chore(deps): update dependency svelte to v5.55.7 [security] #3422
Package Changes Through 7dcbfed: No changes. Add a change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
This PR contains the following updates:

- svelte: 5.54.0 → 5.55.7

Svelte: ReDoS in `<svelte:element>` Tag Validation
CVE-2026-42567 / GHSA-9rmh-mm8f-r9h6

Details
An internal regex in the Svelte runtime can take exponential time to test in `<svelte:element this={tag}></svelte:element>`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to `svelte:element`, you are safe.

Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Svelte: SSR XSS via Insecure Promise Serialization in hydratable
GHSA-f3cj-j4f6-wq85

Details
Contents of `hydratable` promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:
- you use `hydratable` (an experimental feature at the time of this report)
- the `hydratable` callback returns promise values, as in `hydratable('someKey', () => [synchronousValue, promiseValue])`

Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
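As an added illustration of the bug class in the second advisory (example code written for this PR page, not Svelte's own code nor its fix commit a16ebc6): hydration data inlined into a `<script>` tag must be escaped for the HTML context, and values produced by promises need exactly the same treatment as synchronous ones. The `window.__DATA__` global, the `inlineScript`/`renderHydratable` helpers and the user string are assumptions constructed for the demo.

```javascript
// Added example (not Svelte's code): HTML-aware serialization of SSR hydration
// data, applied to synchronous values and promise results alike.
const SCRIPT_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// JSON.stringify alone is not safe inside <script>: a string containing
// "</script>" closes the element early and the rest is parsed as HTML.
// Rewriting these characters as JSON \uXXXX escapes keeps the output valid
// JSON (JSON.parse on the client still yields the original string) while
// leaving no literal '<' for the HTML parser to act on.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => SCRIPT_ESCAPES[c]);
}

// One inline script storing a serialized value under a key (assumed global).
function inlineScript(key, value) {
  return `<script>window.__DATA__[${serializeForScript(key)}]=${serializeForScript(value)};</script>`;
}

// Await each entry in order and push every result, sync or promise-resolved,
// through the same escaping path. A promise branch that bypasses this step
// is the kind of gap the advisory above describes.
async function renderHydratable(key, entries) {
  const chunks = [];
  for (let i = 0; i < entries.length; i++) {
    const value = await entries[i];
    chunks.push(inlineScript(`${key}:${i}`, value));
  }
  return chunks.join('');
}

// Constructed user-controlled content containing a script-closing sequence.
const USER_CONTENT = '</script><img src=x onerror=alert(1)>';

// With plain JSON.stringify the closing tag survives verbatim.
function naiveOutputBreaksOut() {
  return `<script>x=${JSON.stringify(USER_CONTENT)};</script>`.includes('</script><img');
}

// The escaped output contains exactly the script tags we emitted, no extras.
function scriptTagsBalanced(html) {
  const opens = (html.match(/<script>/g) || []).length;
  const closes = (html.match(/<\/script>/g) || []).length;
  return opens === closes && !html.includes('</script><img');
}
```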
Release Notes

sveltejs/svelte (svelte)

v5.55.7
Patch Changes
- fix: prevent XSS on `hydratable` from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)
- chore: bump devalue (#18219)
- fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)
- fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)
- fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

v5.55.6
Patch Changes
- fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)
- fix: keep dependencies of `$state.eager`/`pending` (#18218)
- fix: reapply context after transforming error during SSR (#18099)
- fix: don't rebase just-created batches (#18117)
- chore: allow `null` for `pending` in typings (#18201)
- fix: flush eager effects in production (#18107)
- fix: rethrow error of failed iterable after calling `return()` (#18169)
- fix: account for proxified instance when updating `bind:this` (#18147)
- fix: ensure scheduled batch is flushed if not obsolete (#18131)
- fix: resolve stale deriveds with latest value (#18167)
- chore: remove unnecessary `increment_pending` calls (#18183)
- fix: correctly compile component member expressions for SSR (#18192)
- fix: reset `source.updated` stack traces after `flush` (#18196)
- fix: replacing async 'blocking' strategy with 'merging' (#18205)
- fix: allow `@debug` tags to reference awaited variables (#18138)
- fix: re-run fallback props if dependencies update (#18146)
- fix: abort running obsolete async branches (#18118)
- fix: ignore comments when reading CSS values (#18153)
- fix: wrap `Promise.all` in `save` during SSR (#18178)
- fix: ignore false-positive errors of `$inspect` dependencies (#18106)

v5.55.5
Patch Changes
- fix: don't mark deriveds while an effect is updating (#18124)
- fix: do not dispatch introstart event with animation of animate directive (#18122)

v5.55.4
Patch Changes
- fix: never mark a child effect root as inert (#18111)
- fix: reset context after waiting on blockers of `@const` expressions (#18100)
- fix: keep flushing new eager effects (#18102)

v5.55.3
Patch Changes
- fix: ensure proper HMR updates for dynamic components (#18079)
- fix: correctly calculate `@const` blockers (#18039)
- fix: freeze deriveds once their containing effects are destroyed (#17921)
- fix: defer error boundary rendering in forks (#18076)
- fix: avoid false positives for reactivity loss warning (#18088)

v5.55.2
Patch Changes
- fix: invalidate `@const` tags based on visible references in legacy mode (#18041)
- fix: handle parens in template expressions more robustly (#18075)
- fix: disallow `--` in `idPrefix` (#18038)
- fix: correct types for `ontoggle` on `<details>` elements (#18063)
- fix: don't override `$destroy`/`set`/`on` instance methods in dev mode (#18034)
- fix: unskip branches of earlier batches after commit (#18048)
- fix: never set derived.v inside fork (#18037)
- fix: skip rebase logic in non-async mode (#18040)
- fix: don't reset status of uninitialized deriveds (#18054)

v5.55.1
Patch Changes
- fix: correctly handle bindings on the server (#18009)
- fix: prevent hydration error on async `{@html ...}` (#17999)
- fix: cleanup `superTypeParameters` in `ClassDeclarations`/`ClassExpression` (#18015)
- fix: improve duplicate module import error message (#18016)
- fix: reschedule new effects in prior batches (#18021)

v5.55.0
Minor Changes
Patch Changes

v5.54.1
Patch Changes
- fix: hydration comments during hmr (#17975)
- fix: null out `effect.b` in `destroy_effect` (#17980)
- fix: group sync statements (#17977)
- fix: defer batch resolution until earlier intersecting batches have committed (#17162)
- fix: properly invoke `iterator.return()` during reactivity loss check (#17966)
- fix: remove trailing semicolon from `{@const}` tag printer (#17962)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.