Update dependency svelte to v3.49.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	3.44.1 -> 3.49.0

GitHub Vulnerability Alerts

CVE-2022-25875

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

---

Release Notes

sveltejs/svelte

v3.49.0

Compare Source

• Improve performance of string escaping during SSR (#​5701)
• Add ComponentType and ComponentProps convenience types (#​6770)
• Add support for CSS @layer (#​7504)
• Export CompileOptions from svelte/compiler (#​7658)
• Fix DOM-less components not being properly destroyed (#​7488)
• Fix class: directive updates with <svelte:element> (#​7521, #​7571)
• Harden attribute escaping during SSR (#​7530)

v3.48.0

Compare Source

• Allow creating cancelable custom events with createEventDispatcher (#​4623)
• Support {@​const} tag in {#if} blocks #​7241
• Return the context object in setContext #​7427
• Allow comments inside {#each} blocks when using animate: (#​3999)
• Fix |local transitions in {#key} blocks (#​5950)
• Support svg namespace for {@​html} (#​7002, #​7450)
• Fix {@​const} tag not working inside a component when there's no let: #​7189
• Remove extraneous leading newline inside <pre> and <textarea> (#​7264)
• Fix erroneous setting of textContent for <template> elements (#​7297)
• Fix value of let: bindings not updating in certain cases (#​7440)
• Fix handling of void tags in <svelte:element> (#​7449)
• Fix handling of boolean attributes in <svelte:element> (#​7478)
• Add special style scoping handling of [open] selectors on <dialog> elements (#​7495)

v3.47.0

Compare Source

• Add support for dynamic elements through <svelte:element> (#​2324)
• Miscellaneous variable context fixes in {@​const} (#​7222)
• Fix {#key} block not being reactive when the key variable is not otherwise used (#​7408)
• Add Symbol as a known global (#​7418)

v3.46.6

Compare Source

• Actually include action TypeScript interface in published package (#​7407)

v3.46.5

Compare Source

• Add TypeScript interfaces for typing actions (#​6538)
• Do not generate unused-export-let warning inside <script context="module"> blocks (#​7055)
• Do not collapse whitespace-only CSS vars (#​7152)
• Add aria-description to the list of allowed ARIA attributes (#​7301)
• Fix attribute escaping during SSR (#​7327)
• Prevent .innerHTML optimization from being used when style: directive is present (#​7386)

v3.46.4

Compare Source

• Avoid maximum call stack size exceeded errors on large components (#​4694)
• Preserve leading space with preserveWhitespace: true (#​4731)
• Preserve leading space in <pre> tags (#​6437)
• Improve error message when trying to use style: directives on inline components (#​7177)
• Add FormData as a known global (#​7199)
• Mark css/instance/module AST properties as optional in types (#​7204)

v3.46.3

Compare Source

• Ignore whitespace in {#each} blocks when containing elements with animate: (#​5477)
• Throw compiler error when variable in context="instance" collides with import in context="module" (#​7090)
• Fix compiler crash when {@​const} contains arrow functions (#​7134)

v3.46.2

Compare Source

• Export FlipParams interface from svelte/animate (#​7103)
• Fix style: directive reactivity inside {#each} block (#​7136)

v3.46.1

Compare Source

• Handle style:kebab-case directives (#​7122)
• Improve AST produced for style: directives (#​7127)

v3.46.0

Compare Source

• Implement {@​const} tag (RFC #​33, #​6413)
• Implement style: directive (RFC #​42, #​5923)
• Fix style manager conflicts when using multiple Svelte instances (#​7026)
• Fix hydration when using {@​html} (#​7115)

v3.45.0

Compare Source

• Fix non-boolean attribute rendering in SSR to render truthy values as-is (#​6121)
• Fix binding to a member expression also invalidating the member property (#​6921)
• Fix default values in {#each}/etc. destructurings not being considered references for the purposes of compiler warnings (#​6964)
• Fix {:else if} value incorrectly being cached (#​7043)
• Add a11y-no-redundant-roles warning (#​7067)
• Fix code generation error with arrow functions whose bodies are object destructuring assignments (#​7087)

v3.44.3

Compare Source

• Fix bind:this binding inside onMount for manually instantiated component (#​6760)
• Prevent cursor jumps with one-way binding for other type="text"-like <input>s (#​6941)
• Exclude async loops from loopGuardTimeout (#​6945)

v3.44.2

Compare Source

• Fix overly restrictive preprocessor types (#​6904)
• More specific typing for crossfade function - returns a tuple, not an array (#​6926)
• Add URLSearchParams as a known global (#​6938)
• Add types field to exports map (#​6939)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.