVE changes.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 8f870bca-03d5-4e21-bbb4-36f46ff193c1
⛔ Files ignored due to path filters (1)
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (7)
- examples/svelte/auto-refetching/package.json
- examples/svelte/basic/package.json
- examples/svelte/load-more-infinite-scroll/package.json
- examples/svelte/optimistic-updates/package.json
- examples/svelte/playground/package.json
- examples/svelte/ssr/package.json
- examples/svelte/star-wars/package.json
✅ Files skipped from review due to trivial changes (3)
- examples/svelte/load-more-infinite-scroll/package.json
- examples/svelte/playground/package.json
- examples/svelte/basic/package.json

Summary
Upgrade @sveltejs/kit from 2.55.0 to 2.57.1 to fix CVE-2026-40073.
Vulnerability
CVE-2026-40073
pnpm-lock.yaml
Description: @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
Changes
package.json
pnpm-lock.yaml
Verification
Automated security fix by OrbisAI Security
Summary by CodeRabbit