chore(deps): update dependency svelte to v5.53.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.46.1 → 5.53.5
svelte (source)	5.2.8 → 5.53.5

GitHub Vulnerability Alerts

CVE-2025-15265

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

• Impact: Arbitrary JS execution in the client’s browser.
• Exploitability: Remote, single-request if key is attacker-controlled.
• Typical Outcomes:
  • Session/token theft
  • DOM defacement
  • CSRF bypass via injected JS
  • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CVE-2026-27119

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

CVE-2026-27121

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

CVE-2026-27122

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

CVE-2026-27125

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

CVE-2026-27901

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

---

Release Notes

sveltejs/svelte (svelte)

v5.53.5

Compare Source

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

v5.53.4

Compare Source

Patch Changes

• fix: set server context after async transformError (#​17799)

• fix: hydrate if blocks correctly (#​17784)

• fix: handle default parameters scope leaks (#​17788)

• fix: prevent flushed effects from running again (#​17787)

v5.53.3

Compare Source

Patch Changes

• fix: render :catch of #await block with correct key (#​17769)

• chore: pin aria-query@​5.3.1 (#​17772)

• fix: make string coercion consistent to toString (#​17774)

v5.53.2

Compare Source

Patch Changes

• fix: update expressions on server deriveds (#​17767)

• fix: further obfuscate node:crypto import from overzealous static analysis (#​17763)

v5.53.1

Compare Source

Patch Changes

• fix: handle shadowed function names correctly (#​17753)

v5.53.0

Compare Source

Minor Changes

• feat: allow comments in tags (#​17671)

• feat: allow error boundaries to work on the server (#​17672)

Patch Changes

• fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

• fix: ensure head effects are kept in the effect tree (#​17746)

• chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes

• feat: support TrustedHTML in {@​html} expressions (#​17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

• fix: re-run non-render-bound deriveds on the server (#​17674)

v5.51.5

Compare Source

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#​17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#​17739)

v5.51.4

Compare Source

Patch Changes

• chore: proactively defer effects in pending boundary (#​17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes

• fix: prevent event delegation logic conflicting between svelte instances (#​17728)

• fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

• fix: locate Rollup annontaion friendly to JS downgraders (#​17724)

• fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes

• fix: take async into consideration for dev delegated handlers (#​17710)

• fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes

• fix: don't crash on undefined document.contentType (#​17707)

• fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes

• feat: Use TrustedTypes for HTML handling where supported (#​16271)

Patch Changes

• fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

• fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

• fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes

• fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

• fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

• fix: always lowercase HTML elements, for XHTML compliance (#​17664)

• fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

• fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes

• fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

• fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

• chore: provide proper public type for parseCss result (#​17654)

• fix: robustify blocker calculation (#​17676)

• fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes

• fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

• fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes

• feat: allow use of createContext when instantiating components programmatically (#​17575)

Patch Changes

• fix: ensure infinite effect loops are cleared after flushing (#​17601)

• fix: allow {#key NaN} (#​17642)

• fix: detect store in each block expression regardless of AST shape (#​17636)

• fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

• fix: add vite-ignore comment inside dynamic crypto import (#​17623)

• chore: wrap JSDoc URLs in @see and @link tags (#​17617)

• fix: properly hydrate already-resolved async blocks (#​17641)

• fix: emit each_key_duplicate error in production (#​16724)

• fix: exit resolved async blocks on correct node when hydrating (#​17640)

v5.49.2

Compare Source

Patch Changes

• chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

• fix: avoid erroneous async derived expressions for blocks (#​17604)

• fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

• fix: reschedule effects inside unskipped branches (#​17604)

v5.49.1

Compare Source

Patch Changes

• fix: merge consecutive large text nodes (#​17587)

• fix: only create async functions in SSR output when necessary (#​17593)

• fix: properly separate multiline html blocks from each other in print() (#​17319)

• fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes

• feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)

Patch Changes

• fix: throw for unset createContext get on the server (#​17580)

• fix: reset effects inside skipped branches (#​17581)

• fix: preserve old dependencies when updating reaction inside fork (#​17579)

• fix: more conservative assignment_value_stale warnings (#​17574)

• fix: disregard popover elements when determining whether an element has content (#​17367)

• fix: fire introstart/outrostart events after delay, if specified (#​17567)

• fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

• fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

• fix: prevent unintended exports from namespaces (#​17562)

• fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes

• fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

• fix: hydration failing with settled async blocks (#​17539)

• fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

• fix: handle false dynamic components in SSR (#​17542)

• fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

• fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes

• fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes

• fix: hoist snippets above const in same block (#​17516)

• fix: properly hydrate await in {@​html} (#​17528)

• fix: batch resolution of async work (#​17511)

• fix: account for empty statements when visiting in transform async (#​17524)

• fix: avoid async overhead for already settled promises (#​17461)

• fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes

• feat: export parseCss from svelte/compiler (#​17496)

Patch Changes

• fix: handle non-string values in svelte:element this attribute (#​17499)

• fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes

• fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes

• feat: customizable <select> elements (#​17429)

Patch Changes

• fix: mark subtree of svelte boundary as dynamic (#​17468)

• fix: don't reset static elements with debug/snippets (#​17477)

v5.46.4

Compare Source

Patch Changes

• fix: use devalue.uneval to serialize hydratable keys (ef81048e238844b729942441541d6dcfe6c8ccca)

v5.46.3

Compare Source

Patch Changes

• fix: reconnect clean deriveds when they are read in a reactive context (#​17362)

• fix: don't transform references of function declarations in legacy mode (#​17431)

• fix: notify deriveds of changes to sources inside forks (#​17437)

• fix: always reconnect deriveds in get, when appropriate (#​17451)

• fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

• fix: correctly update writable deriveds inside forks (#​17437)

• fix: remove $inspect calls after await expressions when compiling for production server code (#​17407)

• fix: clear batch between runs (#​17424)

• fix: adjust loc property of Program nodes created from <script> elements (#​17428)

• fix: don't revert source to UNINITIALIZED state when time travelling (#​17409)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.