Skip to content

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#126

Merged
spah-soptim merged 2 commits into
mainfrom
renovate/npm-sveltejs-kit-vulnerability
Jun 2, 2026
Merged

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#126
spah-soptim merged 2 commits into
mainfrom
renovate/npm-sveltejs-kit-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@sveltejs/kit (source) 2.57.12.60.1 age confidence

@​sveltejs/kit: query.batch cross-talk

GHSA-hgv7-v322-mmgr

More information

Details

query.batch() could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.60.1

Compare Source

Patch Changes
  • chore: bump svelte and devalue (#​15836)

  • fix: prevent query.batch cross-talk (dadaefc)

v2.60.0

Compare Source

Minor Changes
  • feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#​15802)

  • feat: warn on unread form remote function validation issues (#​15653)

Patch Changes
  • fix: abort navigation after async rendering if obsolete (#​15811)

  • fix: skip refreshing queries on full-page reload form submissions (#​15803)

v2.59.1

Compare Source

Patch Changes
  • fix: resolve paths to route files with the letter drive on Windows (#​15793)

v2.59.0

Compare Source

Minor Changes
  • feat: support query.batch in requested(...) (#​15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#​15705)

  • feat: experimental query.live function (#​15705)

Patch Changes
  • fix: unwrap Promise in RemoteCommand output type (#​15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#​15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#​15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#​15753)

  • fix: make sure queries always get started correctly (#​15705)

  • fix: allow plain functions as overrides in updates (#​15705)

v2.58.0

Compare Source

Minor Changes
  • breaking: require limit in requested (as originally intended) (#​15739)

  • feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#​15739)

  • breaking: requested now yields { arg, query } entries instead of the validated argument (#​15739)

Patch Changes
  • fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#​15699)

  • fix: prevent deep_set crash on nullish nested values (#​15600)

  • fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#​15723)

  • fix: don't warn about removed SSI comments in transformPageChunk (#​15695)

    Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

  • Change enhance function return type from void to MaybePromise. (#​15710)

  • fix: throw an error when resolve is called with an external URL (#​15733)

  • fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#​15718)

  • fix: reset form result on redirect (#​15724)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 18 times, most recently from 691c11e to 0aa9c17 Compare May 28, 2026 15:28
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 0aa9c17 to 5fb0327 Compare June 1, 2026 14:14
@spah-soptim spah-soptim self-assigned this Jun 2, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 5fb0327 to eac6f0e Compare June 2, 2026 12:26
Signed-off-by: Jan-Hendrik Spahn <jan-hendrik.spahn@soptim.de>
@spah-soptim spah-soptim enabled auto-merge (squash) June 2, 2026 12:27
@renovate

renovate Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@spah-soptim spah-soptim merged commit ad9f4b0 into main Jun 2, 2026
10 of 11 checks passed
@spah-soptim spah-soptim deleted the renovate/npm-sveltejs-kit-vulnerability branch June 2, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants