chore(deps): update dependency @sveltejs/kit to v2.52.2 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.8.4 → 2.52.2
@sveltejs/kit (source)	2.49.4 → 2.52.2

GitHub Vulnerability Alerts

CVE-2025-32388

Summary

Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

Details

SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over the these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.

packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.

Reproduction

In a +page.server.js or +layout.server.js:

/** @​type {import('@​sveltejs/kit').Load} */
export function load(event) {
  const values = {};

  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}

If a user visits the page in question via a link containing ?</script/><script>window.pwned%3D1</script/>, the </script> will be included verbatim in the payload, causing the embedded script to be executed.

It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.

Impact

Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE-2026-22803

Summary

The experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion.

Details

When a form is submitted to a remote function endpoint, the SvelteKit client encodes the data using a custom format, and POSTs it to the endpoint as a request with an application/x-sveltekit-formdata content type.

The first few bytes of the request body encode the length of the data. SvelteKit will attempt to read the request body up until the specified offset, but if the body is not yet available then an array buffer of that size will be created eagerly to accommodate it as it arrives.

An attacker can force this code path by sending a small payload that specifies a large data length, then stalling the connection. The resulting array buffer will be held in memory, potentially causing memory exhaustion.

Impact

• Vulnerability type: Availability / memory exhaustion (memory amplification).
• Who is impacted: SvelteKit apps with experimental.remoteFunctions enabled, and that expose a reachable Remote Form endpoint.
• Attack: an unauthenticated attacker can repeatedly open connections, send only the 8-byte header/prefix (with large data_length), and stall the body to hold large allocations, exhausting memory.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2025-67647

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

• your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

• your app has at least one prerendered route (export const prerender = true)
• AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo)
• d-xuan (wednesday)

Severity

• CVSS Score: 8.4 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N

GHSA-88qp-p4qg-rqm6

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.52.2

Compare Source

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#​15339)

• fix: parse file offset table more strictly (f47c01b)

v2.52.0

Compare Source

Minor Changes

• feat: match function to map a path back to a route id and params (#​14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#​15246)

• fix: resolve will narrow types to follow trailing slash page settings (#​15027)

v2.51.0

Compare Source

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#​15248)

  Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

  • from.scroll: The scroll position at the moment navigation was triggered
  • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

  This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

• feat: hydratable's injected script now works with CSP (#​15048)

Patch Changes

• fix: put preloads before styles (#​15232)

• fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#​15269)

• fix: fetch not working when URL is same host but different than paths.base (#​15291)

• fix: navigate to hash link when base element is present (#​15236)

• fix: avoid triggering handleError when redirecting in a remote function (#​15222)

• fix: include test directory in generated tsconfig.json alongside existing tests entry (#​15254)

• fix: generate tsconfig.json using the value of kit.files.src (#​15253)

v2.50.2

Compare Source

Patch Changes

• fix: ensure inlined CSS follows paths.assets and paths.relative settings (#​15153)

• fix: emit script CSP nonces when unsafe-inline is present if strict-dynamic is also present (#​15221)

• fix: re-export browser/dev from esm-env (#​15206)

• fix: use validated args in batch resolver in both csr and ssr (#​15215)

• fix: ensure CSS inlining includes components that are conditionally rendered (#​15153)

• fix: only match rest params with matchers when the matcher matches (#​15216)

• fix: properly handle percent-encoded anchors (e.g. <a href="#sparkles-%E2%9C%A8">) during prerendering. (#​15231)

v2.50.1

Compare Source

Patch Changes

• fix: include hooks.server and hooks.universal as explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#​15178)

• fix: improves fields type for generic components (#​14974)

• fix: preload links if href changes (#​15191)

v2.50.0

Compare Source

Minor Changes

• breaking: remove buttonProps from experimental remote form functions; use e.g. <button {...myForm.fields.action.as('submit', 'register')}>Register</button> button instead (#​15144)

v2.49.5

Compare Source

Patch Changes

• fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

• fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

• fix: add length checks to remote forms (8ed8155)

v2.49.4

Compare Source

Patch Changes

• fix: support instrumentation for vite preview (#​15105)

• fix: support for URLSearchParams.has(name, value) overload (#​15076)

• fix: put forking behind experimental.forkPreloads (#​15135)

v2.49.3

Compare Source

Patch Changes

• fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#​15121)

• fix: add typescript as an optional peer dependency (#​15074)

• fix: use hasOwn check when deep-setting object properties (#​15127)

v2.49.2

Compare Source

Patch Changes

• fix: Stop re-loading already-loaded CSS during server-side route resolution (#​15014)

• fix: posixify the instrumentation file import on Windows (#​14993)

• fix: Correctly handle shared memory when decoding binary form data (#​15028)

v2.49.1

Compare Source

Patch Changes

• fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#​15013)

• fix: TypeError when doing response.clone() in page load (#​15005)

v2.49.0

Compare Source

Minor Changes

• feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#​14775)

v2.48.8

Compare Source

Patch Changes

• breaking: invalid now must be imported from @sveltejs/kit (#​14768)

• breaking: remove submitter option from experimental form validate() method, always provide default submitter (#​14762)

v2.48.7

Compare Source

Patch Changes

• fix: allow multiple server-timing headers (#​14700)

• fix: allow access to root-level issues in schema-less forms (#​14893)

• fix: allow hosting hash-based apps from non-index.html files (#​14825)

v2.48.6

Compare Source

Patch Changes

• fix: clear issues upon passing validation (#​14683)

• fix: don't use fork of unrelated route (#​14947)

• fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#​14949)

• fix: preserve this when invoking standard validator (#​14943)

• fix: treat client/universal hooks as entrypoints for illegal server import detection (#​14876)

• fix: correct query .set and .refresh behavior in commands (#​14877)

• fix: improved the accuracy of the types of the output of field.as('...') (#​14908)

v2.48.5

Compare Source

Patch Changes

• fix: wait an extra microtask in dev before calling $_init_$ (#​14799)

• fix: discard preload fork before creating a new one (#​14865)

• fix: delete RemoteFormAllIssue, add path to RemoteFormIssue (#​14864)

v2.48.4

Compare Source

Patch Changes

• fix: adjust query's promise implementation to properly allow chaining (#​14859)

• fix: make prerender cache work, including in development (#​14860)

v2.48.3

Compare Source

Patch Changes

• fix: include hash when using resolve with hash routing enabled (#​14786)

• fix: afterNavigate callback not running after hydration when experimental async is enabled (#​14644)
  fix: Snapshot restore method not called after reload when experimental async is enabled

• fix: expose issue.path in .allIssues() (#​14784)

v2.48.2

Compare Source

Patch Changes

• fix: update DOM before running navigate callbacks (#​14829)

v2.48.1

Compare Source

Patch Changes

• fix: wait for commit promise instead of settled (#​14818)

v2.48.0

Compare Source

Minor Changes

• feat: use experimental fork API when available (#​14793)

Patch Changes

• fix: await for settled instead of tick in navigate (#​14800)

v2.47.3

Compare Source

Patch Changes

• fix: avoid hanging when error() is used while streaming promises from a server load function (#​14722)

• chore: treeshake load function code if we know it's unused (#​14764)

• fix: RecursiveFormFields type for recursive or unknown schemas (#​14734)

• fix: rework internal representation of form value to be $state (#​14771)

v2.47.2

Compare Source

Patch Changes

• fix: streamed promise not resolving when another load function returns a fast resolving promise (#​14753)

• chore: allow to run preflight validation only (#​14744)

• fix: update overload to set invalid type to schema input (#​14748)

v2.47.1

Compare Source

Patch Changes

• fix: allow read to be used at the top-level of remote function files (#​14672)

• fix: more robust remote files generation (#​14682)

v2.47.0

Compare Source

Minor Changes

• feat: add signal property to request (#​14715)

Patch Changes

• fix: resolve remote module syntax errors with trailing expressions (#​14728)

v2.46.5

Compare Source

Patch Changes

• fix: ensure form remote functions' fields.set triggers reactivity (#​14661)

v2.46.4

Compare Source

Patch Changes

• fix: prevent access of Svelte 5-only untrack function (#​14658)

v2.46.3

Compare Source

Patch Changes

• fix: merge field.set(...) calls (#​14651)

• fix: don't automatically reset form after an enhanced submission (#​14626)

• fix: normalize path strings when updating field values (#​14649)

v2.46.2

Compare Source

Patch Changes

• fix: prevent code execution order issues around SvelteKit's env modules (#​14637)

v2.46.1

Compare Source

Patch Changes

• fix: use $derived for form fields (#​14621)

• docs: remove @example blocks to allow docs to deploy (#​14636)

• fix: require a value with submit and hidden fields (#​14635)

• fix: delete hydration cache on effect teardown (#​14611)

v2.46.0

Compare Source

Minor Changes

• feat: imperative form validation (#​14624)

Patch Changes

• fix: wait a tick before collecting form data for validation (#​14631)

• fix: prevent code execution order issues around SvelteKit's env modules (#​14632)

v2.45.0

Compare Source

Minor Changes

• feat: form.for(id) now implicitly sets id on form object (#​14623)

Patch Changes

• fix: allow fetch in remote function without emitting a warning (#​14610)

v2.44.0

Compare Source

Minor Changes

• feat: expose event.route and event.url to remote functions (#​14606)

• breaking: update experimental form API (#​14481)

Patch Changes

• fix: don't crawl error responses during prerendering (#​14596)

v2.43.8

Compare Source

Patch Changes

• fix: HMR for query (#​14587)

• fix: avoid client modules while traversing dependencies to prevent FOUC during dev (#​14577)

• fix: skip prebundling of .remote.js files (#​14583)

• fix: more robust remote file pattern matching (#​14578)

v2.43.7

Compare Source

Patch Changes

• fix: correctly type the result of form remote functions that do not accept data (#​14573)

• fix: force remote module chunks to isolate themselves (#​14571)

v2.43.6

Compare Source

Patch Changes

• fix: ensure cache key is consistent between client/server (#​14563)

• fix: keep resolve relative to initial base during prerender (#​14533)

• fix: avoid including HEAD twice when an unhandled HTTP method is used in a request to a +server handler that has both a GET handler and a HEAD handler (#​14564)

• fix: smoothscroll to deep link (#​14569)

v2.43.5

Compare Source

Patch Changes

• fix: fall back to non-relative resolution when calling resolve(...) outside an event context (#​14532)

v2.43.4

Compare Source

Patch Changes

• fix: Webcontainer AsyncLocalStorage workaround (#​14526)

v2.43.3

Compare Source

Patch Changes

• fix: Webcontainer AsyncLocalStorage workaround (#​14521)

• fix: include the value of form submitters on form remote functions (#​14475)

v2.43.2

Compare Source

Patch Changes

• fix: ensure rendering starts off synchronously (#​14517)

• fix: keep serialized remote data alive until navigation (#​14508)

v2.43.1

Compare Source

Patch Changes

• fix: consistently use bare import for internals (#​14506)

v2.43.0

Compare Source

Minor Changes

• feat: experimental async SSR (#​14447)

Patch Changes

• fix: ensure __SVELTEKIT_PAYLOAD__.data is accessed safely (#​14491)

• fix: create separate cache entries for non-exported remote function queries (#​14499)

v2.42.2

Compare Source

Patch Changes

• fix: prevent loops in postbuild analysis phase (#​14450)

• fix: handle nested object fields in form data (#​14469)

• fix: robustify form helper types (#​14463)

• fix: avoid running the init hook during builds if there's nothing to prerender (#​14464)

• fix: ensure SSR rendering gets request store context (#​14476)

v2.42.1

Compare Source

Patch Changes

• fix: ensure environment setup is in its own chunk (#​14441)

v2.42.0

Compare Source

Minor Changes

• feat: enhance remote form functions with schema support, input and issues properties (#​14383)

• breaking: remote form functions get passed a parsed POJO instead of a FormData object now (#​14383)

v2.41.0

Compare Source

Minor Changes

• feat: add %sveltekit.version% to app.html (#​12132)

Patch Changes

• fix: allow remote functions to return custom types serialized with transport hooks (#​14435)

• fix: fulfil beforeNavigate complete when redirected (#​12896)

v2.40.0

Compare Source

Minor Changes

• feat: include event property on popstate/link/form navigation (#​14307)

Patch Changes

• fix: respect replaceState/keepFocus/noScroll when a navigation results in a redirect (#​14424)

• fix: invalidate preload cache when invalidateAll is true (#​14420)

v2.39.1

Compare Source

Patch Changes

• fix: more robust remote function code transformation (#​14418)

v2.39.0

Compare Source

Minor Changes

• feat: lazy discovery of remote functions (#​14293)

Patch Changes

• fix: layout load data not serialized on error page (#​14395)

• fix: fail prerendering when remote function fails (#​14365)

• fix: treat handle hook redirect as part of remote function call as json redirect (#​14362)

v2.38.1

Compare Source

Patch Changes

• fix: enable redirects from queries (#​14400)

• fix: remove empty nodes from serialized server load data (#​14404)

• fix: allow commands from within endpoints (#​14343)

v2.38.0

Compare Source

Minor Changes

• feat: add new remote function query.batch (#​14272)

v2.37.1

Compare Source

Patch Changes

• fix: serialize server load data before passing to universal load, to handle mutations and promises (#​14298)

• fix: resolve_route prevent dropping a trailing slash of id (#​14294)

• fix: assign correct status code to form submission error on the client (#​14345)

• fix: un-proxy form.result (#​14346)

v2.37.0

Compare Source

Minor Changes

• feat: automatically resolve query.refresh() promises on the server (#​14332)

• feat: allow query.set() to be called on the server (#​14304)

Patch Changes

• fix: disable CSRF checks in dev (#​14335)

• fix: allow redirects to external URLs from within form functions (#​14329)

• fix: add type definitions for query.set() method to override the value of a remote query function (#​14303)

• fix: ensure uniqueness of form.for(...) across form functions (#​14327)

v2.36.3

Compare Source

Patch Changes

• fix: bump devalue (#​14323)

• chore: consolidate dev checks to use esm-env instead of a __SVELTEKIT_DEV__ global (#​14308)

• fix: reset form inputs by default when using remote form functions (#​14322)

v2.36.2

Compare Source

Patch Changes

• chore: make config deprecation warnings more visible (#​14281)

• chore: remove redundant Not Found error message (#​14289)

• chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] (#​14281)

v2.36.1

Compare Source

Patch Changes

• fix: ensure importing from $app/navigation works in test files (#​14195)

v2.36.0

Compare Source

Minor Changes

• feat: add csrf.trustedOrigins configuration (#​14021)

Patch Changes

• fix: correctly decode custom types streamed from a server load function (#​14261)

• fix: add trailing slash pathname when generating typed routes (#​14065)

v2.35.0

Compare Source

Minor Changes

• feat: better server-side error logging (#​13990)

Patch Changes

• fix: ensure static error page is loaded correctly for custom user errors (#​13952)

v2.34.1

Compare Source

Patch Changes

• fix: support multiple cookies with the same name across different paths and domains (b2c5d02)

• fix: add link header when preloading font (#​14200)

• fix: cookies.get(...) returns undefined for a just-deleted cookie (b2c5d02)

• fix: load env before prerender (c5f7139)

v2.34.0

Compare Source

Minor Changes

• feat: allow dynamic env access during prerender (#​14243)

Patch Changes

• fix: clone fetch responses so that headers are mutable (#​13942)

• fix: serialize server load data before passing to universal load, to handle mutations (#​14268)

• fix: allow asset(...) to be used with imported assets (#​14270)

v2.33.1

Compare Source

Patch Changes

• fix: make paths in .css assets relative (#​14262)

• fix: avoid copying SSR stylesheets to client assets (#​13069)

v2.33.0

Compare Source

Minor Changes

• feat: configure error reporting when routes marked as prerendable were not prerendered (#​11702)

Patch Changes

• fix: use correct flag for server tracing (#​14250)

• fix: correct type names for new handleUnseenRoutes option (#​14254)

• chore: Better docs and error message for missing @opentelemetry/api dependency (#​14250)

v2.32.0

Compare Source

Minor Changes

• feat: inline load fetch response.body stream data as base64 in page (#​11473)

Patch Changes

• fix: better error when .remote.ts files are used without the experimental.remoteFunctions flag (#​14225)

v2.31.1

Compare Source

Patch Changes

• fix: pass options to resolve in resolveId hook (#​14223)

v2.31.0

Compare Source

Minor Changes

• feat: OpenTelemetry tracing for handle, sequence, form actions, remote functions, and load functions running on the server (#​13899)

• feat: add instrumentation.server.ts for tracing and observability setup (#​13899)

v2.30.1

Compare Source

Patch Changes

• chore: generate $app/types in a more Typescript-friendly way (#​14207)

v2.30.0

Compare Source

Minor Changes

• feat: allow to specify options for the service worker in svelte.config.js (#​13578)

Patch Changes

• fix: ensure buttonProps.enhance works on buttons with nested text (#​14199)

• fix: pass validation issues specifically to avoid non-enumerable spreading error (#​14197)

v2.29.1

Compare Source

Patch Changes

• chore: allow remote functions in all of the src directory (#​14198)

v2.29.0

Compare Source

Minor Changes

• feat: add a kit.files.src option (#​14152)

Patch Changes

• fix: don't treat $lib/server.ts or $lib/server_whatever.ts as server-only modules, only $lib/server/** (#​14191)

• fix: make illegal server-only import errors actually useful (#​14155)

• chore: deprecate config.kit.files options (#​14152)

• fix: avoid warning if page options in a Svelte file belongs to a comment (#​14180)

v2.28.0

Compare Source

Minor Changes

• feat: add RouteId and RouteParams to NavigationTarget interface (#​14167)

• feat: add pending property to forms and commands (#​14137)

Patch Changes

• fix: fetch imported assets during prerender (#​12201)

• chore: refactor redundant base64 encoding/decoding functions (#​14160)

• fix: use correct cache result when fetching same url multiple times (#​12355)

• fix: don't refresh queries automatically when running commands (#​14170)

• fix: avoid writing remote function bundle to disk when treeshaking prerendered queries (#​14161)

v2.27.3

Compare Source

Patch Changes

• chore: add .git to the end of package.json repository url (#​14134)

v2.27.2

Compare Source

Patch Changes

• fix: ensure form() remote functions work when the app is configured to a single output (#​14127)

• fix: use the configured base path when calling remote functions from the client (#​14106)

v2.27.1

Compare Source

Patch Changes

• fix: correctly type remote function input parameters from a schema (#​14098)

• fix: match URL-encoded newlines in rest route params (#​14102)

• fix: correctly spell server-side in error messages (#​14101)

v2.27.0

Compare Source

Minor Changes

• feat: remote functions (#​13986)

v2.26.1

Compare Source

Patch Changes

• fix: posixify internal app server path (#​14049)

• fix: ignore route groups when generating typed routes (#​14050)

v2.26.0

Compare Source

Minor Changes

• feat: better type-safety for page.route.id, page.params, page.url.pathname and various other places (#​13864)

• feat: resolve(...) and asset(...) helpers for resolving paths (#​13864)

• feat: Add $app/types module with Asset, RouteId, Pathname, ResolvedPathname RouteParams<T> and LayoutParams<T> (#​13864)

v2.25.2

Compare Source

Patch Changes

• fix: correctly set URL when navigating during an ongoing navigation (#​14004)

v2.25.1

Compare Source

Patch Changes

• fix: add missing params property (#​14012)

v2.25.0

Compare Source

Minor Changes

• feat: support asynchronous read implementations from adapters (#​13859)

Patch Changes

• fix: log when no Svelte config file has been found to avoid confusion (#​14001)

v2.24.0

Compare Source

Minor Changes

• feat: typed params prop for page/layout components (#​13999)

Patch Changes

• fix: treeshake internal storage.get helper (#​13998)

v2.23.0

Compare Source

Minor Changes

• feat: support svelte.config.ts (#​13935)

  NOTE

  Your runtime has to support importing TypeScript files for svelte.config.ts to work.
  In Node.js, the feature is supported with the --experimental-strip-types flag starting in Node 22.6.0 and supported without a flag starting in Node 23.6.0.

Patch Changes

• fix: extend vite-plugin-svelte's Config type instead of duplicating it (#​13982)

• fix: regression with rolldown-vite not bundling a single JS file for single and inline apps (#​13941)

v2.22.5

[Compare Source](https://redirect.github.com/sveltejs/kit/compare/@sveltejs/kit@2.22.4...@sveltejs/kit@2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.