Skip to content

chore(deps): update dependency @sveltejs/kit to v2.57.1 [security]#10505

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sveltejs-kit-vulnerability
Open

chore(deps): update dependency @sveltejs/kit to v2.57.1 [security]#10505
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sveltejs-kit-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 16, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@sveltejs/kit (source) 2.55.02.57.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

@​sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass

CVE-2026-40073 / GHSA-2crg-3p73-43xp

More information

Details

Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

@​sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

CVE-2026-40074 / GHSA-3f6h-2hrp-w5wx

More information

Details

redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.57.1

Compare Source

Patch Changes

  • fix: better validation for redirect inputs (10d7b44)

  • fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

  • fix: use default values as fallbacks (#​15680)

  • fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes
  • feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)
Patch Changes

  • fix: use array type for select fields that accept multiple values (#​15591)

  • fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

  • fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

  • fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

  • fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

v2.56.0

Compare Source

Minor Changes

  • breaking: rework client-driven refreshes (#​15562)

  • breaking: stabilize remote function caching by sorting object keys (#​15570)

  • breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

  • feat: support TypeScript 6.0 (#​15595)

  • breaking: isolate command-triggered query refresh failures per-query (#​15562)

  • feat: use hydratable for remote function transport (#​15533)

  • feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes

  • fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

  • fix: allow using multiple remote functions within one async derived (#​15561)

  • fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

  • fix: manage queries in their own $effect.root (#​15533)

  • fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

  • fix: correctly escape backticks when precomputing CSS (#​15593)

  • fix: discard obsolete forks before finishing navigation (#​15634)

  • chore: tighten up override implementation (#​15562)

  • fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

  • fix: deduplicate same-cache-key batch calls during SSR (#​15533)

  • fix: decrement pending_count when form callback doesn't call submit() (#​15520)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 16, 2026
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Apr 16, 2026
edited
Loading

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a0d03da3-1a07-45f8-b42f-9d76de755c93

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/npm-sveltejs-kit-vulnerability

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot added the automated PR author detected as automated label Apr 16, 2026
@nx-cloud
Copy link
Copy Markdown

nx-cloud Bot commented Apr 16, 2026
edited
Loading

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.

View your CI Pipeline Execution ↗ for commit 29a0508

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ❌ Failed 1m 5s View ↗
nx run-many --target=build --exclude=examples/*... ❌ Failed 4s View ↗

☁️ Nx Cloud last updated this comment at 2026-05-14 06:11:38 UTC

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 16, 2026
edited
Loading

🚀 Changeset Version Preview

2 package(s) bumped directly, 23 bumped as dependents.

🟩 Patch bumps

Package Version Reason
@tanstack/vue-query 5.100.10 → 5.100.11 Changeset
@tanstack/vue-query-devtools 6.1.29 → 6.1.30 Changeset
@tanstack/angular-query-experimental 5.100.10 → 5.100.11 Dependent
@tanstack/angular-query-persist-client 5.100.10 → 5.100.11 Dependent
@tanstack/eslint-plugin-query 5.100.10 → 5.100.11 Dependent
@tanstack/lit-query 0.2.1 → 0.2.2 Dependent
@tanstack/preact-query 5.100.10 → 5.100.11 Dependent
@tanstack/preact-query-devtools 5.100.10 → 5.100.11 Dependent
@tanstack/preact-query-persist-client 5.100.10 → 5.100.11 Dependent
@tanstack/query-async-storage-persister 5.100.10 → 5.100.11 Dependent
@tanstack/query-broadcast-client-experimental 5.100.10 → 5.100.11 Dependent
@tanstack/query-core 5.100.10 → 5.100.11 Dependent
@tanstack/query-devtools 5.100.10 → 5.100.11 Dependent
@tanstack/query-persist-client-core 5.100.10 → 5.100.11 Dependent
@tanstack/query-sync-storage-persister 5.100.10 → 5.100.11 Dependent
@tanstack/react-query 5.100.10 → 5.100.11 Dependent
@tanstack/react-query-devtools 5.100.10 → 5.100.11 Dependent
@tanstack/react-query-next-experimental 5.100.10 → 5.100.11 Dependent
@tanstack/react-query-persist-client 5.100.10 → 5.100.11 Dependent
@tanstack/solid-query 5.100.10 → 5.100.11 Dependent
@tanstack/solid-query-devtools 5.100.10 → 5.100.11 Dependent
@tanstack/solid-query-persist-client 5.100.10 → 5.100.11 Dependent
@tanstack/svelte-query 6.1.29 → 6.1.30 Dependent
@tanstack/svelte-query-devtools 6.1.29 → 6.1.30 Dependent
@tanstack/svelte-query-persist-client 6.1.29 → 6.1.30 Dependent

@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 25 times, most recently from 11c3e37 to 81bb0c2 Compare April 21, 2026 17:29
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 28 times, most recently from c1896b5 to 47875f0 Compare April 29, 2026 14:49
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 13, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​types/​node@​22.19.191001008196100
Addedreact@​19.2.61001008497100
Addedreact-dom@​19.2.61001009298100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated PR author detected as automated dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants