Skip to content

chore(deps): update dependency svelte to v5.51.5 [security]#3373

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-svelte-vulnerability
Open

chore(deps): update dependency svelte to v5.51.5 [security]#3373
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-svelte-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 20, 2026

This PR contains the following updates:

Package Change Age Confidence
svelte (source) 5.49.15.51.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-27119

In certain circumstances, the server-side rendering output of an <option> element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27122

When using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected.

CVE-2026-27121

Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers.

Release Notes

sveltejs/svelte (svelte)

v5.51.5

Compare Source

Patch Changes

v5.51.4

Compare Source

Patch Changes

  • chore: proactively defer effects in pending boundary (#​17734)

  • fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes

  • fix: prevent event delegation logic conflicting between svelte instances (#​17728)

  • fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

  • fix: locate Rollup annontaion friendly to JS downgraders (#​17724)

  • fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes

  • fix: take async into consideration for dev delegated handlers (#​17710)

  • fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes

  • fix: don't crash on undefined document.contentType (#​17707)

  • fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes
  • feat: Use TrustedTypes for HTML handling where supported (#​16271)
Patch Changes

  • fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

  • fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

  • fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes

  • fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

  • fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

  • fix: always lowercase HTML elements, for XHTML compliance (#​17664)

  • fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

  • fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes

  • fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

  • fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

  • chore: provide proper public type for parseCss result (#​17654)

  • fix: robustify blocker calculation (#​17676)

  • fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes

  • fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

  • fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes
  • feat: allow use of createContext when instantiating components programmatically (#​17575)
Patch Changes

  • fix: ensure infinite effect loops are cleared after flushing (#​17601)

  • fix: allow {#key NaN} (#​17642)

  • fix: detect store in each block expression regardless of AST shape (#​17636)

  • fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

  • fix: add vite-ignore comment inside dynamic crypto import (#​17623)

  • chore: wrap JSDoc URLs in @see and @link tags (#​17617)

  • fix: properly hydrate already-resolved async blocks (#​17641)

  • fix: emit each_key_duplicate error in production (#​16724)

  • fix: exit resolved async blocks on correct node when hydrating (#​17640)

v5.49.2

Compare Source

Patch Changes

  • chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

  • fix: avoid erroneous async derived expressions for blocks (#​17604)

  • fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

  • fix: reschedule effects inside unskipped branches (#​17604)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate bot enabled auto-merge (squash) February 20, 2026 16:31
@vercel
Copy link

vercel bot commented Feb 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
live-visual-editing-next Ready Ready Preview, Comment Feb 20, 2026 4:33pm
visual-editing-next Ready Ready Preview, Comment Feb 20, 2026 4:33pm
visual-editing-page-builder-demo Ready Ready Preview, Comment Feb 20, 2026 4:33pm
visual-editing-storybook Ready Ready Preview, Comment Feb 20, 2026 4:33pm
visual-editing-studio Ready Ready Preview Feb 20, 2026 4:33pm
5 Skipped Deployments
Project Deployment Actions Updated (UTC)
visual-editing-astro Ignored Ignored Feb 20, 2026 4:33pm
visual-editing-next-with-i18n Ignored Ignored Feb 20, 2026 4:33pm
visual-editing-nuxt Ignored Ignored Feb 20, 2026 4:33pm
visual-editing-remix Ignored Ignored Feb 20, 2026 4:33pm
visual-editing-svelte Ignored Ignored Feb 20, 2026 4:33pm

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Feb 20, 2026

⚠️ No Changeset found

Latest commit: 7be986d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security
Copy link

socket-security bot commented Feb 20, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​types/​react@​19.2.13 ⏵ 19.2.14100 +110079 +195100
Updatednpm/​next@​16.2.0-canary.29 ⏵ 16.2.0-canary.5381 +149991 +198 +170
Updatednpm/​turbo@​2.8.2 ⏵ 2.8.101001008597 +1100
Updatednpm/​svelte@​5.49.1 ⏵ 5.51.588 +1100 +688 +198 +1100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants