Security vulnerabilities (fix first)
vite (8.0.14 → 8.1.0, a minor bump): two advisories — `server.fs.deny` bypass on Windows alternate paths (high, CWE-22/200) and NTLMv2 hash disclosure via UNC paths (moderate, CWE-73/522). Direct dependency. Both are dev-server issues (`vite dev`, `server.fs` config), so the production build is not affected, but developer machines are.
esbuild (transitive): arbitrary file read via the dev server on Windows (low, CWE-22). Fixed by upgrading vite, which pulls in the patched esbuild (esbuild is only reached transitively, via the svelte-i18n override); confirm with `npm ls esbuild` that a single patched version is resolved.
Outdated packages
| Package | Current | Latest | Bump type | Notes |
|---|---|---|---|---|
| vite | 8.0.14 | 8.1.0 | minor | CVE fix — priority |
| @sveltejs/kit | 2.61.1 | 2.68.0 | minor | Core framework |
| svelte | 5.55.9 | 5.56.4 | minor | Core framework |
| svelte-check | 4.4.8 | 4.7.1 | minor | |
| @sveltejs/adapter-node | 5.5.4 | 5.5.7 | patch | |
| @sveltejs/vite-plugin-svelte | not installed / indirect | latest | — | check if needed |
| eslint | 10.4.0 | 10.6.0 | minor | |
| eslint-plugin-svelte | 3.17.1 | 3.20.0 | minor | |
| typescript-eslint | 8.59.4 | 8.62.1 | minor | |
| @playwright/test | 1.60.0 | 1.61.1 | minor | |
| prettier | 3.8.3 | 3.9.3 | minor | |
| prettier-plugin-svelte | 4.0.1 | 4.1.1 | minor | |
| @iconify/svelte | 5.2.1 | 5.2.2 | patch | |
| @privacybydesign/yivi-web | 1.0.1 | 1.0.2 | patch | |
| sass | 1.100.0 | 1.101.0 | minor | |
| @types/node | 25.9.1 | 26.0.1 | major | Node typings |
| globals | 17.6.0 | 17.7.0 | minor | |
| tsx | 4.22.3 | 4.22.4 | patch | |
| vitest | 4.1.7 | 4.1.9 | patch | |

Bump type is the highest semver component that changes between Current and Latest (8.0.14 → 8.1.0 and 5.55.9 → 5.56.4 are minor, not patch). Minor and patch bumps are batched together below, so this only affects how carefully each entry is reviewed.
Worker instructions
- CVEs first (all in one PR, severity order):
  - Upgrade `vite` to `^8.1.0` — fixes both vite advisories and the transitive esbuild advisory.
  - Run `npm audit` to confirm zero remaining vulnerabilities (its exit code is non-zero while any advisory is still open), and check `npm ls esbuild` shows only the patched version.
- Minor/patch batch (one PR): upgrade all minor and patch packages together — @sveltejs/kit, svelte, svelte-check, @sveltejs/adapter-node, eslint, eslint-plugin-svelte, typescript-eslint, @playwright/test, prettier, prettier-plugin-svelte, @iconify/svelte, @privacybydesign/yivi-web, sass, globals, tsx, vitest.
- Major individually: `@types/node` 25 → 26 in its own PR (review for API-breaking changes, and confirm the typings major matches the Node major the project actually runs on in CI and under adapter-node).
- After each batch: run `npm run build` and `npx vitest run` (unit tests). Fix any failures before opening the PR.
- Open a DRAFT PR titled `chore: update dependencies`, assign reviewer rubenhensen, and include `Closes #<this issue number>` on its own line in the PR body.
- Monitor CI. Once all checks are green, mark the PR ready for review with `gh pr ready`.
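The batching above can be derived mechanically from the JSON that `npm outdated --json` and `npm audit --json` print. The script below is an added example, not code from this issue or the project: it classifies each bump by the highest semver component that changes, puts direct dependencies with an open advisory into the CVE PR (most severe first), batches the remaining minor/patch bumps, isolates majors, and flags transitive advisories that npm reports as having no available fix (those need an override rather than a plain bump). The two sample documents are constructed to mirror this issue's numbers; field names follow npm's JSON output, and the `wanted` values are assumed.

```javascript
// Added example (not code from the issue or the project): classify semver bumps
// and build the PR batches described above from `npm outdated --json` and
// `npm audit --json` output. Sample inputs below are constructed.

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; null for anything else
// (e.g. "latest" or "not installed / indirect").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Bump type between two versions: the highest component that changed wins,
// so 8.0.14 -> 8.1.0 is "minor", not "patch".
function bumpType(current, latest) {
  const a = parseSemver(current);
  const b = parseSemver(latest);
  if (!a || !b) return 'unknown';
  if (a.major !== b.major) return 'major';
  if (a.minor !== b.minor) return 'minor';
  if (a.patch !== b.patch) return 'patch';
  if (a.pre !== b.pre) return 'prerelease';
  return 'none';
}

// Split the two reports into the PR batches from the plan:
//   security          - direct deps with an open advisory, most severe first (one PR)
//   minorPatch        - remaining minor/patch bumps (one PR)
//   major             - major bumps, one PR each
//   unfixedTransitive - transitive advisories npm marks fixAvailable:false;
//                       these need an override, not just a direct bump
function planUpdate(outdated, audit) {
  const vulns = Object.values(audit.vulnerabilities || {});
  const security = vulns
    .filter((v) => v.isDirect)
    .sort((x, y) => SEVERITY_ORDER[x.severity] - SEVERITY_ORDER[y.severity])
    .map((v) => v.name);
  const unfixedTransitive = vulns
    .filter((v) => !v.isDirect && v.fixAvailable === false)
    .map((v) => v.name);
  const minorPatch = [];
  const major = [];
  for (const [name, info] of Object.entries(outdated)) {
    if (security.includes(name)) continue; // already covered by the CVE PR
    const t = bumpType(info.current, info.latest);
    if (t === 'major') major.push(name);
    else if (t === 'minor' || t === 'patch') minorPatch.push(name);
    // 'unknown' / 'none' / 'prerelease' entries are left for manual review
  }
  return { security, unfixedTransitive, minorPatch, major };
}

// Gate for the "confirm zero remaining vulnerabilities" step: npm's summary
// counts affected packages, so any non-zero total means an advisory is still open.
function auditClean(audit) {
  const m = audit.metadata && audit.metadata.vulnerabilities;
  return !!m && m.total === 0;
}

// ---- constructed sample input (mirrors the issue's figures; not real command output) ----
const sampleOutdated = {
  vite: { current: '8.0.14', wanted: '8.0.14', latest: '8.1.0' },
  '@sveltejs/kit': { current: '2.61.1', wanted: '2.68.0', latest: '2.68.0' },
  svelte: { current: '5.55.9', wanted: '5.56.4', latest: '5.56.4' },
  tsx: { current: '4.22.3', wanted: '4.22.4', latest: '4.22.4' },
  '@types/node': { current: '25.9.1', wanted: '25.9.1', latest: '26.0.1' },
};

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    esbuild: {
      name: 'esbuild', severity: 'low', isDirect: false,
      fixAvailable: { name: 'vite', version: '8.1.0', isSemVerMajor: false },
    },
    vite: {
      name: 'vite', severity: 'high', isDirect: true,
      fixAvailable: { name: 'vite', version: '8.1.0', isSemVerMajor: false },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

console.log(JSON.stringify(planUpdate(sampleOutdated, sampleAudit), null, 2));
console.log('audit clean:', auditClean(sampleAudit)); // false until vite is bumped
```

Run it as `node plan.js` after saving the real `npm outdated --json` and `npm audit --json` output and swapping the constructed samples for those files; `auditClean` is what the CVE PR's "zero remaining vulnerabilities" check should assert on, and a non-empty `unfixedTransitive` list means a package override is needed before that check can pass.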