fix(deps): update dependency svelte to v5.46.4 [security] #15220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into main from renovate/npm-svelte-vulnerability

+3 −3

Contributor

renovate bot commented Jan 15, 2026

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	`^4.2.20` → `^5.0.0`
svelte (source)	`5.46.1` → `5.46.4`

GitHub Vulnerability Alerts

CVE-2025-15265

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

Impact: Arbitrary JS execution in the client’s browser.
Exploitability: Remote, single-request if key is attacker-controlled.
Typical Outcomes:
- Session/token theft
- DOM defacement
- CSRF bypass via injected JS
- Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

Release Notes

sveltejs/svelte (svelte)

`v5.46.4`

Patch Changes

fix: use devalue.uneval to serialize hydratable keys (ef81048e238844b729942441541d6dcfe6c8ccca)

`v5.46.3`

Patch Changes

fix: reconnect clean deriveds when they are read in a reactive context (#17362)

`v5.46.1`

Patch Changes

fix: type currentTarget in on function (#17370)
fix: skip static optimisation for stateless deriveds after await (#17389)
fix: prevent infinite loop when HMRing a component with an await (#17380)

`v5.46.0`

Minor Changes

feat: Add csp option to render(...), and emit hashes when using hydratable (#17338)

`v5.45.10`

Patch Changes

fix: race condition when importing AsyncLocalStorage (#17350)

`v5.45.9`

Patch Changes

fix: correctly reschedule deferred effects when reviving a batch after async work (#17332)
fix: correctly print !doctype during print (#17341)

`v5.45.8`

Patch Changes

fix: set AST root.start to 0 and root.end to template.length (#17125)
fix: prevent erroneous state_referenced_locally warnings on prop fallbacks (#17329)

`v5.45.7`

Patch Changes

fix: Add <textarea wrap="off"> as a valid attribute value (#17326)
fix: add more css selectors to print() (#17330)
fix: don't crash on hydratable serialization failure (#17315)

`v5.45.6`

Patch Changes

fix: don't issue a11y warning for <video> without captions if it has no src (#17311)
fix: add srcObject to permitted <audio>/<video> attributes (#17310)

`v5.45.5`

Patch Changes

fix: correctly reconcile each blocks after outroing branches are resumed (#17258)
fix: destroy each items after siblings are resumed (#17258)

`v5.45.4`

Patch Changes

chore: move DOM-related effect properties to effect.nodes (#17293)
fix: allow $props.id() to occur after an await (#17285)
fix: keep reactions up to date even when read outside of effect (#17295)

`v5.45.3`

Patch Changes

add props to state_referenced_locally (#17266)
fix: preserve node locations for better sourcemaps (#17269)
fix: handle cross-realm Promises in hydratable (#17284)

`v5.45.2`

Patch Changes

fix: array destructuring after await (#17254)
fix: throw on invalid {@tag}s (#17256)

`v5.45.1`

Patch Changes

fix: link offscreen items and last effect in each block correctly (#17240)

`v5.45.0`

Minor Changes

feat: add print(...) function (#16188)

`v5.44.1`

Patch Changes

fix: await blockers before initialising const (#17226)
fix: link offscreen items and last effect in each block correctly (#17244)
fix: generate correct code for simple destructurings (#17237)
fix: ensure each block animations don't mess with transitions (#17238)

`v5.44.0`

Minor Changes

feat: hydratable API (#17154)

`v5.43.15`

Patch Changes

fix: don't execute attachments and attribute effects eagerly (#17208)
chore: lift "flushSync cannot be called in effects" restriction (#17139)
fix: store forked derived values (#17212)

`v5.43.14`

Patch Changes

fix: correctly migrate named self closing slots (#17199)
fix: error at compile time instead of at runtime on await expressions inside bindings/transitions/animations/attachments (#17198)
fix: take async blockers into account for bindings/transitions/animations/attachments (#17198)

`v5.43.13`

Patch Changes

fix: don't set derived values during time traveling (#17200)

`v5.43.12`

Patch Changes

fix: maintain correct linked list of effects when updating each blocks (#17191)

`v5.43.11`

Patch Changes

perf: don't use tracing overeager during dev (#17183)
fix: don't cancel transition of already outroing elements (#17186)

`v5.43.10`

Patch Changes

fix: avoid other batches running with queued root effects of main batch (#17145)

`v5.43.9`

Patch Changes

fix: correctly handle functions when determining async blockers (#17137)
fix: keep deriveds reactive after their original parent effect was destroyed (#17171)
fix: ensure eager effects don't break reactions chain (#17138)
fix: ensure async @const in boundary hydrates correctly (#17165)
fix: take blockers into account when creating #await blocks (#17137)
fix: parallelize async @consts in the template (#17165)

`v5.43.8`

Patch Changes

fix: each block losing reactivity when items removed while promise pending (#17150)

`v5.43.7`

Patch Changes

fix: properly defer document title until async work is complete (#17158)
fix: ensure deferred effects can be rescheduled later on (#17147)
fix: take blockers of components into account (#17153)

`v5.43.6`

Patch Changes

fix: don't deactivate other batches (#17132)

`v5.43.5`

Patch Changes

fix: ensure async static props/attributes are awaited (#17120)
fix: wait on dependencies of async bindings (#17120)
fix: await dependencies of style directives (#17120)

`v5.43.4`

Patch Changes

chore: simplify connection/disconnection logic (#17105)
fix: reconnect deriveds to effect tree when time-travelling (#17105)

`v5.43.3`

Patch Changes

fix: ensure fork always accesses correct values (#17098)
fix: change title only after any pending work has completed (#17061)
fix: preserve symbols when creating derived rest properties (#17096)

`v5.43.2`

Patch Changes

fix: treat each blocks with async dependencies as uncontrolled (#17077)

`v5.43.1`

Patch Changes

fix: transform $bindable after await expressions (#17066)

`v5.43.0`

Minor Changes

feat: out-of-order rendering (#17038)

Patch Changes

fix: settle batch after DOM updates (#17054)

`v5.42.3`

Patch Changes

fix: handle <svelte:head> rendered asynchronously (#17052)
fix: don't restore batch in #await (#17051)

`v5.42.2`

Patch Changes

fix: better error message for global variable assignments (#17036)
chore: tweak memoizer logic (#17042)

`v5.42.1`

Patch Changes

fix: ignore fork discard() after commit() (#17034)

`v5.42.0`

Minor Changes

feat: experimental fork API (#17004)

Patch Changes

fix: always allow setContext before first await in component (#17031)
fix: less confusing names for inspect errors (#17026)

`v5.41.4`

Patch Changes

fix: take into account static blocks when determining transition locality (#17018)
fix: coordinate mount of snippets with await expressions (#17021)
fix: better optimization of await expressions (#17025)
fix: flush pending changes after rendering failed snippet (#16995)

`v5.41.3`

Patch Changes

chore: exclude vite optimized deps from stack traces (#17008)
perf: skip repeatedly traversing the same derived (#17016)

`v5.41.2`

Patch Changes

fix: keep batches alive until all async work is complete (#16971)
fix: don't preserve reactivity context across function boundaries (#17002)
fix: make $inspect logs come from the callsite (#17001)
fix: ensure guards (eg. if, each, key) run before their contents (#16930)

`v5.41.1`

Patch Changes

fix: place let: declarations before {@const} declarations (#16985)
fix: improve each_key_without_as error (#16983)
chore: centralise branch management (#16977)

`v5.41.0`

Minor Changes

feat: add $state.eager(value) rune (#16849)

Patch Changes

fix: preserve <select> state while focused (#16958)
chore: run boundary async effects in the context of the current batch (#16968)
fix: error if each block has key but no as clause (#16966)

`v5.40.2`

Patch Changes

fix: add hydration markers in pending branch of SSR boundary (#16965)

`v5.40.1`

Patch Changes

chore: Remove sync-in-async warning for server rendering (#16949)

`v5.40.0`

Minor Changes

feat: add createContext utility for type-safe context (#16948)

Patch Changes

chore: simplify batch.apply() (#16945)
fix: don't rerun async effects unnecessarily (#16944)

`v5.39.13`

Patch Changes

fix: add missing type for fr attribute for radialGradient tags in svg (#16943)
fix: unset context on stale promises (#16935)

`v5.39.12`

Patch Changes

fix: better input cursor restoration for bind:value (#16925)
fix: track the user's getter of bind:this (#16916)
fix: generate correct SSR code for the case where pending is an attribute (#16919)
fix: generate correct code for each blocks with async body (#16923)

`v5.39.11`

Patch Changes

fix: flush batches whenever an async value resolves (#16912)

`v5.39.10`

Patch Changes

fix: hydrate each blocks inside element correctly (#16908)
fix: allow await in if block consequent and alternate (#16890)
fix: don't replace rest props with $$props for excluded props (#16898)
fix: correctly transform $derived private fields on server (#16894)
fix: add UNKNOWN evaluation value before breaking for binding.initial===SnippetBlock (#16910)

`v5.39.9`

Patch Changes

fix: flush when pending boundaries resolve (#16897)

`v5.39.8`

Patch Changes

fix: check boundary pending attribute at runtime on server (#16855)
fix: preserve tuple type in $state.snapshot (#16864)
fix: allow await in svelte:boundary without pending (#16857)
fix: update bind:checked error message to clarify usage with radio inputs (#16874)

`v5.39.7`

Patch Changes

chore: simplify batch logic (#16847)
fix: rebase pending batches when other batches are committed (#16866)
fix: wrap async children in $$renderer.async (#16862)
fix: silence label warning for buttons and anchor tags with title attributes (#16872)
fix: coerce nullish <title> to empty string (#16863)

`v5.39.6`

Patch Changes

fix: depend on reads of deriveds created within reaction (async mode) (#16823)
fix: SSR regression of processing attributes of <select> and <option> (#16821)
fix: async class: + spread attributes were compiled into sync server-side code (#16834)
fix: ensure tick resolves within a macrotask (#16825)

`v5.39.5`

Patch Changes

fix: allow {@html await ...} and snippets with async content on the server (#16817)
fix: use nginx SSI-compatible comments for $props.id() (#16820)

`v5.39.4`

Patch Changes

fix: restore hydration state after await in <script> (#16806)

`v5.39.3`

Patch Changes

fix: remove outer hydration markers (#16800)
fix: async hydration (#16797)

`v5.39.2`

Patch Changes

fix: preserve SSR context when block expressions contain await (#16791)
chore: bump some devDependencies (#16787)

`v5.39.1`

Patch Changes

fix: add missing type for fr attribute for radialGradient tags in svg (#16943)
fix: unset context on stale promises (#16935)

`v5.39.0`

Minor Changes

feat: experimental async SSR (#16748)

Patch Changes

fix: correctly SSR hidden="until-found" (#16773)

`v5.38.10`

Patch Changes

fix: flush effects scheduled during boundary's pending phase (#16738)

`v5.38.9`

Patch Changes

chore: generate CSS hash using the filename (#16740)
fix: correctly analyze <object.property> components (#16711)
fix: clean up scheduling system (#16741)
fix: transform input defaults from spread (#16481)
fix: don't destroy contents of svelte:boundary unless the boundary is an error boundary (#16746)

`v5.38.8`

Patch Changes

fix: send $effect.pending count to the correct boundary (#16732)

`v5.38.7`

Patch Changes

fix: replace undefined with void(0) in CallExpressions (#16693)
fix: ensure batch exists when resetting a failed boundary (#16698)
fix: place store setup inside async body (#16687)

`v5.38.6`

Patch Changes

fix: don't fail on flushSync while flushing effects (#16674)

`v5.38.5`

Patch Changes

fix: ensure async deriveds always get dependencies from thennable (#16672)

`v5.38.3`

Patch Changes

fix: ensure correct order of template effect values (#16655)
fix: allow async {@const} in more places (#16643)
fix: properly catch top level await errors (#16619)
perf: prune effects without dependencies (#16625)
fix: only emit for_await_track_reactivity_loss in async mode (#16644)

`v5.38.2`

Patch Changes

perf: run blocks eagerly during flush instead of aborting (#16631)
fix: don't clone non-proxies in $inspect (#16617)
fix: avoid recursion error when tagging circular references (#16622)

`v5.38.1`

Patch Changes

fix: flush effects scheduled during boundary's pending phase (#16738)

`v5.38.0`

Minor Changes

feat: allow await inside @const declarations (#16542)

Patch Changes

fix: remount at any hydration error (#16248)
chore: emit await_reactivity_loss in for await loops (#16521)
fix: emit snippet_invalid_export instead of undefined_export for exported snippets (#16539)

`v5.37.3`

Patch Changes

fix: reset attribute cache after setting corresponding property (#16543)

`v5.37.2`

Patch Changes

fix: double event processing in firefox due to event object being garbage collected (#16527)
fix: add bindable dimension attributes types to SVG and MathML elements (#16525)
fix: correctly differentiate static fields before emitting duplicate_class_field (#16526)
fix: prevent last_propagated_event from being DCE'd (#16538)

`v5.37.1`

Patch Changes

chore: remove some todos (#16515)
fix: allow await expressions inside {#await ...} argument (#16514)
fix: append_styles in an effect to make them available on mount (#16509)
chore: remove parser.template_untrimmed (#16511)
fix: always inject styles when compiling as a custom element (#16509)

`v5.37.0`

Minor Changes

feat: ignore component options in compileModule (#16362)

Patch Changes

fix: always mark props as stateful (#16504)

`v5.36.17`

Patch Changes

fix: throw on duplicate class field declarations (#16502)
fix: add types for part attribute to svg attributes (#16499)

`v5.36.16`

Patch Changes

fix: don't update a focused input with values from its own past (#16491)
fix: don't destroy effect roots created inside of deriveds (#16492)

`v5.36.15`

Patch Changes

fix: preserve dirty status of deferred effects (#16487)

`v5.36.14`

Patch Changes

fix: keep input in sync when binding updated via effect (#16482)
fix: rename form accept-charset attribute (#16478)
fix: prevent infinite async loop (#16482)
fix: exclude derived writes from effect abort and rescheduling (#16482)

`v5.36.13`

Patch Changes

fix: ensure subscriptions are picked up correctly by deriveds (#16466)

`v5.36.12`

Patch Changes

chore: move capture_signals to legacy module (#16456)

`v5.36.10`

Patch Changes

fix: prevent batches from getting intertwined (#16446)

`v5.36.9`

Patch Changes

fix: don't reexecute derived with no dependencies on teardown (#16438)
fix: disallow export { foo as default } in <script module> (#16447)
fix: move ownership validation into async component body (#16449)
fix: allow async destructured deriveds (#16444)
fix: move store setup/cleanup outside of async component body (#16443)

`v5.36.8`

Patch Changes

fix: keep effect in the graph if it has an abort controller (#16430)
chore: Switch payload.out to an array (#16428)

`v5.36.7`

Patch Changes

fix: allow instrinsic <svelte:...> elements to inherit from SvelteHTMLElements (#16424)

`v5.36.6`

Patch Changes

fix: delegate functions with shadowed variables if declared locally (#16417)
fix: handle error in correct boundary after reset (#16171)
fix: make <svelte:boundary> reset function a noop after the first call (#16171)

`v5.36.5`

Patch Changes

fix: silence $inspect errors when the effect is about to be destroyed (#16391)
fix: more informative error when effects run in an infinite loop (#16405)

`v5.36.4`

Patch Changes

fix: avoid microtask in flushSync (#16394)
fix: ensure compiler state is reset before compilation (#16396)

`v5.36.3`

Patch Changes

fix: don't log await_reactivity_loss warning when signal is read in untrack (#16385)
fix: better handle $inspect on array mutations (#16389)
fix: leave proxied array length untouched when deleting properties (#16389)
fix: update $effect.pending() immediately after a batch is removed (#16382)

`v5.36.2`

Patch Changes

fix: add $effect.pending() to types (#16376)
fix: add pending snippet to <svelte:boundary> types (#16379)

`v5.36.1`

Patch Changes

fix: throw on duplicate class field declarations (#16502)
fix: add types for part attribute to svg attributes (#16499)

`v5.36.0`

Minor Changes

feat: support await in components when using the experimental.async compiler option (#15844)

Patch Changes

fix: silence a11y warning for inert elements (#16339)
chore: clean up a11y analysis code (#16345)

`v5.35.7`

Patch Changes

fix: silence autofocus a11y warning inside <dialog> (#16341)
fix: don't show adjusted error messages in boundaries (#16360)
chore: replace inline regex with variable (#16340)

`v5.35.6`

Patch Changes

chore: simplify reaction/source ownership tracking (#16333)
chore: simplify internal component pop() (#16331)

`v5.35.5`

Patch Changes

fix: associate sources in Spring/Tween/SvelteMap/SvelteSet with correct reaction (#16325)
fix: re-evaluate derived props during teardown (#16278)

`v5.35.4`

Patch Changes

fix: abort and reschedule effect processing after state change in user effect (#16280)

`v5.35.3`

Patch Changes

fix: account for mounting when select_option in attribute_effect (#16309)
fix: do not proxify the value assigned to a derived (#16302)

`v5.35.2`

Patch Changes

fix: bump esrap (#16295)

`v5.35.1`

Patch Changes

feat: add parent hierarchy to __svelte_meta objects (#16255)

`v5.35.0`

Minor Changes

feat: add getAbortSignal() (#16266)

Patch Changes

chore: simplify props (#16270)

`v5.34.9`

Patch Changes

fix: ensure unowned deriveds can add themselves as reactions while connected (#16249)

`v5.34.8`

Patch Changes

fix: untrack $inspect.with and add check for unsafe mutation (#16209)
fix: use fine grained for template if the component is not explicitly in legacy mode (#16232)
lift unsafe_state_mutation constraints for SvelteSet, SvelteMap, SvelteDate, SvelteURL and SvelteURLSearchParams created inside the derived (#16221)

`v5.34.7`

Patch Changes

fix: address css class matching regression (#16204)

`v5.34.6`

Patch Changes

fix: match class and style directives against attribute selector (#16179)

`v5.34.5`

Patch Changes

fix: keep spread non-delegated event handlers up to date (#16180)
fix: remove undefined attributes on hydration (#16178)
fix: ensure sources within nested effects still register correctly (#16193)
fix: avoid shadowing a variable in dynamic components ([#16185](https://redirect.githu

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the dependencies label

Contributor Author

renovate bot commented Jan 15, 2026 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 566 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 23, reused 0, downloaded 0, added 0
Progress: resolved 29, reused 0, downloaded 0, added 0
Progress: resolved 35, reused 0, downloaded 0, added 0
Progress: resolved 36, reused 0, downloaded 0, added 0
Progress: resolved 63, reused 0, downloaded 0, added 0
Progress: resolved 74, reused 0, downloaded 0, added 0
Progress: resolved 129, reused 0, downloaded 0, added 0
Progress: resolved 133, reused 0, downloaded 0, added 0
Progress: resolved 146, reused 0, downloaded 0, added 0
 WARN  Request took 12204ms: https://registry.npmjs.org/typescript
Progress: resolved 148, reused 0, downloaded 0, added 0
Progress: resolved 154, reused 0, downloaded 0, added 0
packages/db                              |  WARN  deprecated [email protected]
Progress: resolved 168, reused 0, downloaded 0, added 0
 WARN  Request took 10600ms: https://registry.npmjs.org/@playwright%2Ftest
Progress: resolved 171, reused 0, downloaded 0, added 0
 WARN  Request took 11644ms: https://registry.npmjs.org/tailwindcss
Progress: resolved 174, reused 0, downloaded 0, added 0
Progress: resolved 195, reused 0, downloaded 0, added 0
Progress: resolved 206, reused 0, downloaded 0, added 0
Progress: resolved 211, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/withastro/astro/packages/integrations/svelte/test/fixtures/async-rendering:
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for [email protected] published by Wed Jan 14 2026 13:36:31 GMT+0000 (Coordinated Universal Time) while fetching it from https://registry.npmjs.org/. Version 5.46.4 satisfies the specs but was released at Thu Jan 15 2026 16:24:28 GMT+0000 (Coordinated Universal Time)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/withastro/astro/packages/integrations/svelte/test/fixtures/async-rendering

The latest release of svelte is "5.46.4". Published at 1/15/2026

Other releases are:
  * next: 5.0.0-next.272 published at 10/19/2024

If you need the full list of all 1030 published versions run "$ pnpm view svelte versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude

changeset-bot bot commented Jan 15, 2026 •

edited

Loading

⚠️ No Changeset found

Latest commit: 116cf3a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions bot added pkg: svelte pkg: integration labels


          fix(deps): update dependency svelte to v5.46.4 [security]

116cf3a

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 922bf0d to 116cf3a Compare

January 17, 2026 13:37

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies pkg: integration pkg: svelte