fix: resolve Svelte 5.55 navigation state propagation failure

[Mahaboobunnisa123]

Fixes #2838
The card-browser and mobile layout navigation was broken - clicking links would either skip multiple cards, lose the edition/version/language URL params after a few navigations, or sometimes end up on a 404 page entirely.
After digging into it, the root cause was a combination of things. Svelte 5.55.0–5.55.3 had a regression where reactive state stopped propagating correctly during client-side navigation, which is especially painful with adapter-static since there's no server fallback. Upgrading to 5.55.4 (which patches that regression) fixed the engine side.

Changes applied:

• Upgraded Svelte to 5.55.4 - resolves the core engine regression
• cardBrowser.svelte - fixed mouse click firing both onclick and href simultaneously, causing cards to skip multiple steps. Added event.preventDefault() and cleaned up getUrl
• +layout.svelte - fixed MutationObserver inside $effect never disconnecting on navigation, causing state corruption. Added return () => observer.disconnect() as cleanup
• Also replaced the legacy svelte/legacy run() + $state pattern in cardFound.svelte, companionCardTaxonomy.svelte, mobileAppCardTaxonomy.svelte, webAppCardTaxonomy.svelte, cards/+page.svelte with proper $derived - these were left over from the Svelte 4→5 migration and were the exact kind of fragile reactive patterns that made the state loss worse.

Testing results:

• Mouse click navigation moves one card at a time correctly
• Keyboard arrow navigation works as expected
• Full URL (edition/version/language params) preserved across all navigations
• No 404 errors observed
• No hydration errors in DevTools console
• pnpm run test - 13 test files, 139 tests, all passed. Coverage: 99.32% statements, 100% functions

Resolved issue: #2838
Screenshots are attached for reference:

AI Tool Disclosure

• My contribution does not include any AI-generated content
• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: Perplexity AI, Claude AI
  • LLMs and versions: Claude Sonnet 4.6
  • Prompts: Used for guidance on implementation approach(to speedup) and debugging issues[errors]. All the final changes were written, reviewed, and adapted manually.

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[sydseter]

@Mahaboobunnisa123 Great! Looks good

[sydseter]

@Mahaboobunnisa123 Thank you for your help.

[Copilot]

Pull request overview

Fixes a SvelteKit (adapter-static) navigation/state propagation regression affecting card browsing and mobile layout behavior by upgrading Svelte and adjusting client-side navigation/reactivity patterns.

Changes:

• Upgraded svelte to 5.55.4 (and lockfile updates) to pick up the upstream fix.
• Updated card navigation handling (cardBrowser.svelte) to prevent double-navigation on click and rely on goto() + hrefs consistently.
• Reworked several components away from svelte/legacy run() and manual $state updates toward $derived-based reactivity; added cleanup for a MutationObserver in the root layout.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
cornucopia.owasp.org/src/routes/cards/+page.svelte	Updates card/mapping state derivation for the cards index page.
cornucopia.owasp.org/src/routes/+layout.svelte	Ensures MutationObserver is disconnected on navigation (avoids leaking observers/state).
cornucopia.owasp.org/src/lib/components/cardBrowser.svelte	Prevents click navigation from firing both default anchor navigation and JS navigation.
cornucopia.owasp.org/src/lib/components/cardFound.svelte	Adjusts component props usage and switches mapping/ASVS derivations to $derived.
cornucopia.owasp.org/src/lib/components/webAppCardTaxonomy.svelte	Removes svelte/legacy usage; derives mappings/attacks reactively.
cornucopia.owasp.org/src/lib/components/mobileAppCardTaxonomy.svelte	Removes svelte/legacy usage; derives mappings/attacks reactively.
cornucopia.owasp.org/src/lib/components/companionCardTaxonomy.svelte	Removes svelte/legacy usage; derives mappings/attacks reactively.
cornucopia.owasp.org/package.json	Bumps Svelte dependency version.
cornucopia.owasp.org/pnpm-lock.yaml	Lockfile updates for the Svelte upgrade and transitive deps.

Files not reviewed (1)

• cornucopia.owasp.org/pnpm-lock.yaml: Language not supported

Comments suppressed due to low confidence (1)

cornucopia.owasp.org/src/routes/+layout.svelte:36

• The $effect now checks if (document) and the file still imports browser without using it. Consider switching this guard to if (browser) (or typeof document !== 'undefined') and dropping the unused import, so the intent is clear and the code won’t risk document access in non-browser contexts.

    // add styles back in non-CSP violating way
    $effect(() => {
    if (document) {
        const observer = new MutationObserver((mutations) => {
        for (const mutation of mutations) {

[Mahaboobunnisa123]

@Mahaboobunnisa123 Great! Looks good

Thank you for your kind words.