Skip to content

chore(deps): update dependency devalue@>=5.3.0 <=5.6.1 to >=5.6.4 [security]#3135

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-devalue-=5.3.0-=5.6.1-vulnerability
Open

chore(deps): update dependency devalue@>=5.3.0 <=5.6.1 to >=5.6.4 [security]#3135
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-devalue-=5.3.0-=5.6.1-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 12, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
devalue@>=5.3.0 <=5.6.1 [>=5.6.3>=5.6.4](https://renovatebot.com/diffs/npm/devalue@&gt;&#x3D;5.3.0 <=5.6.1/5.6.3/5.6.4) age confidence

GitHub Vulnerability Alerts

CVE-2026-30226

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

GHSA-mwv9-gp5h-frr4

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

devalue has prototype pollution in devalue.parse and devalue.unflatten

CVE-2026-30226 / GHSA-cfw5-2vxh-hr84

More information

Details

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Sveltejs devalue's devalue.parse and devalue.unflatten emit objects with __proto__ own properties

GHSA-mwv9-gp5h-frr4

More information

Details

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

sveltejs/devalue (devalue@>=5.3.0 <=5.6.1)

v5.6.4

Compare Source

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone America/New_York.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file renovate-bot labels Mar 12, 2026
@renovate renovate bot added dependencies Pull requests that update a dependency file renovate-bot labels Mar 12, 2026
@renovate renovate bot enabled auto-merge (squash) March 12, 2026 19:54
@netlify
Copy link

netlify bot commented Mar 12, 2026
edited
Loading

Deploy Preview for kongponents-sandbox ready!

Name Link
🔨 Latest commit 13de26d
🔍 Latest deploy log https://app.netlify.com/projects/kongponents-sandbox/deploys/69b422ed3f5bcf0008b36e5d
😎 Deploy Preview https://deploy-preview-3135--kongponents-sandbox.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify
Copy link

netlify bot commented Mar 12, 2026
edited
Loading

Deploy Preview for kongponents ready!

Name Link
🔨 Latest commit 13de26d
🔍 Latest deploy log https://app.netlify.com/projects/kongponents/deploys/69b422ed56ca9e00082e6915
😎 Deploy Preview https://deploy-preview-3135--kongponents.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate bot force-pushed the renovate/npm-devalue-=5.3.0-=5.6.1-vulnerability branch 3 times, most recently from bec128b to 7b14209 Compare March 13, 2026 14:35
@renovate
chore(deps): update dependency devalue@&gt;&#x3d;5.3.0 &lt;&#x3d;5.6.…
13de26d 
…1 to >=5.6.4 [security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-devalue-=5.3.0-=5.6.1-vulnerability branch from 7b14209 to 13de26d Compare March 13, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kongponents-bot kongponents-bot Awaiting requested review from kongponents-bot kongponents-bot is a code owner

@adamdehaven adamdehaven Awaiting requested review from adamdehaven adamdehaven is a code owner

@jillztom jillztom Awaiting requested review from jillztom jillztom is a code owner

@kaiarrowood kaiarrowood Awaiting requested review from kaiarrowood kaiarrowood is a code owner

@Justineo Justineo Awaiting requested review from Justineo Justineo is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file renovate-bot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants