npm audit reports two open advisories on main:
High — devalue 5.6.3–5.8.0 (transitive via @sveltejs/kit)
- GHSA-77vg-94rm-hx3p — Svelte devalue: DoS via sparse array deserialization
- Fix available; resolved by bumping the SvelteKit/svelte stack so a patched devalue resolves.
Moderate — svelte ≤5.55.6
- GHSA-pr6f-5x2q-rwfp — SSR XSS via spread attributes
- GHSA-f3cj-j4f6-wq85 — SSR XSS via insecure Promise serialization in hydratable
- GHSA-rcqx-6q8c-2c42 — XSS via DOM Clobbering of internal framework state
package.json declares "svelte": "^5.55.5". Bumping to the latest 5.x within the caret range pulls the patched version.
What to do
- Run `npm audit` to reproduce. `npm update svelte @sveltejs/kit` (or bump the caret if needed) until `npm audit` reports 0 advisories.
- Build + run the full test suite + Playwright check on the dev server (see rules/workspace-preinstalled-tooling.md).
- Open a draft PR; if CI passes, mark ready with `gh pr ready`.
- Assign @rubenhensen as reviewer.
No npm outdated entries are pending — the only changes needed are the security-driven bumps above.
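To make the "until npm audit reports 0 advisories" step scriptable, here is an added example (not code from this repository or from npm) that parses `npm audit --json` output and gates on it. The report shape is npm's audit report version 2; the embedded sample report, the `audit-gate.js` filename and the `--stdin` flag are assumptions, while the advisory ids and ranges are the ones listed in this issue.

```javascript
// Added example, not from the issue: summarise `npm audit --json` output and gate on
// it, so "until npm audit reports 0 advisories" becomes a scriptable CI check.
// Report shape follows npm's audit report version 2 (npm 7+); SAMPLE_REPORT below is
// constructed to mirror the advisories listed in the issue, not captured npm output.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// One row per advisory. `via` entries are objects for advisories on the package itself
// and plain strings for packages only affected through a vulnerable dependency
// (@sveltejs/kit via devalue), so the transitive case is not double-counted.
function summarizeAudit(report) {
  const rows = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== 'object') continue; // pointer to the dep that carries the advisory
      rows.push({
        package: pkg, severity: via.severity, range: via.range,
        ghsa: (via.url || '').split('/').pop(),
        direct: Boolean(vuln.isDirect), fixAvailable: Boolean(vuln.fixAvailable),
      });
    }
  }
  return rows;
}
// Merge gate: true when no advisory at or above `threshold` remains (unknown severity
// is treated as critical so a malformed entry can never pass silently).
function auditPasses(report, threshold = 'low') {
  return summarizeAudit(report)
    .every(r => (SEVERITY_RANK[r.severity] ?? 4) < SEVERITY_RANK[threshold]);
}
const advisory = (name, severity, range, id) =>
  ({ name, severity, range, url: `https://github.com/advisories/${id}` });
const SAMPLE_REPORT = { // constructed sample mirroring the issue's findings
  auditReportVersion: 2,
  vulnerabilities: {
    devalue: { name: 'devalue', severity: 'high', isDirect: false, fixAvailable: true,
      via: [advisory('devalue', 'high', '>=5.6.3 <=5.8.0', 'GHSA-77vg-94rm-hx3p')] },
    '@sveltejs/kit': { name: '@sveltejs/kit', severity: 'high', isDirect: true,
      fixAvailable: true, via: ['devalue'] },
    svelte: { name: 'svelte', severity: 'moderate', isDirect: true, fixAvailable: true,
      via: ['GHSA-pr6f-5x2q-rwfp', 'GHSA-f3cj-j4f6-wq85', 'GHSA-rcqx-6q8c-2c42']
        .map(id => advisory('svelte', 'moderate', '<=5.55.6', id)) },
  },
};
// `node audit-gate.js` tabulates the sample; `npm audit --json | node audit-gate.js --stdin`
// gates a real report and exits non-zero while advisories remain.
const useStdin = process.argv.includes('--stdin');
const report = useStdin ? JSON.parse(require('node:fs').readFileSync(0, 'utf8')) : SAMPLE_REPORT;
console.table(summarizeAudit(report));
if (useStdin && !auditPasses(report)) process.exit(1);
```

Run it in CI after the `npm update` step; a non-zero exit means the bump has not yet pulled patched versions for every listed advisory.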