
chore(deps): bump svelte and @sveltejs/kit to patch security advisories#221

Merged

rubenhensen merged 1 commit into main from chore/deps-svelte-security on May 16, 2026

Conversation

@dobby-coder dobby-coder Bot commented May 15, 2026

Contributor

Summary

Bumps two direct devDependencies inside their existing caret ranges to clear the open npm audit advisories tracked in #220.

| Package | From | To | Why |
| --- | --- | --- | --- |
| svelte | ^5.55.5 (installed 5.55.6) | ^5.55.7 | Patches 4 moderate XSS/ReDoS advisories (GHSA-pr6f-5x2q-rwfp, GHSA-f3cj-j4f6-wq85, GHSA-rcqx-6q8c-2c42, GHSA-9rmh-mm8f-r9h6) |
| @sveltejs/kit | ^2.59.1 | ^2.60.1 | Pulls patched devalue 5.8.1, resolving high-severity GHSA-77vg-94rm-hx3p (DoS via sparse array deserialization) |

npm audit reports 0 vulnerabilities on this branch.

Verification

  • npm install --legacy-peer-deps (per repo convention)
  • npm audit → 0 vulnerabilities
  • npm run check → 0 errors, 0 warnings, 477 files
  • npm run lint → clean
  • npm run build → success, adapter-static output written

Risk

Patch-level bumps within existing carets. Lockfile diff is small (26 lines). No .svelte source files changed.

Reviewer quickstart

git fetch origin && git checkout chore/deps-svelte-security && npm ci --legacy-peer-deps && npm run check && npm run build

Closes #220

- svelte 5.55.5 -> 5.55.7 (XSS via spread attrs, hydratable Promise, DOM
  clobbering, <svelte:element> ReDoS)
- @sveltejs/kit 2.59.1 -> 2.60.1 (pulls patched devalue 5.8.1 — DoS via
  sparse array deserialization)

`npm audit` reports 0 vulnerabilities after the bump.

Closes #220
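As an added example (not code from this PR or the repository), the following check walks a package-lock.json and reports every installed copy of svelte, @sveltejs/kit or devalue that is still below the patched versions named above, including a nested, non-hoisted copy of the transitive devalue dependency that `npm ls` output can hide. The sample lockfile and its pre-bump version values are constructed for illustration.

```javascript
// Added example: verify a lockfile against the minimum patched versions this PR establishes.
// The version floors come from the PR table; the sample lockfile below is constructed.
const MIN_PATCHED = {
  svelte: '5.55.7',          // PR table: svelte bumped to ^5.55.7
  '@sveltejs/kit': '2.60.1', // PR table: kit bumped to ^2.60.1
  devalue: '5.8.1',          // transitive dependency the kit bump pulls in
};

// Numeric comparison on MAJOR.MINOR.PATCH; prerelease and build tags are ignored.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk every installed copy in a lockfile v2/v3 "packages" map (hoisted or nested)
// and return those whose version is below the floor for that package name.
function findUnpatched(lockfile, minimums = MIN_PATCHED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx < 0) continue; // root project entry ("") or workspace path
    const name = key.slice(idx + 'node_modules/'.length); // handles @scope/name
    const floor = minimums[name];
    if (floor && compareSemver(entry.version, floor) < 0) {
      findings.push({ path: key, name, installed: entry.version, required: floor });
    }
  }
  return findings;
}

// Constructed sample: pre-bump state, with a patched hoisted devalue but a stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/svelte': { version: '5.55.6' },
    'node_modules/@sveltejs/kit': { version: '2.59.1' },
    'node_modules/devalue': { version: '5.8.1' },
    'node_modules/@sveltejs/kit/node_modules/devalue': { version: '5.8.0' }, // constructed
  },
};

for (const f of findUnpatched(SAMPLE_LOCK)) {
  console.log(`${f.path}: installed ${f.installed}, need >= ${f.required}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result matches the "0 vulnerabilities" audit state the PR reports for these three packages.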
@dobby-coder dobby-coder Bot marked this pull request as ready for review May 15, 2026 22:19
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 15, 2026 22:22
dobby-coder Bot commented May 15, 2026

Contributor Author

Rule compliance check: added @rubenhensen as reviewer (the PR was missing one, per the pr-review-assignments rule). All other rules pass — title is conventional-commit, body uses Closes #220, no trigger keywords, repo-specific dep-bump gotchas honored (@types/node already present, --legacy-peer-deps documented), and CI is green.

@dobby-coder dobby-coder Bot left a comment

Contributor Author

Self-review (cannot approve own PR): minimal lockfile + package.json change, patch-level bumps within existing caret ranges. CI green (build amd64/arm64, lint, svelte-check, conventional-commit). Addresses the four svelte advisories and the devalue high-sev DoS via the kit transitive bump. @types/node already in place so no regression on the kit 2.59+ tsconfig quirk. Ready for @rubenhensen.

@rubenhensen rubenhensen merged commit 7e69b9d into main May 16, 2026
7 checks passed
@rubenhensen rubenhensen deleted the chore/deps-svelte-security branch May 16, 2026 10:15

Development

Successfully merging this pull request may close these issues.

chore: update dependencies (svelte/devalue security advisories)

1 participant