Skip to content

chore(deps): update dependency svelte to v5.55.7 [security]#93

Merged
cheefbird merged 1 commit into
mainfrom
renovate/npm-svelte-vulnerability
May 14, 2026
Merged

chore(deps): update dependency svelte to v5.55.7 [security]#93
cheefbird merged 1 commit into
mainfrom
renovate/npm-svelte-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 14, 2026

This PR contains the following updates:

Package Change Age Confidence
svelte (source) 5.55.55.55.7 age confidence

Svelte: SSR XSS via Insecure Promise Serialization in hydratable

GHSA-f3cj-j4f6-wq85

More information

Details

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

sveltejs/svelte (svelte)

v5.55.7

Compare Source

Patch Changes

v5.55.6

Compare Source

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#​18180)

  • fix: keep dependencies of $state.eager/pending (#​18218)

  • fix: reapply context after transforming error during SSR (#​18099)

  • fix: don't rebase just-created batches (#​18117)

  • chore: allow null for pending in typings (#​18201)

  • fix: flush eager effects in production (#​18107)

  • fix: rethrow error of failed iterable after calling return() (#​18169)

  • fix: account for proxified instance when updating bind:this (#​18147)

  • fix: ensure scheduled batch is flushed if not obsolete (#​18131)

  • fix: resolve stale deriveds with latest value (#​18167)

  • chore: remove unnecessary increment_pending calls (#​18183)

  • fix: correctly compile component member expressions for SSR (#​18192)

  • fix: reset source.updated stack traces after flush (#​18196)

  • fix: replacing async 'blocking' strategy with 'merging' (#​18205)

  • fix: allow @debug tags to reference awaited variables (#​18138)

  • fix: re-run fallback props if dependencies update (#​18146)

  • fix: abort running obsolete async branches (#​18118)

  • fix: ignore comments when reading CSS values (#​18153)

  • fix: wrap Promise.all in save during SSR (#​18178)

  • fix: ignore false-positive errors of $inspect dependencies (#​18106)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label May 14, 2026
@cheefbird cheefbird merged commit 3784a28 into main May 14, 2026
1 check passed
@cheefbird cheefbird deleted the renovate/npm-svelte-vulnerability branch May 14, 2026 23:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cheefbird cheefbird cheefbird approved these changes

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cheefbird