chore(deps): update dependency svelte to v5.55.7 [security]#2481
Conversation
E2E tests are runningAuthorization passed for this commit. See the E2E Tests workflow for results. |
Site previewPreview: https://60e293b6-site.fullsend-ai.workers.dev Commit: |
|
🤖 Finished Review · ✅ Success · Started 8:26 AM UTC · Completed 8:33 AM UTC |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|
Looks good to me Labels: Dependency lockfile update addressing 3 Svelte XSS CVEs. Previous runLooks good to me Labels: Dependency lockfile update addressing 3 Svelte XSS CVEs. |
![fullsend-ai-review[bot]](https://avatars.githubusercontent.com/in/3478501?s=60&v=4){kind=small}
fullsend-ai-review
Bot
added
ready-for-merge
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
rh-hemartin
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
5be0370 to
1e7551a
Compare
rh-hemartin
added
the
ok-to-test
|
🤖 Finished Review · ✅ Success · Started 11:36 AM UTC · Completed 11:42 AM UTC |
fullsend-ai-review
Bot
added
ready-for-merge
|
🤖 Finished Retro · ✅ Success · Started 11:58 AM UTC · Completed 12:03 PM UTC |
Retro: PR #2481 — Renovate svelte security updateThis was a straightforward Renovate bot PR updating Timeline
AssessmentThe workflow completed successfully with no rework. The review agent correctly identified this as a trivial lockfile-only dependency bump both times. Two areas of token waste were observed:
Existing coverageAll potential proposals are already tracked by open issues — no new proposals needed: |
1 participant
This PR contains the following updates:
5.55.3→5.55.7Svelte SSR vulnerable to cross-site scripting via spread attributes
CVE-2026-42599 / GHSA-pr6f-5x2q-rwfp
More information
Details
When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires.
This is similar to but different from CVE-2026-27121.
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
CVE-2026-42573 / GHSA-rcqx-6q8c-2c42
More information
Details
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
You are vulnerable if all of the following is true:
nameattribute on an input or button element within that formSeverity
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Svelte: SSR XSS via Insecure Promise Serialization in hydratable
GHSA-f3cj-j4f6-wq85
More information
Details
Contents of
hydratablepromises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:hydratable(an experimental feature at the time of this report)hydratable('someKey', () => [synchronousValue, promiseValue])Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
sveltejs/svelte (svelte)
v5.55.7Compare Source
Patch Changes
fix: prevent XSS on
hydratablefrom user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)chore: bump devalue (#18219)
fix: disallow empty attribute names during SSR (
547853e2406a2147ad7fb5ffeba95b01bd9642da)fix: harden regex (
d2375e2ebcab5c88feb5652f1a9d621b8f06b259)fix: move Svelte runtime properties to symbols (
e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)v5.55.6Compare Source
Patch Changes
fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)
fix: keep dependencies of
$state.eager/pending(#18218)fix: reapply context after transforming error during SSR (#18099)
fix: don't rebase just-created batches (#18117)
chore: allow
nullforpendingin typings (#18201)fix: flush eager effects in production (#18107)
fix: rethrow error of failed iterable after calling
return()(#18169)fix: account for proxified instance when updating
bind:this(#18147)fix: ensure scheduled batch is flushed if not obsolete (#18131)
fix: resolve stale deriveds with latest value (#18167)
chore: remove unnecessary
increment_pendingcalls (#18183)fix: correctly compile component member expressions for SSR (#18192)
fix: reset
source.updatedstack traces afterflush(#18196)fix: replacing async 'blocking' strategy with 'merging' (#18205)
fix: allow
@debugtags to reference awaited variables (#18138)fix: re-run fallback props if dependencies update (#18146)
fix: abort running obsolete async branches (#18118)
fix: ignore comments when reading CSS values (#18153)
fix: wrap
Promise.allinsaveduring SSR (#18178)fix: ignore false-positive errors of
$inspectdependencies (#18106)v5.55.5Compare Source
Patch Changes
fix: don't mark deriveds while an effect is updating (#18124)
fix: do not dispatch introstart event with animation of animate directive (#18122)
v5.55.4Compare Source
Patch Changes
fix: never mark a child effect root as inert (#18111)
fix: reset context after waiting on blockers of
@constexpressions (#18100)fix: keep flushing new eager effects (#18102)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.