fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

• . (pnpm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
storybook	8.6.15	8.6.18	patch	Direct	2 HIGH
lodash	4.17.21	4.18.1	minor	Direct	1 HIGH, 3 MODERATE
@sveltejs/kit	2.53.0	2.59.1	minor	Direct	1 HIGH, 1 MODERATE, 1 LOW
vite	6.4.1	6.4.2	patch	Direct	1 HIGH, 1 MODERATE
svelte	5.53.3	5.53.13	patch	Direct	4 MODERATE
postcss	8.5.6	8.5.14	patch	Direct	1 MODERATE

---

Security Details

🚨 Critical & High Severity (5 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
@sveltejs/kit	GHSA-2crg-3p73-43xp	HIGH	@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass	2.53.0	2.57.1
lodash	GHSA-r5fr-rjxr-66jc	HIGH	lodash vulnerable to Code Injection via _.template imports key names	4.17.21	4.18.0
storybook	GHSA-mjf5-7g4m-gx5w	HIGH	Storybook Dev Server is Vulnerable to WebSocket Hijacking	8.6.15	8.6.17
storybook	CVE-2026-27148	HIGH	Storybook Dev Server Vulnerable to WebSocket Hijacking	8.6.15	-
vite	GHSA-p9ff-h696-f583	HIGH	Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket	6.4.1	8.0.5

ℹ️ Other Vulnerabilities (11)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
@sveltejs/kit	GHSA-3f6h-2hrp-w5wx	MODERATE	@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service	2.53.0	2.57.1
lodash	CVE-2025-13465	MODERATE	-	4.17.21	-
lodash	GHSA-f23m-r3pf-42rh	MODERATE	lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit	4.17.21	4.18.0
lodash	GHSA-xxjr-mmjv-4gpg	MODERATE	Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions	4.17.21	4.17.23
postcss	GHSA-qx2v-qp2m-jg93	MODERATE	PostCSS has XSS via Unescaped </style> in its CSS Stringify Output	8.5.6	8.5.10
svelte	GHSA-qgvg-pr8v-6rr3	MODERATE	Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers	5.53.3	5.53.5
svelte	CVE-2026-27902	MODERATE	Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers	5.53.3	-
svelte	GHSA-phwv-c562-gvmh	MODERATE	Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent	5.53.3	5.53.5
svelte	CVE-2026-27901	MODERATE	Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent	5.53.3	-
vite	GHSA-4w7w-66w2-5vf9	MODERATE	Vite Vulnerable to Path Traversal in Optimized Deps .map Handling	6.4.1	8.0.5
@sveltejs/kit	GHSA-fpg4-jhqr-589c	LOW	SvelteKit has deserialization expansion in unvalidated form remote function leading to Denial of Service (experimental only)	2.53.0	2.53.3

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System