chore(deps): update devdependency devalue to v5.6.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
devalue	5.6.3 → 5.6.4

GitHub Vulnerability Alerts

CVE-2025-57820

1. devalue.parse allows __proto__ to be set

A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5

2. devalue.parse allows array prototype methods to be assigned to object

In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:

devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]

devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0

This could be used by a creative attacker to bypass server-side validation.

GHSA-8qm3-746x-r74r

Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.

GHSA-33hq-fvwr-56pm

Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse array on the server — which is impossible in every mainstream wire format — and then that sparse array would have to be run through uneval or stringify.

CVE-2026-30226

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

GHSA-mwv9-gp5h-frr4

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

---

Release Notes

sveltejs/devalue (devalue)

v5.6.4

Compare Source

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/bridge@1754

npm i https://pkg.pr.new/@nuxt/bridge-schema@1754

commit: 1804f49