task(deps): update dependency svelte to v5.51.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.46.4 → 5.51.5

GitHub Vulnerability Alerts

CVE-2026-27119

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27121

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

CVE-2026-27122

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27125

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

---

Release Notes

sveltejs/svelte (svelte)

v5.51.5

Compare Source

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#​17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#​17739)

v5.51.4

Compare Source

Patch Changes

• chore: proactively defer effects in pending boundary (#​17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes

• fix: prevent event delegation logic conflicting between svelte instances (#​17728)

• fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

• fix: locate Rollup annontaion friendly to JS downgraders (#​17724)

• fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes

• fix: take async into consideration for dev delegated handlers (#​17710)

• fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes

• fix: don't crash on undefined document.contentType (#​17707)

• fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes

• feat: Use TrustedTypes for HTML handling where supported (#​16271)

Patch Changes

• fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

• fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

• fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes

• fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

• fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

• fix: always lowercase HTML elements, for XHTML compliance (#​17664)

• fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

• fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes

• fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

• fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

• chore: provide proper public type for parseCss result (#​17654)

• fix: robustify blocker calculation (#​17676)

• fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes

• fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

• fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes

• feat: allow use of createContext when instantiating components programmatically (#​17575)

Patch Changes

• fix: ensure infinite effect loops are cleared after flushing (#​17601)

• fix: allow {#key NaN} (#​17642)

• fix: detect store in each block expression regardless of AST shape (#​17636)

• fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

• fix: add vite-ignore comment inside dynamic crypto import (#​17623)

• chore: wrap JSDoc URLs in @see and @link tags (#​17617)

• fix: properly hydrate already-resolved async blocks (#​17641)

• fix: emit each_key_duplicate error in production (#​16724)

• fix: exit resolved async blocks on correct node when hydrating (#​17640)

v5.49.2

Compare Source

Patch Changes

• chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

• fix: avoid erroneous async derived expressions for blocks (#​17604)

• fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

• fix: reschedule effects inside unskipped branches (#​17604)

v5.49.1

Compare Source

Patch Changes

• fix: merge consecutive large text nodes (#​17587)

• fix: only create async functions in SSR output when necessary (#​17593)

• fix: properly separate multiline html blocks from each other in print() (#​17319)

• fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes

• feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)

Patch Changes

• fix: throw for unset createContext get on the server (#​17580)

• fix: reset effects inside skipped branches (#​17581)

• fix: preserve old dependencies when updating reaction inside fork (#​17579)

• fix: more conservative assignment_value_stale warnings (#​17574)

• fix: disregard popover elements when determining whether an element has content (#​17367)

• fix: fire introstart/outrostart events after delay, if specified (#​17567)

• fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

• fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

• fix: prevent unintended exports from namespaces (#​17562)

• fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes

• fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

• fix: hydration failing with settled async blocks (#​17539)

• fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

• fix: handle false dynamic components in SSR (#​17542)

• fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

• fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes

• fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes

• fix: hoist snippets above const in same block (#​17516)

• fix: properly hydrate await in {@​html} (#​17528)

• fix: batch resolution of async work (#​17511)

• fix: account for empty statements when visiting in transform async (#​17524)

• fix: avoid async overhead for already settled promises (#​17461)

• fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes

• feat: export parseCss from svelte/compiler (#​17496)

Patch Changes

• fix: handle non-string values in svelte:element this attribute (#​17499)

• fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes

• fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes

• feat: customizable <select> elements (#​17429)

Patch Changes

• fix: mark subtree of svelte boundary as dynamic (#​17468)

• fix: don't reset static elements with debug/snippets (#​17477)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
themes.skeleton.dev	Building	Preview	Feb 25, 2026 1:35pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
www.skeleton.dev	Ignored	Preview	Feb 25, 2026 1:35pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9d59997

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR