chore: update dependencies (svelte/devalue security advisories) #220

Description

@dobby-coder

npm audit reports two open advisories on main:

High — devalue 5.6.3–5.8.0 (transitive via @sveltejs/kit)

  • GHSA-77vg-94rm-hx3p — Svelte devalue: DoS via sparse array deserialization
  • Fix available; resolved by bumping the SvelteKit/svelte stack so a patched devalue resolves.

Moderate — svelte ≤5.55.6

  • GHSA-pr6f-5x2q-rwfp — SSR XSS via spread attributes
  • GHSA-f3cj-j4f6-wq85 — SSR XSS via insecure Promise serialization in hydratable
  • GHSA-rcqx-6q8c-2c42 — XSS via DOM Clobbering of internal framework state
  • package.json declares "svelte": "^5.55.5". Bumping to the latest 5.x within the caret range pulls the patched version.

What to do

  1. Run npm audit to reproduce.
  2. npm update svelte @sveltejs/kit (or bump the caret if needed) until npm audit reports 0 advisories.
  3. Build + run the full test suite + Playwright check on the dev server (see rules/workspace-preinstalled-tooling.md).
  4. Open a draft PR; if CI passes, mark ready with gh pr ready.
  5. Assign @rubenhensen as reviewer.

No npm outdated entries are pending — the only changes needed are the security-driven bumps above.
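The remediation loop in step 2 ("until npm audit reports 0 advisories") is easy to turn into a CI gate. The script below is an added example written for this issue, not code from the issue author or the project: it parses the JSON that `npm audit --json` emits (the auditReportVersion 2 shape, which is an assumption about the npm version in use), lists each GHSA advisory once with its package, vulnerable range and whether npm reports a fix, and exits non-zero when anything at or above a chosen severity remains. The `run_npm_audit` helper needs npm and a project directory and is only used when a path is passed on the command line; otherwise the script runs over `SAMPLE_AUDIT_JSON`, a constructed report that mirrors the advisories listed above.

```python
"""Severity gate over `npm audit --json` output (added example, not the project's code)."""
import json
import subprocess
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str
    package: str
    severity: str
    vulnerable_range: str
    title: str
    is_direct: bool        # declared in package.json vs. pulled in transitively
    fix_available: bool


def parse_audit(report_json: str) -> list[Advisory]:
    """Flatten npm's report into one Advisory per GHSA id.

    In auditReportVersion 2, a package's `via` list holds a dict for each
    advisory that applies to it directly and a bare string naming another
    vulnerable package when the finding is only inherited (e.g. @sveltejs/kit
    via devalue). Only dicts are advisories; strings are skipped so a
    transitive parent does not double-count the same GHSA id.
    """
    report = json.loads(report_json)
    seen: dict = {}
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            ghsa_id = via.get("url", "").rsplit("/", 1)[-1] or via.get("title", "")
            if ghsa_id in seen:
                continue
            seen[ghsa_id] = Advisory(
                ghsa_id=ghsa_id,
                package=pkg,
                severity=via.get("severity", entry.get("severity", "info")),
                vulnerable_range=via.get("range", entry.get("range", "")),
                title=via.get("title", ""),
                is_direct=bool(entry.get("isDirect", False)),
                fix_available=bool(entry.get("fixAvailable", False)),
            )
    # Highest severity first, then by package name.
    return sorted(seen.values(), key=lambda a: (-SEVERITY_RANK.get(a.severity, 0), a.package))


def blocking(advisories: list[Advisory], threshold: str = "moderate") -> list[Advisory]:
    """Advisories whose severity is at or above `threshold`."""
    floor = SEVERITY_RANK[threshold]
    return [a for a in advisories if SEVERITY_RANK.get(a.severity, 0) >= floor]


def remediation_hint(adv: Advisory) -> str:
    """Map an advisory to the action the issue prescribes for it."""
    if not adv.fix_available:
        return "no fix available; needs an upstream release or a replacement"
    if adv.is_direct:
        return f"npm update {adv.package} (bump the caret in package.json if the patched version is outside it)"
    return f"transitive; update the parent so a patched {adv.package} resolves"


def format_report(advisories: list[Advisory]) -> str:
    lines = [f"{a.severity.upper():9}{a.ghsa_id}  {a.package} {a.vulnerable_range}: {a.title}\n"
             f"         -> {remediation_hint(a)}" for a in advisories]
    return "\n".join(lines) if lines else "0 advisories"


def run_npm_audit(project_dir: str) -> str:
    """Run `npm audit --json` in a project. npm exits non-zero whenever it finds
    anything, so the exit status is ignored and only stdout is parsed."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir,
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample in npm's auditReportVersion 2 shape, mirroring the issue's advisories.
_GH = "https://github.com/advisories/"
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "devalue": {"name": "devalue", "severity": "high", "isDirect": False,
                    "via": [{"name": "devalue", "severity": "high", "range": "5.6.3 - 5.8.0",
                             "title": "Svelte devalue: DoS via sparse array deserialization",
                             "url": _GH + "GHSA-77vg-94rm-hx3p"}],
                    "effects": ["@sveltejs/kit"], "range": "5.6.3 - 5.8.0", "fixAvailable": True},
        "@sveltejs/kit": {"name": "@sveltejs/kit", "severity": "high", "isDirect": True,
                          "via": ["devalue"], "effects": [], "range": "*", "fixAvailable": True},
        "svelte": {"name": "svelte", "severity": "moderate", "isDirect": True,
                   "via": [{"name": "svelte", "severity": "moderate", "range": "<=5.55.6",
                            "title": "SSR XSS via spread attributes", "url": _GH + "GHSA-pr6f-5x2q-rwfp"},
                           {"name": "svelte", "severity": "moderate", "range": "<=5.55.6",
                            "title": "SSR XSS via insecure Promise serialization in hydratable",
                            "url": _GH + "GHSA-f3cj-j4f6-wq85"},
                           {"name": "svelte", "severity": "moderate", "range": "<=5.55.6",
                            "title": "XSS via DOM Clobbering of internal framework state",
                            "url": _GH + "GHSA-rcqx-6q8c-2c42"}],
                   "effects": [], "range": "<=5.55.6", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2, "critical": 0, "total": 3}},
})

if __name__ == "__main__":
    report = run_npm_audit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDIT_JSON
    found = parse_audit(report)
    print(format_report(found))
    sys.exit(1 if blocking(found, "moderate") else 0)
```

Run it as `python audit_gate.py path/to/project` from CI after step 2; it exits 1 while any moderate-or-higher advisory remains, which is the same bar as `npm audit --audit-level=moderate` but with the direct-versus-transitive hint that tells you whether `npm update svelte` or a parent bump is the fix. Counting GHSA ids rather than npm's per-package totals matters here because `@sveltejs/kit` shows up as "high" only because it depends on `devalue`; the gate reports that advisory once.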

Metadata

Assignees: No one assigned
Labels: dependencies (Pull requests that update a dependency file)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests