Skip to content

Update dependency svelte to v5.55.7 [SECURITY]#48844

Merged
kraftbj merged 2 commits into
trunkfrom
renovate/npm-svelte-vulnerability
May 16, 2026
Merged

Update dependency svelte to v5.55.7 [SECURITY]#48844
kraftbj merged 2 commits into
trunkfrom
renovate/npm-svelte-vulnerability

Conversation

@matticbot
Copy link
Copy Markdown
Contributor

@matticbot matticbot commented May 14, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
svelte (source) 5.53.125.55.7 age confidence

GitHub Vulnerability Alerts

CVE-2026-42599

When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires.

This is similar to but different from CVE-2026-27121.

CVE-2026-42567

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

CVE-2026-42573

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable
<form {...spread1}>
  <input {...spread2}>
</form>

GHSA-f3cj-j4f6-wq85

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

CVE-2026-42573 / GHSA-rcqx-6q8c-2c42

More information

Details

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable
<form {...spread1}>
  <input {...spread2}>
</form>

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Svelte: ReDoS in <svelte:element> Tag Validation

CVE-2026-42567 / GHSA-9rmh-mm8f-r9h6

More information

Details

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Svelte SSR vulnerable to cross-site scripting via spread attributes

CVE-2026-42599 / GHSA-pr6f-5x2q-rwfp

More information

Details

When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires.

This is similar to but different from CVE-2026-27121.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Svelte: SSR XSS via Insecure Promise Serialization in hydratable

GHSA-f3cj-j4f6-wq85

More information

Details

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

sveltejs/svelte (svelte)

v5.55.7

Compare Source

Patch Changes

v5.55.6

Compare Source

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#​18180)

  • fix: keep dependencies of $state.eager/pending (#​18218)

  • fix: reapply context after transforming error during SSR (#​18099)

  • fix: don't rebase just-created batches (#​18117)

  • chore: allow null for pending in typings (#​18201)

  • fix: flush eager effects in production (#​18107)

  • fix: rethrow error of failed iterable after calling return() (#​18169)

  • fix: account for proxified instance when updating bind:this (#​18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#​18131)

  • fix: resolve stale deriveds with latest value (#​18167)

  • chore: remove unnecessary increment_pending calls (#​18183)

  • fix: correctly compile component member expressions for SSR (#​18192)

  • fix: reset source.updated stack traces after flush (#​18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#​18205)

  • fix: allow @debug tags to reference awaited variables (#​18138)

  • fix: re-run fallback props if dependencies update (#​18146)

  • fix: abort running obsolete async branches (#​18118)

  • fix: ignore comments when reading CSS values (#​18153)

  • fix: wrap Promise.all in save during SSR (#​18178)

  • fix: ignore false-positive errors of $inspect dependencies (#​18106)

v5.55.5

Compare Source

Patch Changes

  • fix: don't mark deriveds while an effect is updating (#​18124)

  • fix: do not dispatch introstart event with animation of animate directive (#​18122)

v5.55.4

Compare Source

Patch Changes

  • fix: never mark a child effect root as inert (#​18111)

  • fix: reset context after waiting on blockers of @const expressions (#​18100)

  • fix: keep flushing new eager effects (#​18102)

v5.55.3

Compare Source

Patch Changes

  • fix: ensure proper HMR updates for dynamic components (#​18079)

  • fix: correctly calculate @const blockers (#​18039)

  • fix: freeze deriveds once their containing effects are destroyed (#​17921)

  • fix: defer error boundary rendering in forks (#​18076)

  • fix: avoid false positives for reactivity loss warning (#​18088)

v5.55.2

Compare Source

Patch Changes

  • fix: invalidate @const tags based on visible references in legacy mode (#​18041)

  • fix: handle parens in template expressions more robustly (#​18075)

  • fix: disallow -- in idPrefix (#​18038)

  • fix: correct types for ontoggle on <details> elements (#​18063)

  • fix: don't override $destroy/set/on instance methods in dev mode (#​18034)

  • fix: unskip branches of earlier batches after commit (#​18048)

  • fix: never set derived.v inside fork (#​18037)

  • fix: skip rebase logic in non-async mode (#​18040)

  • fix: don't reset status of uninitialized deriveds (#​18054)

v5.55.1

Compare Source

Patch Changes

  • fix: correctly handle bindings on the server (#​18009)

  • fix: prevent hydration error on async {@&#8203;html ...} (#​17999)

  • fix: cleanup superTypeParameters in ClassDeclarations/ClassExpression (#​18015)

  • fix: improve duplicate module import error message (#​18016)

  • fix: reschedule new effects in prior batches (#​18021)

v5.55.0

Compare Source

Minor Changes
  • feat: export TweenOptions, SpringOptions, SpringUpdateOptions and Updater from svelte/motion (#​17967)
Patch Changes
  • fix: ensure HMR wrapper forwards correct start/end nodes to active effect (#​17985)

v5.54.1

Compare Source

Patch Changes

  • fix: hydration comments during hmr (#​17975)

  • fix: null out effect.b in destroy_effect (#​17980)

  • fix: group sync statements (#​17977)

  • fix: defer batch resolution until earlier intersecting batches have committed (#​17162)

  • fix: properly invoke iterator.return() during reactivity loss check (#​17966)

  • fix: remove trailing semicolon from {@​const} tag printer (#​17962)

v5.54.0

Compare Source

Minor Changes
  • feat: allow css, runes, customElement compiler options to be functions (#​17951)
Patch Changes
  • fix: reinstate reactivity loss tracking (#​17801)

v5.53.13

Compare Source

Patch Changes

  • fix: ensure $inspect after top level await doesn't break builds (#​17943)

  • fix: resume inert effects when they come from offscreen (#​17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#​17938)

  • fix: discard batches made obsolete by commit (#​17934)

  • fix: ensure "is standalone child" is correctly reset (#​17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#​17932)

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@matticbot matticbot added [Status] Needs Review This PR is ready for review. Task labels May 14, 2026
@matticbot matticbot requested a review from a team as a code owner May 14, 2026 21:08
@matticbot matticbot force-pushed the renovate/npm-svelte-vulnerability branch from 9ee2c83 to fe0a8c6 Compare May 15, 2026 19:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 15, 2026
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the renovate/npm-svelte-vulnerability branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack renovate/npm-svelte-vulnerability

bin/jetpack-downloader test jetpack-mu-wpcom-plugin renovate/npm-svelte-vulnerability

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@tbradsha tbradsha requested a review from a team May 15, 2026 19:48
@jp-launch-control
Copy link
Copy Markdown

jp-launch-control Bot commented May 15, 2026
edited
Loading

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report

@matticbot
Copy link
Copy Markdown
Contributor Author

matticbot commented May 15, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@tbradsha tbradsha self-assigned this May 16, 2026
@kraftbj kraftbj merged commit 8e659a5 into trunk May 16, 2026
92 checks passed
@kraftbj kraftbj deleted the renovate/npm-svelte-vulnerability branch May 16, 2026 01:46
@github-actions github-actions Bot removed the [Status] Needs Review This PR is ready for review. label May 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kraftbj kraftbj kraftbj approved these changes

Assignees

@tbradsha tbradsha

Labels

[JS Package] Image Guide [Plugin] Inspect RNA Task

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@matticbot @kraftbj @tbradsha @renovate-bot