chore(deps): bump svelte and @sveltejs/kit to patch security advisories#221
- svelte 5.55.5 -> 5.55.7 (XSS via spread attrs, hydratable Promise, DOM clobbering, `<svelte:element>` ReDoS)
- @sveltejs/kit 2.59.1 -> 2.60.1 (pulls patched devalue 5.8.1 — DoS via sparse array deserialization)

`npm audit` reports 0 vulnerabilities after the bump.

Closes #220
Rule compliance check: added @rubenhensen as reviewer (the PR was missing one, per the
Self-review (cannot approve own PR): minimal lockfile + package.json change, patch-level bumps within existing caret ranges. CI green (build amd64/arm64, lint, svelte-check, conventional-commit). Addresses the four svelte advisories and the devalue high-sev DoS via the kit transitive bump. @types/node already in place so no regression on the kit 2.59+ tsconfig quirk. Ready for @rubenhensen.
Summary

Bumps two direct devDependencies inside their existing caret ranges to clear the open `npm audit` advisories tracked in #220.

- `svelte`
- `@sveltejs/kit` (transitive `devalue` 5.8.1, resolving high-severity GHSA-77vg-94rm-hx3p, DoS via sparse array deserialization)

`npm audit` reports 0 vulnerabilities on this branch.

Verification

- `npm install --legacy-peer-deps` (per repo convention)
- `npm audit` → 0 vulnerabilities
- `npm run check` → 0 errors, 0 warnings, 477 files
- `npm run lint` → clean
- `npm run build` → success, adapter-static output written

Risk

Patch-level bumps within existing carets. Lockfile diff is small (26 lines). No `.svelte` source files changed.

Reviewer quickstart
Closes #220