chore(deps): update dependency @sveltejs/kit to v2.53.3 [security]#366
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
chore(deps): update dependency @sveltejs/kit to v2.53.3 [security]#366renovate[bot] wants to merge 1 commit intomainfrom
renovate[bot] wants to merge 1 commit intomainfrom
Conversation
✅ Deploy Preview for sheepdog ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
commit: |
renovate
bot
force-pushed
the
renovate/npm-sveltejs-kit-vulnerability
branch
from
b86d49e to
2d146fe
Compare
renovate
bot
force-pushed
the
renovate/npm-sveltejs-kit-vulnerability
branch
from
2d146fe to
0481487
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.49.5→2.53.3GitHub Vulnerability Alerts
GHSA-vrhm-gvg7-fpcf
Versions of
@sveltejs/kitprior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.Only applications using both
experimental.remoteFunctionsandformare vulnerable.GHSA-88qp-p4qg-rqm6
Versions of
@sveltejs/kitprior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.Only applications using both
experimental.remoteFunctionsandformare vulnerable.GHSA-fpg4-jhqr-589c
Some relatively small inputs can cause very large files arrays in
formhandlers. If the SvelteKit application code doesn't checkfiles.lengthor individual files' sizes and performs expensive processing with them, it can result in Denial of Service.Only users with
experimental.remoteFunctions: truewho are using theformfunction and are processing thefilesarray without validation are vulnerable.Release Notes
sveltejs/kit (@sveltejs/kit)
v2.53.3Compare Source
Patch Changes
form(faba869)v2.53.2Compare Source
Patch Changes
fix: server-render nested form value sets (#15378)
fix: use deep partial types for form remote functions
.value()and.set(...)(#14837)fix: provide correct url info to remote functions (#15418)
fix: allow optional types for remote query/command/prerender functions (#15293)
fix: allow commands in more places (#15288)
v2.53.1Compare Source
Patch Changes
inlineDynamicImportswhen using Vite 8 (#15403)v2.53.0Compare Source
Minor Changes
Patch Changes
fix: remove event listeners on form attachment cleanup (#15286)
fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)
v2.52.2Compare Source
Patch Changes
fix: validate
formfile information to prevent amplification attacks (3e607b3)chore: upgrade
devalueandsvelte(#15339)fix: parse file offset table more strictly (
f47c01b)v2.52.0Compare Source
Minor Changes
matchfunction to map a path back to a route id and params (#14997)Patch Changes
fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)
fix:
resolvewill narrow types to follow trailing slash page settings (#15027)v2.51.0Compare Source
Minor Changes
feat: add
scrollproperty toNavigationTargetin navigation callbacks (#15248)Navigation callbacks (
beforeNavigate,onNavigate, andafterNavigate) now include scroll position information via thescrollproperty onfromandtotargets:from.scroll: The scroll position at the moment navigation was triggeredto.scroll: InbeforeNavigateandonNavigate, this is populated forpopstatenavigations (back/forward) with the scroll position that will be restored, andnullfor other navigation types. InafterNavigate, this is always the final scroll position after navigation completed.This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.
feat:
hydratable's injected script now works with CSP (#15048)Patch Changes
fix: put preloads before styles (#15232)
fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)
fix:
fetchnot working when URL is same host but different thanpaths.base(#15291)fix: navigate to hash link when base element is present (#15236)
fix: avoid triggering
handleErrorwhen redirecting in a remote function (#15222)fix: include
testdirectory in generatedtsconfig.jsonalongside existingtestsentry (#15254)fix: generate
tsconfig.jsonusing the value ofkit.files.src(#15253)v2.50.2Compare Source
Patch Changes
fix: ensure inlined CSS follows
paths.assetsandpaths.relativesettings (#15153)fix: emit script CSP nonces when
unsafe-inlineis present ifstrict-dynamicis also present (#15221)fix: re-export browser/dev from esm-env (#15206)
fix: use validated args in batch resolver in both csr and ssr (#15215)
fix: ensure CSS inlining includes components that are conditionally rendered (#15153)
fix: only match rest params with matchers when the matcher matches (#15216)
fix: properly handle percent-encoded anchors (e.g.
<a href="#sparkles-%E2%9C%A8">) during prerendering. (#15231)v2.50.1Compare Source
Patch Changes
fix: include
hooks.serverandhooks.universalas explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#15178)fix: improves fields type for generic components (#14974)
fix: preload links if href changes (#15191)
v2.50.0Compare Source
Minor Changes
buttonPropsfrom experimental remote form functions; use e.g.<button {...myForm.fields.action.as('submit', 'register')}>Register</button>button instead (#15144)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.