
Update dependency svelte to v5 [SECURITY] #67

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-svelte-vulnerability


@renovate renovate Bot commented Aug 31, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
svelte (source) 3.52.0 -> 5.53.5 age confidence

Svelte has a potential mXSS vulnerability due to improper HTML escaping

CVE-2024-45047 / GHSA-8266-84wp-wv5c

More information

Details

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> &quot;
    • & -> &amp;
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


svelte is vulnerable to XSS with textarea bind:value

GHSA-gw32-9rmw-qwww

More information

Details

Summary

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

Details

In SSR, <textarea bind:value={...}> does not have its value escaped when it is rendered into the HTML as <textarea>...</textarea>.

PoC

Put this in a server-side-rendered Svelte component:

<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />

Impact

  • Only affects SSR
  • Needs a <textarea bind:value> filled by user content via two-way binding

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte affected by cross-site scripting via spread attributes in Svelte SSR

CVE-2026-27121 / GHSA-f7gr-6p89-r883

More information

Details

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR does not validate dynamic element tag names in <svelte:element>

CVE-2026-27122 / GHSA-m56q-vw4c-c2cp

More information

Details

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR attribute spreading includes inherited properties from prototype chain

CVE-2026-27125 / GHSA-crpf-4hrx-3jrp

More information

Details

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent

CVE-2026-27901 / GHSA-phwv-c562-gvmh

More information

Details

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/svelte (svelte)

v5.53.5

Compare Source

Patch Changes

v5.53.4

Compare Source

Patch Changes
  • fix: set server context after async transformError (#​17799)

  • fix: hydrate if blocks correctly (#​17784)

  • fix: handle default parameters scope leaks (#​17788)

  • fix: prevent flushed effects from running again (#​17787)

v5.53.3

Compare Source

Patch Changes
  • fix: render :catch of #await block with correct key (#​17769)

  • chore: pin aria-query@​5.3.1 (#​17772)

  • fix: make string coercion consistent to toString (#​17774)

v5.53.2

Compare Source

Patch Changes
  • fix: update expressions on server deriveds (#​17767)

  • fix: further obfuscate node:crypto import from overzealous static analysis (#​17763)

v5.53.1

Compare Source

Patch Changes
  • fix: handle shadowed function names correctly (#​17753)

v5.53.0

Compare Source

Minor Changes
  • feat: allow comments in tags (#​17671)

  • feat: allow error boundaries to work on the server (#​17672)

Patch Changes
  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

  • fix: ensure head effects are kept in the effect tree (#​17746)

  • chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes
  • feat: support TrustedHTML in {@html} expressions (#17701)
Patch Changes
  • fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

  • fix: re-run non-render-bound deriveds on the server (#​17674)

v5.51.5

Compare Source

Patch Changes

v5.51.4

Compare Source

Patch Changes
  • chore: proactively defer effects in pending boundary (#​17734)

  • fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes
  • fix: prevent event delegation logic conflicting between svelte instances (#​17728)

  • fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

  • fix: locate Rollup annotation friendly to JS downgraders (#17724)

  • fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes
  • fix: take async into consideration for dev delegated handlers (#​17710)

  • fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes
  • fix: don't crash on undefined document.contentType (#​17707)

  • fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes
  • feat: Use TrustedTypes for HTML handling where supported (#​16271)
Patch Changes
  • fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

  • fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

  • fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes
  • fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

  • fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

  • fix: always lowercase HTML elements, for XHTML compliance (#​17664)

  • fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

  • fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes
  • fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

  • fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

  • chore: provide proper public type for parseCss result (#​17654)

  • fix: robustify blocker calculation (#​17676)

  • fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes
  • fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

  • fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes
  • feat: allow use of createContext when instantiating components programmatically (#​17575)
Patch Changes
  • fix: ensure infinite effect loops are cleared after flushing (#​17601)

  • fix: allow {#key NaN} (#​17642)

  • fix: detect store in each block expression regardless of AST shape (#​17636)

  • fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

  • fix: add vite-ignore comment inside dynamic crypto import (#​17623)

  • chore: wrap JSDoc URLs in @see and @link tags (#​17617)

  • fix: properly hydrate already-resolved async blocks (#​17641)

  • fix: emit each_key_duplicate error in production (#​16724)

  • fix: exit resolved async blocks on correct node when hydrating (#​17640)

v5.49.2

Compare Source

Patch Changes
  • chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

  • fix: avoid erroneous async derived expressions for blocks (#​17604)

  • fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

  • fix: reschedule effects inside unskipped branches (#​17604)

v5.49.1

Compare Source

Patch Changes
  • fix: merge consecutive large text nodes (#​17587)

  • fix: only create async functions in SSR output when necessary (#​17593)

  • fix: properly separate multiline html blocks from each other in print() (#​17319)

  • fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes
  • feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)
Patch Changes
  • fix: throw for unset createContext get on the server (#​17580)

  • fix: reset effects inside skipped branches (#​17581)

  • fix: preserve old dependencies when updating reaction inside fork (#​17579)

  • fix: more conservative assignment_value_stale warnings (#​17574)

  • fix: disregard popover elements when determining whether an element has content (#​17367)

  • fix: fire introstart/outrostart events after delay, if specified (#​17567)

  • fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes
  • fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

  • fix: prevent unintended exports from namespaces (#​17562)

  • fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes
  • fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes
  • fix: hydration failing with settled async blocks (#​17539)

  • fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

  • fix: handle false dynamic components in SSR (#​17542)

  • fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

  • fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes
  • fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes
  • fix: hoist snippets above const in same block (#​17516)

  • fix: properly hydrate await in {@html} (#17528)

  • fix: batch resolution of async work (#​17511)

  • fix: account for empty statements when visiting in transform async (#​17524)

  • fix: avoid async overhead for already settled promises (#​17461)

  • fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes
  • feat: export parseCss from svelte/compiler (#​17496)
Patch Changes
  • fix: handle non-string values in svelte:element this attribute (#​17499)

  • fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes
  • fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes
  • feat: customizable <select> elements (#​17429)
Patch Changes
  • fix: mark subtree of svelte boundary as dynamic (#​17468)

  • fix: don't reset static elements with debug/snippets (#​17477)

v5.46.4

Compare Source

Patch Changes

v5.46.3

Compare Source

Patch Changes
  • fix: reconnect clean deriveds when they are read in a reactive context (#​17362)

  • fix: don't transform references of function declarations in legacy mode (#​17431)

  • fix: notify deriveds of changes to sources inside forks (#​17437)

  • fix: always reconnect deriveds in get, when appropriate (#​17451)

  • fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

  • fix: correctly update writable deriveds inside forks (#​17437)

  • fix: remove $inspect calls after await expressions when compiling for production server code (#​17407)

  • fix: clear batch between runs (#​17424)

  • fix: adjust loc property of Program nodes created from <script> elements (#​17428)

  • fix: don't revert source to UNINITIALIZED state when time travelling (#​17409)

v5.46.1

Compare Source

Patch Changes
  • fix: type currentTarget in on function (#​17370)

  • fix: skip static optimisation for stateless deriveds after await (#​17389)

  • fix: prevent infinite loop when HMRing a component with an await (#​17380)

v5.46.0

Compare Source

Minor Changes
  • feat: Add csp option to render(...), and emit hashes when using hydratable (#​17338)

v5.45.10

Compare Source

Patch Changes
  • fix: race condition when importing AsyncLocalStorage (#​17350)

v5.45.9

Compare Source

Patch Changes
  • fix: correctly reschedule deferred effects when reviving a batch after async work (#​17332)

  • fix: correctly print !doctype during print (#​17341)

v5.45.8

Compare Source

Patch Changes
  • fix: set AST root.start to 0 and root.end to template.length (#​17125)

  • fix: prevent erroneous state_referenced_locally warnings on prop fallbacks (#​17329)

v5.45.7

Compare Source

Patch Changes
  • fix: Add <textarea wrap="off"> as a valid attribute value (#​17326)

  • fix: add more css selectors to print() (#​17330)

  • fix: don't crash on hydratable serialization failure (#​17315)

v5.45.6

Compare Source

Patch Changes
  • fix: don't issue a11y warning for <video> without captions if it has no src (#​17311)

  • fix: add srcObject to permitted <audio>/<video> attributes (#​17310)

v5.45.5

Compare Source

Patch Changes
  • fix: correctly reconcile each blocks after outroing branches are resumed (#​17258)

  • fix: destroy each items after siblings are resumed (#​17258)

v5.45.4

Compare Source

Patch Changes
  • chore: move DOM-related effect properties to effect.nodes (#​17293)

  • fix: allow $props.id() to occur after an await (#​17285)

  • fix: keep reactions up to date even when read outside of effect (#​17295)

v5.45.3

Compare Source

Patch Changes
  • add props to state_referenced_locally (#​17266)

  • fix: preserve node locations for better sourcemaps (#​17269)

  • fix: handle cross-realm Promises in hydratable (#​17284)

v5.45.2

Compare Source

Patch Changes
  • fix: array destructuring after await (#​17254)

  • fix: throw on invalid {@tag}s (#17256)

v5.45.1

Compare Source

Patch Changes
  • fix: link offscreen items and last effect in each block correctly (#​17240)

v5.45.0

Compare Source

Minor Changes

v5.44.1

Compare Source

Patch Changes
  • fix: await blockers before initialising const (#​17226)

  • fix: link offscreen items and last effect in each block correctly (#​17244)

  • fix: generate correct code for simple destructurings (#​17237)

  • fix: ensure each block animations don't mess with transitions (#​17238)

v5.44.0

Compare Source

Minor Changes

v5.43.15

Compare Source

Patch Changes
  • fix: don't execute attachments and attribute effects eagerly (#​17208)

  • chore: lift "flushSync cannot be called in effects" restriction (#​17139)

  • fix: store forked derived values (#​17212)

v5.43.14

Compare Source

Patch Changes
  • fix: correctly migrate named self closing slots (#​17199)

  • fix: error at compile time instead of at runtime on await expressions inside bindings/transitions/animations/attachments (#​17198)

  • fix: take async blockers into account for bindings/transitions/animations/attachments (#​17198)

v5.43.13

Compare Source

Patch Changes
  • fix: don't set derived values during time traveling (#​17200)

v5.43.12

Compare Source

Patch Changes
  • fix: maintain correct linked list of effects when updating each blocks (#​17191)

v5.43.11

Compare Source

Patch Changes
  • perf: don't use tracing overeager during dev (#​17183)

  • fix: don't cancel transition of already outroing elements (#​17186)

v5.43.10

Compare Source

Patch Changes
  • fix: avoid other batches running with queued root effects of main batch (#​17145)

v5.43.9

Compare Source

Patch Changes
  • fix: correctly handle functions when determining async blockers (#​17137)

  • fix: keep deriveds reactive after their original parent effect was destroyed (#​17171)

  • fix: ensure eager effects don't break reactions chain (#​17138)

  • fix: ensure async @const in boundary hydrates correctly (#​17165)

  • fix: take blockers into account when creating #await blocks (#​17137)

  • fix: parallelize async @consts in the template (#​17165)

v5.43.8

Compare Source

Patch Changes
  • fix: each block losing reactivity when items removed while promise pending (#​17150)

v5.43.7

Compare Source

Patch Changes
  • fix: properly defer document title until async work is complete (#​17158)

  • fix: ensure deferred effects can be rescheduled later on (#​17147)

  • fix: take blockers of components into account (#​17153)

v5.43.6

Compare Source

Patch Changes
  • fix: don't deactivate other batches (#​17132)

v5.43.5

Compare Source

Patch Changes
  • fix: ensure async static props/attributes are awaited (#​17120)

  • fix: wait on dependencies of async bindings (#​17120)

  • fix: await dependencies of style directives (#​17120)

v5.43.4

Compare Source

Patch Changes
  • chore: simplify connection/disconnection logic (#​17105)

  • fix: reconnect deriveds to effect tree when time-travelling (#​17105)

v5.43.3

Compare Source

Patch Changes
  • fix: ensure fork always accesses correct values (#​17098)

  • fix: change title only after any pending work has completed (#​17061)

  • fix: preserve symbols when creating derived rest properties (#​17096)

v5.43.2

Compare Source

Patch Changes
  • fix: treat each blocks with async dependencies as uncontrolled (#​17077)

v5.43.1

Compare Source

Patch Changes
  • fix: transform $bindable after await expressions (#​17066)

v5.43.0

Compare Source

Minor Changes
Patch Changes
  • fix: settle batch after DOM updates (#​17054)

v5.42.3

Compare Source

Patch Changes
  • fix: handle <svelte:head> rendered asynchronously (#​17052)

  • fix: don't restore batch in #await (#​17051)

v5.42.2

Compare Source

Patch Changes
  • fix: better error message for global variable assignments (#​17036)

  • chore: tweak memoizer logic (#​17042)

v5.42.1

Compare Source

Patch Changes
  • fix: ignore fork discard() after commit() (#​17034)

v5.42.0

Compare Source

Minor Changes
Patch Changes
  • fix: always allow setContext before first await in component (#​17031)

  • fix: less confusing names for inspect errors (#​17026)

v5.41.4

Compare Source

Patch Changes
  • fix: take into account static blocks when determining transition locality (#​17018)

  • fix: coordinate mount of snippets with await expressions (#​17021)

  • fix: better optimization of await expressions (#​17025)

  • fix: flush pending changes after rendering failed snippet (#​16995)

v5.41.3

Compare Source

Patch Changes
  • chore: exclude vite optimized deps from stack traces (#​17008)

  • perf: skip repeatedly traversing the same derived (#​17016)

v5.41.2

Compare Source

Patch Changes
  • fix: keep batches alive until all async work is complete (#​16971)

  • fix: don't preserve reactivity context across function boundaries (#​17002)

  • fix: make $inspect logs come from the callsite (#​17001)

  • fix: ensure guards (eg. if, each, key) run before their contents (#​16930)

v5.41.1

Compare Source

Patch Changes
  • fix: place let: declarations before {@const} declarations (#16985)

  • fix: improve each_key_without_as error (#​16983)

  • chore: centralise branch management (#​16977)

v5.41.0

Compare Source

Minor Changes
  • feat: add $state.eager(value) rune (#​16849)
Patch Changes
  • fix: preserve <select> state while focused (#​16958)

  • chore: run boundary async effects in the context of the current batch (#​16968)

  • fix: error if each block has key but no as clause (#​16966)

v5.40.2

Compare Source

Patch Changes
  • fix: add hydration markers in pending branch of SSR boundary (#​16965)

v5.40.1

Compare Source

Patch Changes
  • chore: Remove sync-in-async warning for server rendering (#​16949)

v5.40.0

Compare Source

Minor Changes
  • feat: add createContext utility for type-safe context (#​16948)
Patch Changes
  • chore: simplify batch.apply() (#​16945)

  • fix: don't rerun async effects unnecessarily (#​16944)

v5.39.13

Compare Source

Patch Changes
  • fix: add missing type for fr attribute for radialGradient tags in svg (#​16943)

  • fix: unset context on stale promises (#​16935)

v5.39.12

Compare Source

Patch Changes
  • fix: better input cursor restoration for bind:value (#​16925)

  • fix: track the user's getter of bind:this ([#​16916]


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
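
The <noscript> breakout from the CVE-2024-45047 advisory quoted in the PR body above, as an added example (not code from Svelte or from this PR): it applies the attribute escaping rules the advisory lists to the PoC href, and models how a script-enabled browser ends <noscript> raw text at the first end tag. The function names are hypothetical, and escaping "<" in attribute values is this example's assumption about a sufficient hardening, not a statement of the upstream patch.

```javascript
// Attribute escaping as the advisory describes it for affected versions:
// only & and " are converted, "<" passes through unchanged.
function escapeAttrOld(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened variant (assumption of this example): also escape "<", so no
// end tag can appear inside the value even when the markup is read as raw text.
function escapeAttrHardened(value) {
  return escapeAttrOld(value).replace(/</g, "&lt;");
}

// Hypothetical stand-in for the SSR output of the PoC component on this page.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Simplified model of a script-enabled browser: <noscript> content is raw
// text, so quotes and attributes mean nothing and the element ends at the
// first "</noscript" followed by whitespace, "/" or ">".
function splitAtNoscriptEnd(html) {
  const open = "<noscript>";
  const start = html.toLowerCase().indexOf(open);
  if (start === -1) return { rawText: "", afterNoscript: html };
  const bodyStart = start + open.length;
  const end = /<\/noscript[\s/>]/i.exec(html.slice(bodyStart));
  if (!end) return { rawText: html.slice(bodyStart), afterNoscript: "" };
  const endIdx = bodyStart + end.index;
  const close = html.indexOf(">", endIdx);
  return {
    rawText: html.slice(bodyStart, endIdx),
    afterNoscript: close === -1 ? "" : html.slice(close + 1),
  };
}

// True when markup that the server placed inside <noscript> ends up outside
// it and contains a script start tag.
function escapesNoscript(html) {
  return /<script[\s/>]/i.test(splitAtNoscriptEnd(html).afterNoscript);
}

// The href value from the PoC URL quoted in the advisory.
const POC_HREF = "</noscript><script>alert(123)</script>";

function demo() {
  const vulnerable = renderNoscriptLink(POC_HREF, escapeAttrOld);
  const hardened = renderNoscriptLink(POC_HREF, escapeAttrHardened);
  return {
    vulnerable,
    hardened,
    vulnerableEscapes: escapesNoscript(vulnerable),
    hardenedEscapes: escapesNoscript(hardened),
  };
}

console.log(demo());
```

With scripting disabled the hardened output still yields the original href, because the browser decodes &lt; when it parses the attribute normally.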

@renovate renovate Bot changed the title Update dependency svelte to v4 [SECURITY] Update dependency svelte to v4 [SECURITY] - autoclosed Dec 8, 2024
@renovate renovate Bot closed this Dec 8, 2024
@renovate renovate Bot deleted the renovate/npm-svelte-vulnerability branch December 8, 2024 18:38
@renovate renovate Bot changed the title Update dependency svelte to v4 [SECURITY] - autoclosed Update dependency svelte to v4 [SECURITY] Dec 8, 2024
@renovate renovate Bot reopened this Dec 8, 2024
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from 8ead048 to 8dfa4ba Compare December 8, 2024 23:03
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from 8dfa4ba to 5a4bc6d Compare August 10, 2025 14:07
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from 5a4bc6d to d6462fb Compare November 10, 2025 14:58
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from d6462fb to 96936d7 Compare November 18, 2025 10:12
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from 96936d7 to 6cc4838 Compare January 17, 2026 00:55
@renovate renovate Bot changed the title Update dependency svelte to v4 [SECURITY] Update dependency svelte to v3.59.2 [SECURITY] Jan 17, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from e318ddd to c87d1ba Compare February 20, 2026 16:57
@renovate renovate Bot changed the title Update dependency svelte to v3.59.2 [SECURITY] Update dependency svelte to v5 [SECURITY] Feb 20, 2026

renovate Bot commented Feb 20, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: frontend/package-lock.json
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: eslint-plugin-svelte@2.11.0
npm ERR! Found: svelte@5.53.5
npm ERR! node_modules/svelte
npm ERR!   dev svelte@"5.53.5" from the root project
npm ERR!   peer svelte@">=3.5.0" from rollup-plugin-svelte@7.1.0
npm ERR!   node_modules/rollup-plugin-svelte
npm ERR!     dev rollup-plugin-svelte@"7.1.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peerOptional svelte@"^3.37.0" from eslint-plugin-svelte@2.11.0
npm ERR! node_modules/eslint-plugin-svelte
npm ERR!   dev eslint-plugin-svelte@"2.11.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: svelte@3.59.2
npm ERR! node_modules/svelte
npm ERR!   peerOptional svelte@"^3.37.0" from eslint-plugin-svelte@2.11.0
npm ERR!   node_modules/eslint-plugin-svelte
npm ERR!     dev eslint-plugin-svelte@"2.11.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-04-27T23_32_55_219Z-debug-0.log

@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from c87d1ba to f2265e9 Compare February 28, 2026 13:09
@renovate renovate Bot changed the title Update dependency svelte to v5 [SECURITY] Update dependency svelte to v5 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot changed the title Update dependency svelte to v5 [SECURITY] - autoclosed Update dependency svelte to v5 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from f2265e9 to 872e68c Compare March 30, 2026 21:53
@renovate renovate Bot changed the title Update dependency svelte to v5 [SECURITY] Update dependency svelte to v5 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency svelte to v5 [SECURITY] - autoclosed Update dependency svelte to v5 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 872e68c to c413e3c Compare April 27, 2026 23:33