Skip to content

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#365

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sveltejs-kit-vulnerability
Open

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#365
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-sveltejs-kit-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@sveltejs/kit (source) 2.46.52.60.1 age confidence

SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering

CVE-2025-67647 / GHSA-j62c-4x62-9r35

More information

Details

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

  • your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

  • your app has at least one prerendered route (export const prerender = true)
  • AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation
Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits

Severity

  • CVSS Score: 8.4 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


@​sveltejs/kit: query.batch cross-talk

GHSA-hgv7-v322-mmgr

More information

Details

query.batch() could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.60.1

Compare Source

Patch Changes
  • chore: bump svelte and devalue (#​15836)

  • fix: prevent query.batch cross-talk (dadaefc)

v2.60.0

Compare Source

Minor Changes
  • feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#​15802)

  • feat: warn on unread form remote function validation issues (#​15653)

Patch Changes
  • fix: abort navigation after async rendering if obsolete (#​15811)

  • fix: skip refreshing queries on full-page reload form submissions (#​15803)

v2.59.1

Compare Source

Patch Changes
  • fix: resolve paths to route files with the letter drive on Windows (#​15793)

v2.59.0

Compare Source

Minor Changes
  • feat: support query.batch in requested(...) (#​15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#​15705)

  • feat: experimental query.live function (#​15705)

Patch Changes
  • fix: unwrap Promise in RemoteCommand output type (#​15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#​15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#​15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#​15753)

  • fix: make sure queries always get started correctly (#​15705)

  • fix: allow plain functions as overrides in updates (#​15705)

v2.58.0

Compare Source

Minor Changes
  • breaking: require limit in requested (as originally intended) (#​15739)

  • feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#​15739)

  • breaking: requested now yields { arg, query } entries instead of the validated argument (#​15739)

Patch Changes
  • fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#​15699)

  • fix: prevent deep_set crash on nullish nested values (#​15600)

  • fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#​15723)

  • fix: don't warn about removed SSI comments in transformPageChunk (#​15695)

    Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

  • Change enhance function return type from void to MaybePromise. (#​15710)

  • fix: throw an error when resolve is called with an external URL (#​15733)

  • fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#​15718)

  • fix: reset form result on redirect (#​15724)

v2.57.1

Compare Source

Patch Changes
  • fix: better validation for redirect inputs (10d7b44)

  • fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

  • fix: use default values as fallbacks (#​15680)

  • fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes
  • feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)
Patch Changes
  • fix: use array type for select fields that accept multiple values (#​15591)

  • fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

  • fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

  • fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

  • fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

v2.56.0

Compare Source

Minor Changes
  • breaking: rework client-driven refreshes (#​15562)

  • breaking: stabilize remote function caching by sorting object keys (#​15570)

  • breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

  • feat: support TypeScript 6.0 (#​15595)

  • breaking: isolate command-triggered query refresh failures per-query (#​15562)

  • feat: use hydratable for remote function transport (#​15533)

  • feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes
  • fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

  • fix: allow using multiple remote functions within one async derived (#​15561)

  • fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

  • fix: manage queries in their own $effect.root (#​15533)

  • fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

  • fix: correctly escape backticks when precomputing CSS (#​15593)

  • fix: discard obsolete forks before finishing navigation (#​15634)

  • chore: tighten up override implementation (#​15562)

  • fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

  • fix: deduplicate same-cache-key batch calls during SSR (#​15533)

  • fix: decrement pending_count when form callback doesn't call submit() (#​15520)

v2.55.0

Compare Source

Minor Changes
  • feat: page and layout params with matchers are now type narrowed in $app/types, leading to better type safety when working with params in $app/types, $app/state, and hooks. (#​15502)

v2.54.0

Compare Source

Minor Changes
  • feat: allow error boundaries to catch errors on the server (#​15308)
Patch Changes
  • chore: upgrade devalue (#​15535)

  • fix: don't wait for remote functions that are not awaited in the template (#​15280)

  • feat: allow resolve() to accept pathnames with a search string and/or hash (#​15458)

  • chore: remove deprecation warnings for config.kit.files.* options when validating the Svelte config file (#​15482)

  • fix: handles form target attribute in remote form redirects (#​15457)

v2.53.4

Compare Source

Patch Changes
  • fix: avoid Vite warning about unknown codeSplitting option (#​15451)

v2.53.3

Compare Source

Patch Changes
  • fix: prevent overlapping file metadata in remote functions form (faba869)

v2.53.2

Compare Source

Patch Changes
  • fix: server-render nested form value sets (#​15378)

  • fix: use deep partial types for form remote functions .value() and .set(...) (#​14837)

  • fix: provide correct url info to remote functions (#​15418)

  • fix: allow optional types for remote query/command/prerender functions (#​15293)

  • fix: allow commands in more places (#​15288)

v2.53.1

Compare Source

Patch Changes
  • fix: address warning about inlineDynamicImports when using Vite 8 (#​15403)

v2.53.0

Compare Source

Minor Changes
Patch Changes
  • fix: remove event listeners on form attachment cleanup (#​15286)

  • fix: apply queries refreshed in a form remote function when a redirect is thrown (#​15362)

v2.52.2

Compare Source

Patch Changes
  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#​15339)

  • fix: parse file offset table more strictly (f47c01b)

v2.52.0

Compare Source

Minor Changes
  • feat: match function to map a path back to a route id and params (#​14997)
Patch Changes
  • fix: respect scroll-margin when navigating to a url-supplied anchor (#​15246)

  • fix: resolve will narrow types to follow trailing slash page settings (#​15027)

v2.51.0

Compare Source

Minor Changes
  • feat: add scroll property to NavigationTarget in navigation callbacks (#​15248)

    Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

    • from.scroll: The scroll position at the moment navigation was triggered
    • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

    This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

  • feat: hydratable's injected script now works with CSP (#​15048)

Patch Changes
  • fix: put preloads before styles (#​15232)

  • fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#​15269)

  • fix: fetch not working when URL is same host but different than paths.base (#​15291)

  • fix: navigate to hash link when base element is present (#​15236)

  • fix: avoid triggering handleError when redirecting in a remote function (#​15222)

  • fix: include test directory in generated tsconfig.json alongside existing tests entry (#​15254)

  • fix: generate tsconfig.json using the value of kit.files.src (#​15253)

v2.50.2

Compare Source

Patch Changes
  • fix: ensure inlined CSS follows paths.assets and paths.relative settings (#​15153)

  • fix: emit script CSP nonces when unsafe-inline is present if strict-dynamic is also present (#​15221)

  • fix: re-export browser/dev from esm-env (#​15206)

  • fix: use validated args in batch resolver in both csr and ssr (#​15215)

  • fix: ensure CSS inlining includes components that are conditionally rendered (#​15153)

  • fix: only match rest params with matchers when the matcher matches (#​15216)

  • fix: properly handle percent-encoded anchors (e.g. <a href="#sparkles-%E2%9C%A8">) during prerendering. (#​15231)

v2.50.1

Compare Source

Patch Changes
  • fix: include hooks.server and hooks.universal as explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#​15178)

  • fix: improves fields type for generic components (#​14974)

  • fix: preload links if href changes (#​15191)

v2.50.0

Compare Source

Minor Changes
  • breaking: remove buttonProps from experimental remote form functions; use e.g. <button {...myForm.fields.action.as('submit', 'register')}>Register</button> button instead (#​15144)

v2.49.5

Compare Source

Patch Changes
  • fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

  • fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

  • fix: add length checks to remote forms (8ed8155)

v2.49.4

Compare Source

Patch Changes
  • fix: support instrumentation for vite preview (#​15105)

  • fix: support for URLSearchParams.has(name, value) overload (#​15076)

  • fix: put forking behind experimental.forkPreloads (#​15135)

v2.49.3

Compare Source

Patch Changes
  • fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#​15121)

  • fix: add typescript as an optional peer dependency (#​15074)

  • fix: use hasOwn check when deep-setting object properties (#​15127)

v2.49.2

Compare Source

Patch Changes
  • fix: Stop re-loading already-loaded CSS during server-side route resolution (#​15014)

  • fix: posixify the instrumentation file import on Windows (#​14993)

  • fix: Correctly handle shared memory when decoding binary form data (#​15028)

v2.49.1

Compare Source

Patch Changes
  • fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#​15013)

  • fix: TypeError when doing response.clone() in page load (#​15005)

v2.49.0

Compare Source

Minor Changes
  • feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#​14775)

v2.48.8

Compare Source

Patch Changes
  • breaking: invalid now must be imported from @sveltejs/kit (#​14768)

  • breaking: remove submitter option from experimental form validate() method, always provide default submitter (#​14762)

v2.48.7

Compare Source

Patch Changes
  • fix: allow multiple server-timing headers (#​14700)

  • fix: allow access to root-level issues in schema-less forms (#​14893)

  • fix: allow hosting hash-based apps from non-index.html files (#​14825)

v2.48.6

Compare Source

Patch Changes
  • fix: clear issues upon passing validation (#​14683)

  • fix: don't use fork of unrelated route (#​14947)

  • fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#​14949)

  • fix: preserve this when invoking standard validator (#​14943)

  • fix: treat client/universal hooks as entrypoints for illegal server import detection (#​14876)

  • fix: correct query .set and .refresh behavior in commands (#​14877)

  • fix: improved the accuracy of the types of the output of field.as('...') (#​14908)

v2.48.5

Compare Source

Patch Changes
  • fix: wait an extra microtask in dev before calling $_init_$ (#​14799)

  • fix: discard preload fork before creating a new one (#​14865)

  • fix: delete RemoteFormAllIssue, add path to RemoteFormIssue (#​14864)

v2.48.4

Compare Source

Patch Changes
  • fix: adjust query's promise implementation to properly allow chaining (#​14859)

  • fix: make prerender cache work, including in development (#​14860)

v2.48.3

Compare Source

Patch Changes
  • fix: include hash when using resolve with hash routing enabled (#​14786)

  • fix: afterNavigate callback not running after hydration when experimental async is enabled (#​14644)
    fix: Snapshot restore method not called after reload when experimental async is enabled

  • fix: expose issue.path in .allIssues() (#​14784)

v2.48.2

Compare Source

Patch Changes
  • fix: update DOM before running navigate callbacks (#​14829)

v2.48.1

Compare Source

Patch Changes
  • fix: wait for commit promise instead of settled (#​14818)

v2.48.0

Compare Source

Minor Changes
  • feat: use experimental fork API when available (#​14793)
Patch Changes
  • fix: await for settled instead of tick in navigate (#​14800)

v2.47.3

Compare Source

Patch Changes
  • fix: avoid hanging when error() is used while streaming promises from a server load function (#​14722)

  • chore: treeshake load function code if we know it's unused (#​14764)

  • fix: RecursiveFormFields type for recursive or unknown schemas (#​14734)

  • fix: rework internal representation of form value to be $state (#​14771)

v2.47.2

Compare Source

Patch Changes
  • fix: streamed promise not resolving when another load function returns a fast resolving promise (#​14753)

  • chore: allow to run preflight validation only (#​14744)

  • fix: update overload to set invalid type to schema input (#​14748)

v2.47.1

Compare Source

Patch Changes
  • fix: allow read to be used at the top-level of remote function files (#​14672)

  • fix: more robust remote files generation (#​14682)

v2.47.0

Compare Source

Minor Changes
Patch Changes
  • fix: resolve remote module syntax errors with trailing expressions (#​14728)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jan 15, 2026

Copy link
Copy Markdown

Deploying vim-jp-radio-lp with  Cloudflare Pages  Cloudflare Pages

Latest commit: 77071f9
Status:🚫  Build failed.

View logs

@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from d3a16a7 to 737d10c Compare January 21, 2026 08:16
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 737d10c to 6813d1e Compare February 2, 2026 18:29
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 6813d1e to 97b735e Compare February 12, 2026 10:38
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 97b735e to 82a1308 Compare March 5, 2026 14:54
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 82a1308 to 47afb5d Compare March 13, 2026 12:06
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-sveltejs-kit-vulnerability branch March 27, 2026 01:28
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] - autoclosed chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from 47afb5d to 63c334c Compare March 30, 2026 21:25
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from 08c5b0e to d26a192 Compare April 10, 2026 21:35
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] Apr 10, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] - autoclosed chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 3 times, most recently from c2bed4d to dadc3e4 Compare April 29, 2026 19:36
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from dadc3e4 to 5f9d2fe Compare May 9, 2026 13:51
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] May 9, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from 67ad903 to e5c3020 Compare May 9, 2026 14:18
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from 33483af to a500b3b Compare May 21, 2026 20:55
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] chore(deps): update dependency @sveltejs/kit to v2.60.1 [security] May 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from 87346cf to 2530db4 Compare June 1, 2026 17:53
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 2530db4 to 77071f9 Compare July 12, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants