chore(deps): update dependency svelte to v5.55.7 [security]#53

Merged
insertish merged 1 commit into
mainfrom
renovate/npm-svelte-vulnerability
Jun 2, 2026
Conversation

@renovate renovate Bot commented Mar 1, 2026

This PR contains the following updates:

Package: svelte (source)
Change: 5.49.2 -> 5.55.7
Age / Confidence: (badges not captured)

Svelte affected by XSS in SSR <option> element

CVE-2026-27119 / GHSA-h7h7-mm68-gmrc

Details

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte affected by cross-site scripting via spread attributes in Svelte SSR

CVE-2026-27121 / GHSA-f7gr-6p89-r883

Details

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR does not validate dynamic element tag names in <svelte:element>

CVE-2026-27122 / GHSA-m56q-vw4c-c2cp

Details

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR attribute spreading includes inherited properties from prototype chain

CVE-2026-27125 / GHSA-crpf-4hrx-3jrp

Details

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent

CVE-2026-27901 / GHSA-phwv-c562-gvmh

Details

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte: SSR XSS via Insecure Promise Serialization in hydratable

GHSA-f3cj-j4f6-wq85

Details

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/svelte (svelte)

v5.55.7

Compare Source

Patch Changes

v5.55.6

Compare Source

Patch Changes
  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#​18180)

  • fix: keep dependencies of $state.eager/pending (#​18218)

  • fix: reapply context after transforming error during SSR (#​18099)

  • fix: don't rebase just-created batches (#​18117)

  • chore: allow null for pending in typings (#​18201)

  • fix: flush eager effects in production (#​18107)

  • fix: rethrow error of failed iterable after calling return() (#​18169)

  • fix: account for proxified instance when updating bind:this (#​18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#​18131)

  • fix: resolve stale deriveds with latest value (#​18167)

  • chore: remove unnecessary increment_pending calls (#​18183)

  • fix: correctly compile component member expressions for SSR (#​18192)

  • fix: reset source.updated stack traces after flush (#​18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#​18205)

  • fix: allow @debug tags to reference awaited variables (#​18138)

  • fix: re-run fallback props if dependencies update (#​18146)

  • fix: abort running obsolete async branches (#​18118)

  • fix: ignore comments when reading CSS values (#​18153)

  • fix: wrap Promise.all in save during SSR (#​18178)

  • fix: ignore false-positive errors of $inspect dependencies (#​18106)

v5.55.5

Compare Source

Patch Changes
  • fix: don't mark deriveds while an effect is updating (#​18124)

  • fix: do not dispatch introstart event with animation of animate directive (#​18122)

v5.55.4

Compare Source

Patch Changes
  • fix: never mark a child effect root as inert (#​18111)

  • fix: reset context after waiting on blockers of @const expressions (#​18100)

  • fix: keep flushing new eager effects (#​18102)

v5.55.3

Compare Source

Patch Changes
  • fix: ensure proper HMR updates for dynamic components (#​18079)

  • fix: correctly calculate @const blockers (#​18039)

  • fix: freeze deriveds once their containing effects are destroyed (#​17921)

  • fix: defer error boundary rendering in forks (#​18076)

  • fix: avoid false positives for reactivity loss warning (#​18088)

v5.55.2

Compare Source

Patch Changes
  • fix: invalidate @const tags based on visible references in legacy mode (#​18041)

  • fix: handle parens in template expressions more robustly (#​18075)

  • fix: disallow -- in idPrefix (#​18038)

  • fix: correct types for ontoggle on <details> elements (#​18063)

  • fix: don't override $destroy/set/on instance methods in dev mode (#​18034)

  • fix: unskip branches of earlier batches after commit (#​18048)

  • fix: never set derived.v inside fork (#​18037)

  • fix: skip rebase logic in non-async mode (#​18040)

  • fix: don't reset status of uninitialized deriveds (#​18054)

v5.55.1

Compare Source

Patch Changes
  • fix: correctly handle bindings on the server (#​18009)

  • fix: prevent hydration error on async {@html ...} (#​17999)

  • fix: cleanup superTypeParameters in ClassDeclarations/ClassExpression (#​18015)

  • fix: improve duplicate module import error message (#​18016)

  • fix: reschedule new effects in prior batches (#​18021)

v5.55.0

Compare Source

Minor Changes
  • feat: export TweenOptions, SpringOptions, SpringUpdateOptions and Updater from svelte/motion (#​17967)
Patch Changes
  • fix: ensure HMR wrapper forwards correct start/end nodes to active effect (#​17985)

v5.54.1

Compare Source

Patch Changes
  • fix: hydration comments during hmr (#​17975)

  • fix: null out effect.b in destroy_effect (#​17980)

  • fix: group sync statements (#​17977)

  • fix: defer batch resolution until earlier intersecting batches have committed (#​17162)

  • fix: properly invoke iterator.return() during reactivity loss check (#​17966)

  • fix: remove trailing semicolon from {@const} tag printer (#​17962)

v5.54.0

Compare Source

Minor Changes
  • feat: allow css, runes, customElement compiler options to be functions (#​17951)
Patch Changes
  • fix: reinstate reactivity loss tracking (#​17801)

v5.53.13

Compare Source

Patch Changes
  • fix: ensure $inspect after top level await doesn't break builds (#​17943)

  • fix: resume inert effects when they come from offscreen (#​17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#​17938)

  • fix: discard batches made obsolete by commit (#​17934)

  • fix: ensure "is standalone child" is correctly reset (#​17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#​17932)

v5.53.12

Compare Source

Patch Changes
  • fix: update select.__value on change (#​17745)

  • chore: add invariant helper for debugging (#​17929)

  • fix: ensure deriveds values are correct across batches (#​17917)

  • fix: handle async RHS in assignment_value_stale (#​17925)

  • fix: avoid traversing clean roots (#​17928)

v5.53.11

Compare Source

Patch Changes
  • fix: remove untrack circular dependency (#​17910)

  • fix: recover from errors that leave a corrupted effect tree (#​17888)

  • fix: properly lazily evaluate RHS when checking for assignment_value_stale (#​17906)

  • fix: resolve boundary in correct batch when hydrating (#​17914)

  • chore: rebase batches after process, not during (#​17900)

v5.53.10

Compare Source

Patch Changes
  • fix: re-process batch if new root effects were scheduled (#​17895)

v5.53.9

Compare Source

Patch Changes
  • fix: better bind:this cleanup timing (#​17885)

v5.53.8

Compare Source

Patch Changes
  • fix: {@html} no longer duplicates content inside contenteditable elements (#​17853)

  • fix: don't access inert block effects (#​17882)

  • fix: handle async updates within pending boundary (#​17873)

  • perf: avoid re-traversing the effect tree after $: assignments (#​17848)

  • chore: simplify scheduling logic (#​17805)

v5.53.7

Compare Source

Patch Changes
  • fix: correctly add __svelte_meta after else-if chains (#​17830)

  • perf: cache element interactivity and source line splitting in compiler (#​17839)

  • chore: avoid rescheduling effects during branch commit (#​17837)

  • perf: optimize CSS selector pruning (#​17846)

  • fix: preserve original boundary errors when keyed each rows are removed during async updates (#​17843)

  • perf: avoid O(n²) name scanning in scope generate and unique (#​17844)

  • fix: preserve each items that are needed by pending batches (#​17819)

v5.53.6

Compare Source

Patch Changes
  • perf: optimize parser hot paths for faster compilation (#​17811)

  • fix: SvelteMap incorrectly handles keys with undefined values (#​17826)

  • fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#​17828)

  • fix: visit synthetic value node during ssr (#​17824)

  • fix: always case insensitive event handlers during ssr (#​17822)

  • chore: more efficient effect scheduling (#​17808)

  • perf: optimize compiler analysis phase (#​17823)

  • fix: skip redundant batch.apply (#​17816)

  • chore: null out current_batch before committing branches (#​17809)

v5.53.5

Compare Source

Patch Changes

v5.53.4

Compare Source

Patch Changes
  • fix: set server context after async transformError (#​17799)

  • fix: hydrate if blocks correctly (#​17784)

  • fix: handle default parameters scope leaks (#​17788)

  • fix: prevent flushed effects from running again (#​17787)

v5.53.3

Compare Source

Patch Changes
  • fix: render :catch of #await block with correct key (#​17769)

  • chore: pin aria-query@5.3.1 (#​17772)

  • fix: make string coercion consistent to toString (#​17774)

v5.53.2

Compare Source

Patch Changes
  • fix: update expressions on server deriveds (#​17767)

  • fix: further obfuscate node:crypto import from overzealous static analysis (#​17763)

v5.53.1

Compare Source

Patch Changes
  • fix: handle shadowed function names correctly (#​17753)

v5.53.0

Compare Source

Minor Changes
  • feat: allow comments in tags (#​17671)

  • feat: allow error boundaries to work on the server (#​17672)

Patch Changes
  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

  • fix: ensure head effects are kept in the effect tree (#​17746)

  • chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes
  • feat: support TrustedHTML in {@html} expressions (#​17701)
Patch Changes
  • fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

  • fix: re-run non-render-bound deriveds on the server (#​17674)

v5.51.5

Compare Source

Patch Changes

v5.51.4

Compare Source

Patch Changes
  • chore: proactively defer effects in pending boundary (#​17734)

  • fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes
  • fix: prevent event delegation logic conflicting between svelte instances (#​17728)

  • fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

  • fix: locate Rollup annotation friendly to JS downgraders (#​17724)

  • fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes
  • fix: take async into consideration for dev delegated handlers (#​17710)

  • fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes
  • fix: don't crash on undefined document.contentType (#​17707)

  • fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes
  • feat: Use TrustedTypes for HTML handling where supported (#​16271)
Patch Changes
  • fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

  • fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

  • fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes
  • fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

  • fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

  • fix: always lowercase HTML elements, for XHTML compliance (#​17664)

  • fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

  • fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes
  • fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

  • fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

  • chore: provide proper public type for parseCss result (#​17654)

  • fix: robustify blocker calculation (#​17676)

  • fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes
  • fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

  • fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes
  • feat: allow use of createContext when instantiating components programmatically (#​17575)
Patch Changes
  • fix: ensure infinite effect loops are cleared after flushing (#​17601)

  • fix: allow {#key NaN} (#​17642)

  • fix: detect store in each block expression regardless of AST shape (#​17636)

  • fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

  • fix: add vite-ignore comment inside dynamic crypto import (#​17623)

  • chore: wrap JSDoc URLs in @see and @link tags (#​17617)

  • fix: properly hydrate already-resolved async blocks (#​17641)

  • fix: emit each_key_duplicate error in production (#​16724)

  • fix: exit resolved async blocks on correct node when hydrating (#​17640)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
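The four SSR advisories in this PR share one root cause: data flowing into server-rendered HTML without the checks the output context requires. The example below is an added illustration for review purposes; it is not Svelte's code and does not describe how Svelte implements its fixes. It shows, in a toy SSR serializer, the four defensive checks the advisory texts imply: validating a dynamic tag name before emitting it (CVE-2026-27122), enumerating only own properties when spreading attributes so a polluted prototype cannot contribute keys (CVE-2026-27125), dropping `on*` event-handler keys from spread attributes (CVE-2026-27121), and escaping text such as `<option>` labels (CVE-2026-27119). All function names (`renderElement`, `serializeAttributes`, `escapeHtml`, `assertValidTagName`, `renderOption`) and the sample inputs are constructed for this example.

```javascript
// Added example, not Svelte's own renderer: a minimal SSR serializer showing
// the defensive checks implied by the advisories above. Names and inputs are
// constructed for illustration.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use as element text or inside a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// A dynamic tag name (<svelte:element this={tag}> style) must be validated
// before it is concatenated into markup; anything outside a conservative
// name grammar is rejected rather than emitted.
const TAG_NAME = /^[a-zA-Z][a-zA-Z0-9-]*$/;

function assertValidTagName(tag) {
  if (typeof tag !== 'string' || !TAG_NAME.test(tag)) {
    throw new Error(`invalid tag name: ${JSON.stringify(tag)}`);
  }
  return tag.toLowerCase();
}

const ATTR_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/;

// Serialize a spread-attribute object. Object.keys() yields own enumerable
// properties only, so inherited (possibly polluted) prototype properties are
// never enumerated; event-handler keys are dropped because they have no
// legitimate SSR representation and would otherwise be emitted verbatim.
function serializeAttributes(attrs) {
  const out = [];
  for (const key of Object.keys(attrs)) {
    if (/^on/i.test(key)) continue;          // conservative: any on* key is a handler
    if (!ATTR_NAME.test(key)) continue;      // malformed attribute name
    const value = attrs[key];
    if (value === false || value == null) continue;
    if (value === true) { out.push(key); continue; }  // boolean attribute
    out.push(`${key}="${escapeHtml(value)}"`);
  }
  return out.length ? ' ' + out.join(' ') : '';
}

function renderElement(tag, attrs = {}, text = '') {
  const name = assertValidTagName(tag);
  return `<${name}${serializeAttributes(attrs)}>${escapeHtml(text)}</${name}>`;
}

// The <option> case: the label is text content and must be escaped like any
// other text node, regardless of where it came from.
function renderOption(value, label) {
  return renderElement('option', { value }, label);
}

// Constructed sample: an attribute object whose prototype carries an extra
// property, standing in for a polluted Object.prototype without touching it.
function sampleInheritedAttrs() {
  const attrs = Object.create({ polluted: 'inherited' });
  attrs.id = 'a';
  return attrs;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderOption('1', 'a < b & "c"'));
  console.log(renderElement('div', { class: 'x', onclick: 'handler()' }, 'hi'));
  console.log(renderElement('span', sampleInheritedAttrs()));
}
```

Each check addresses one advisory: if the own-property filter is replaced with a `for...in` loop, `sampleInheritedAttrs()` would render `polluted="inherited"`, which is the prototype-chain behaviour CVE-2026-27125 describes.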

@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 23de620 to e280922 Compare March 13, 2026 20:50
@renovate renovate Bot changed the title chore(deps): update dependency svelte to v5.53.5 [security] chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed Mar 30, 2026
@renovate renovate Bot closed this Mar 30, 2026
@renovate renovate Bot deleted the renovate/npm-svelte-vulnerability branch March 30, 2026 09:38
@renovate renovate Bot changed the title chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed chore(deps): update dependency svelte to v5.53.5 [security] Mar 31, 2026
@renovate renovate Bot reopened this Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from e280922 to 6bd7d3b Compare March 31, 2026 11:53
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 6 times, most recently from d925957 to 96a101a Compare April 9, 2026 18:14
@renovate renovate Bot changed the title chore(deps): update dependency svelte to v5.53.5 [security] chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed chore(deps): update dependency svelte to v5.53.5 [security] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 96a101a to 0078154 Compare April 28, 2026 12:23
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from 6a692d9 to eaf76af Compare May 14, 2026 12:15
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from c4c399c to f1d9ebe Compare May 18, 2026 14:15
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 56cfa82 to f5fc4ae Compare May 29, 2026 13:39
@renovate renovate Bot changed the title chore(deps): update dependency svelte to v5.53.5 [security] chore(deps): update dependency svelte to v5.55.7 [security] Jun 2, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from f5fc4ae to d885c4c Compare June 2, 2026 15:09
@insertish insertish enabled auto-merge (squash) June 2, 2026 15:28
@insertish insertish merged commit 6aaccb6 into main Jun 2, 2026
11 checks passed