Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency svelte [security] #84

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency svelte [security] #84

wants to merge 1 commit into from
+4,762 −3,685

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 30, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
svelte (source) ^3.57.0 -> ^5.0.0 age adoption passing confidence
svelte (source) ^3.57.0 -> ^4.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> "
    • & -> &
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

v5.14.2

Compare Source

Patch Changes

  • fix: correctly highlight first rerun of $inspect.trace (#​14734)

  • chore: more loose parser improvements (#​14733)

v5.14.1

Compare Source

Patch Changes
  • fix: improve unowned derived performance (#​14724)

v5.14.0

Compare Source

Minor Changes

v5.13.0

Compare Source

Minor Changes

  • feat: add outro option to unmount (#​14540)

  • feat: provide loose parser mode (#​14691)

v5.12.0

Compare Source

Minor Changes
  • feat: expose more AST types from "svelte/compiler" (#​14601)
Patch Changes

  • fix: don't add parenthesis to media query if already present (#​14699)

  • fix: ensure if block paths retain correct template namespacing (#​14685)

v5.11.3

Compare Source

Patch Changes

  • fix: allow unquoted slash in attributes (#​14615)

  • fix: better handle hydration of script/style elements (#​14683)

  • fix: make defaultValue work with spread (#​14640)

  • fix: avoid mutation validation for invalidate_inner_signals (#​14688)

v5.11.2

Compare Source

Patch Changes
  • fix: correctly handle ssr for reactivity/window (#​14681)

v5.11.1

Compare Source

Patch Changes

  • fix: account for global block in is_empty (#​14677)

  • fix: remove overzealous reactive_declaration_non_reactive_property warning (#​14663)

v5.11.0

Compare Source

Minor Changes
  • feat: add svelte/reactivity/window module (#​14660)
Patch Changes
  • fix: take into account registration state when setting custom element props (#​14508)

v5.10.1

Compare Source

Patch Changes

  • fix: ensure snippet hoisting works in the correct scope (#​14642)

  • fix: ensure $state.snapshot clones holey arrays correctly (#​14657)

  • fix: restore input binding selection position (#​14649)

  • fix: transform everything that is not a selector inside :global (#​14577)

  • Overwrite Spring.#last_value when using .set() with {instant: true} (#​14656)

  • fix: don't emit assignment warnings for bindings (#​14651)

v5.10.0

Compare Source

Minor Changes
  • feat: provide links to documentation for errors/warnings (#​14629)
Patch Changes

  • fix: allow exports with source from script module even if no bind is present (#​14620)

  • fix: deconflict get_name for literal class properties (#​14607)

v5.9.1

Compare Source

Patch Changes
  • fix: mark subtree dynamic for bind with sequence expressions (#​14626)

v5.9.0

Compare Source

Minor Changes
  • feat: add support for bind getters/setters (#​14307)
Patch Changes
  • fix: always run if block code the first time (#​14597)

v5.8.1

Compare Source

Patch Changes
  • fix: reinstate missing prefersReducedMotion export (#​14586)

v5.8.0

Compare Source

Minor Changes
  • feat: add Spring and Tween classes to svelte/motion (#​11519)

v5.7.1

Compare Source

Patch Changes
  • fix: ensure bindings always take precedence over spreads (#​14575)

v5.7.0

Compare Source

Minor Changes

  • feat: add createSubscriber function for creating reactive values that depend on subscriptions (#​14422)

  • feat: add reactive MediaQuery class, and a prefersReducedMotion class instance (#​14422)

Patch Changes
  • fix: treat undefined and null the same for the initial input value (#​14562)

v5.6.2

Compare Source

Patch Changes
  • chore: make if blocks tree-shakable (#​14549)

v5.6.1

Compare Source

Patch Changes
  • fix: handle static form values in combination with default values (#​14555)

v5.6.0

Compare Source

Minor Changes
  • feat: support defaultValue/defaultChecked for inputs (#​14289)

v5.5.4

Compare Source

Patch Changes

  • fix: better error messages for invalid HTML trees (#​14445)

  • fix: remove spreaded event handlers when they become nullish (#​14546)

  • fix: respect the unidirectional nature of time (#​14541)

v5.5.3

Compare Source

Patch Changes

  • fix: don't try to add owners to non-$state class fields (#​14533)

  • fix: capture infinite_loop_guard in error boundary (#​14534)

  • fix: proxify values when assigning using ||=, &&= and ??= operators (#​14273)

v5.5.2

Compare Source

Patch Changes
  • fix: use correct reaction when lazily creating deriveds inside SvelteDate (#​14525)

v5.5.0

Compare Source

Minor Changes
  • feat: allow snippets to be exported from module scripts (#​14315)
Patch Changes
  • fix: ignore TypeScript generics on variables (#​14509)

v5.4.0

Compare Source

Minor Changes

v5.3.2

Compare Source

Patch Changes

  • fix: correctly prune CSS for elements inside snippets (#​14494)

  • fix: render attributes during SSR regardless of case (#​14492)

v5.3.1

Compare Source

Patch Changes

  • fix: treat spread elements the same as call expressions (#​14488)

  • fix: correctly increment/decrement bigints (#​14485)

v5.3.0

Compare Source

Minor Changes
  • feat: add error boundaries with <svelte:boundary> (#​14211)

v5.2.12

Compare Source

Patch Changes

  • fix: upgrade to esm-env 1.2.1 to fix issues with non-Vite setups (#​14470)

  • fix: prevent infinite loops when pruning CSS (#​14474)

  • fix: generate correct code when encountering object expression statement (#​14480)

v5.2.11

Compare Source

Patch Changes

  • fix: ignore text and expressions outside the template when validating HTML (#​14468)

  • fix: better account for render tags when pruning CSS (#​14456)

v5.2.10

Compare Source

Patch Changes

  • fix: correctly remove unused selectors in middle of selector lists (#​14448)

  • chore: upgrade esm-env for Vite 6 support (#​14460)

  • fix: strip exported TypeScript function overloads (#​14458)

v5.2.9

Compare Source

Patch Changes

  • fix: show :then block for null/undefined value (#​14440)

  • fix: relax html parent validation (#​14442)

  • fix: prevent memory leak when creating deriveds inside untrack (#​14443)

  • fix: disregard TypeScript nodes when pruning CSS (#​14446)

v5.2.8

Compare Source

Patch Changes

  • fix: correctly prune each blocks (#​14403)

  • fix: provide temporary LegacyComponentType (#​14257)

  • fix: attach spread attribute events synchronously (#​14387)

  • fix: ensure last empty text node correctly hydrates (#​14425)

  • fix: correctly prune key blocks (#​14403)

v5.2.7

Compare Source

Patch Changes
  • fix: always use set for private identifiers (#​14378)

v5.2.6

Compare Source

Patch Changes
  • fix: remove template expression inlining (#​14374)

v5.2.5

Compare Source

Patch Changes

  • fix: correctly handle srcObject attribute on video elements (#​14369)

  • add contentvisibilityautostatechange event to element definitions (#​14373)

  • fix: tighten up export default validation (#​14368)

  • fix: include method definitions in class private fields (#​14365)

v5.2.4

Compare Source

Patch Changes

  • fix: ensure internal cloning can work circular values (#​14347)

  • fix: correctly update dynamic member expressions (#​14359)

  • fix: ensure is_pure takes into account $effect.tracking() (#​14333)

  • fix: coerce value to number when hydrating range/number input with changed value (#​14349)

v5.2.3

Compare Source

Patch Changes
  • fix: ensure dynamic call expressions correctly generate output (#​14345)

v5.2.2

Compare Source

Patch Changes
  • fix: treat property accesses of literals as pure (#​14325)

v5.2.1

Compare Source

Patch Changes

  • fix: mark pseudo classes nested inside :not as used (#​14303)

  • fix: disallow invalid attributes for <svelte:window> and <svelte:document> (#​14228)

  • fix: ensure props passed to components via mount are updateable (#​14210)

  • fix: mark subtree dynamic for img with loading attribute (#​14317)

  • fix: avoid relying on Node specifics within compiler (#​14314)

v5.2.0

Compare Source

Minor Changes
  • feat: better inlining of static attributes (#​14269)

v5.1.17

Compare Source

Patch Changes

  • fix: account for :has(...) as part of :root (#​14229)

  • fix: prevent nested pseudo class from being marked as unused (#​14229)

  • fix: use strict equality for key block comparisons in runes mode (#​14285)

  • fix: bump is-reference dependency to fix import.meta bug (#​14286)

v5.1.16

Compare Source

Patch Changes

  • fix: don't wrap pseudo classes inside :global(...) with another :global(...) during migration (#​14267)

  • fix: bail on named slots with that have reserved keywords during migration (#​14278)

v5.1.15

Compare Source

Patch Changes
  • fix: consider static attributes that are inlined in the template (#​14249)

v5.1.14

Compare Source

Patch Changes

  • fix: migration script messing with attributes (#​14260)

  • fix: do not treat reassigned synthetic binds as state in runes mode (#​14236)

  • fix: account for mutations in script module in ownership check (#​14253)

  • fix: consider img with loading attribute not static (#​14237)

v5.1.13

Compare Source

Patch Changes

  • fix: add migration task when there's a variable named that would conflict with a rune (#​14216)

  • fix: consider valueOf in the reactive methods of SvelteDate (#​14227)

  • fix: handle sibling combinators within :has (#​14213)

  • fix: consider variables with synthetic store sub as state (#​14195)

  • fix: read index as a source in legacy keyed each block (#​14208)

  • fix: account for shadowing children slot during migration (#​14224)

  • fix: ensure explicit nesting selector is always applied (#​14193)

  • fix: add lang="ts" attribute during migration if needed (#​14222)

v5.1.12

Compare Source

Patch Changes

  • fix: ignore as type expressions on property definitions (#​14181)

  • fix: restore active reaction if then block throws (#​14191)

  • chore: adds legacy mode flag reducing bundle size in runes mode only apps (#​14180)

v5.1.11

Compare Source

Patch Changes

  • fix: error on TypeScript's readonly modifier (#​14153)

  • fix: remove scoping for :not selectors (#​14177)

v5.1.10

Compare Source

Patch Changes

  • fix: ensure non-matching elements are scoped for :not(...) selector (#​13999)

  • fix: ensure video elements autoplay in safari (#​14095)

  • fix: ensure trailing multiline comments on props produce correct code (#​14143#issuecomment-2455702689) (#​14143)

  • fix: correctly infer <a> tag namespace (#​14134)

  • fix: check options namespace for top level svelte:elements (#​14101)

  • fix: ensure migrate keeps inline/trailing comments in $props type definition (#​14143)

  • fix: update links in JSDoc (#​14165)

  • fix: ensure SvelteMap and SvelteSet work with generators in dev (#​14103)

  • fix: only output the key for each_key_duplicate (#​14147)

  • fix: prevent migrated snippet from shadow snippet prop (#​14127)

  • fix: pass along anchor in legacy class wrappers (#​14100)

  • fix: recognize all custom element prop definitions (#​14084)

  • fix: migrate multiple declarations with only some exported correctly (#​14126)

v5.1.9

Compare Source

Patch Changes
  • fix: ensure transitions are applied to nested elements (#​14080)

v5.1.8

Compare Source

Patch Changes
  • fix: ensure compiler statements are correctly included (#​14074)

v5.1.7

Compare Source

Patch Changes

  • fix: ensure each block inert items are disposed of if the each block is also inert (#​13930)

  • fix: allow warningFilter option for compileModule (#​14066)

  • fix: ensure onMount correctly fires when new expressions are used (#​14049)

  • fix: wrap :id, :where``:not and :has with :global during migration (#​13850)

  • fix: ensure custom element attribute/prop changes are in their own context (#​14016)

v5.1.6

Compare Source

Patch Changes
  • fix: ensure child effects are destroyed before their deriveds (#​14043)

v5.1.5

Compare Source

Patch Changes

  • fix: replace typo in compiler error messages (#​14044)

  • fix: preserve the separator between selectors when an unused selector is in between (#​13954)

  • fix: more robust re-subscribe detection for fromStore (#​13995)

  • fix: allow to pass in TS preference to migration (#​13929)

  • fix: extend derived/state validation error to indirect exports (#​14039)

  • fix: minify inject CSS in prod mode (#​14006)

  • fix: ensure toStore subscription correctly syncs latest value (#​14015)

  • fix: don't access requestAnimationFrame until needed to reduce need for mocks during testing (#​14040)

  • fix: ensure element effects are executed in the correct order (#​14038)

  • fix: make compiler error extend from Error (#​14036)

v5.1.4

Compare Source

Patch Changes

  • fix: add empty stack to CompileDiagnostic to show error on build (#​13942)

  • fix: ensure effect_tracking correctly handles tracking reactions (#​14005)

  • fix: update broken links (#​13944)

  • fix: more exhaustive check during SvelteMap.set in deriveds (#​13951)

  • fix: trim whitespace while migrating blocks (#​13941)

  • fix: update links that previously pointed to preview site (#​14001)

  • fix: properly migrate imports types prefixed with $ (#​14007)

v5.1.3

Compare Source

Patch Changes

  • fix: rethrow errors from await block if no catch block exists (#​13819)

  • fix: ensure SVG element attributes have case preserved (#​13935)

  • fix: ensure bind:group works as intended with proxied state objects (#​13939)

  • fix: ensure value is correctly set to zero on the progress element (#​13924)

  • fix: skip comment nodes in snippet validation logic (#​13936)

  • fix: typo in Action types (#​13874)

  • fix: remove metadata from legacy AST (#​13927)

v5.1.2

Compare Source

Patch Changes

  • fix: improve consistency of transitions (#​13895)

  • fix: enable bound store props in runes mode components (#​13887)

  • fix: ensure each block references to imports are handled correctly (#​13892)

  • fix: ensure SvelteMap reactivity persists through deriveds (#​13877)

  • fix: ensure snippets after empty text correctly hydrate (#​13870)

  • fix: prevent migration script from adding props. to the export let identifier (#​13899)

  • fix: prevent var name clashing for delegated events without params (#​13896)

v5.1.1

Compare Source

Patch Changes

  • fix: internally wrap store subscribe in untrack (#​13858)

  • fix: allow binding to const with spread in legacy mode (#​13849)

  • fix: ensure props internally untracks current_value on sets (#​13859)

  • fix: properly traverse children when checking matches for :has (#​13866)

v5.1.0

Compare Source

Minor Changes

  • feat: export mount() options as the MountOptions type (#​13674)

  • feat: allow usage of getContext() within $derived runes (#​13830)

Patch Changes

  • fix: properly migrate ts with inferred type comments (#​13761)

  • fix: correct property name conversion in custom transitions (#​13820)

  • fix: ensure $effect.tracking returns false inside transition functions (#​13775)

  • fix: migrate default slots to children snippet (#​13760)

  • fix: don't print errors on migration errors (#​13754)

  • fix: prevent spread attribute from overriding class directive (#​13763)

  • fix: ensure :has selectors followed by other selectors match (#​13824)

  • fix: ensure muted DOM property works correctly in FF (#​13751)

  • fix: show filename information in legacy_recursive_reactive_block (#​13764)

v5.0.5

Compare Source

Patch Changes

  • fix: mark :has selectors with multiple preceding selectors as used (#​13750)

  • fix: ensure event context is reset before invoking callback (#​13737)

  • fix: add more robust check for Element prototype (#​13744)

  • fix: do not comment out unused selectors that are inside an unused selector (#​13746)

  • fix: more accurately detect $derived migration opportunities (#​13740)

  • fix: @​debug does not work with proxied-state (#​13690)

  • fix: do not add jsdoc if no types found (#​13738)

v5.0.4

Compare Source

Patch Changes

  • fix: webview preload tag can be any string (#​13733)

  • fix: better children snippet / default slot interop (#​13734)

v5.0.3

Compare Source

Patch Changes
  • chore: ensure transition events are dispatched without current reaction (#​13719)

v5.0.2

Compare Source

Patch Changes
  • fix: don't blank css on migration error (#​13703)

v5.0.1

Compare Source

Patch Changes
  • fix: use typedef for JSDoc props and maintain comments (#​13698)

v5.0.0

Compare Source

A new major version of Svelte has been released! 🎉

The new version brings:

  • even better performance,
  • a more granular reactivity system with runes,
  • more expressive template syntax with snippets and event attributes,
  • native TypeScript support,
  • and backwards compatibility with the previous syntax!

For more details check out the Svelte docs and the migration guide.

v4.2.19

Compare Source

Patch Changes

  • fix: ensure typings for <svelte:options> are picked up (#​12902)

  • fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

v4.2.17

Compare Source

Patch Changes
  • fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes
  • fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes
  • support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes
  • fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes
  • fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes
  • fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes
  • fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

  • fix: add scrollend event type (#​10336)

  • fix: add fetchpriority attribute type (#​10390)

  • fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

  • fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes

  • fix: add types for popover attributes and events (#​10042)

  • fix: add gamepadconnected and gamepaddisconnected events (#​9864)

  • fix: make @types/estree a dependency (#​10149)

  • fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes
  • fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes
  • fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes
  • fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes
  • fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes
  • fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes

  • fix: improve a11y-click-events-have-key-events message (#​9358)

  • fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes

  • fix: support camelCase properties on custom elements (#​9328)

  • fix: add missing plaintext-only value to contenteditable type (#​9242)

  • chore: upgrade magic-string to 0.30.4 (#​9292)

  • fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes

  • fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

  • fix: css sourcemap generation with unicode filenames (#​9120)

  • fix: do not add module declared variables as dependencies (#​9122)

  • fix: handle svelte:element with dynamic this and spread attributes (#​9112)

  • fix: silence false positive reactive component warning (#​9094)

  • fix: head duplication when binding is present (#​9124)

  • fix: take custom attribute name into account when reflecting property (#​9140)

  • fix: add indeterminate to the list of HTMLAttributes (#​9180)

  • fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes
  • feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes

  • fix: allow child element with slot attribute within svelte:element (#​9038)

  • fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes
  • fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes
  • feat: add ability to extend custom element class (#​8991)
Patch Changes

  • fix: ensure svelte:component evaluates props once (#​8946)

  • fix: remove let:variable slot bindings from select binding dependencies (#​8969)

  • fix: handle destructured primitive literals (#​8871)

  • perf: optimize imports that are not mutated or reassigned (#​8948)

  • fix: don't add accessor twice (#​8996)

v4.0.5

Compare Source

Patch Changes
  • fix: generate type definition with nullable types (#​8924)

v4.0.4

Compare Source

Patch Changes

  • fix: claim svg tags in raw mustache tags correctly (#​8910)

  • fix: repair invalid raw html content during hydration (#​8912)

v4.0.3

Compare Source

Patch Changes
  • fix: handle falsy srcset values (#​8901)

v4.0.2

Compare Source

Patch Changes

  • fix: reflect all custom element prop updates back to attribute (#​8898)

  • fix: shrink custom element baseline a bit (#​8858)

  • fix: use non-destructive hydration for all @html tags (#​8880)

  • fix: align disclose-version exports specification (#​8874)

  • fix: check srcset when hydrating to prevent needless requests (#​8868)

v4.0.1

Compare Source

Patch Changes

  • fix: ensure identifiers in destructuring contexts don't clash with existing ones (#​8840)

  • fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#​8872)

  • fix: apply transition to <svelte:element> with local transition (#​8865)

  • fix: relax a11y "no redundant role" rule for li, ul, ol (#​8867)

  • fix: remove tsconfig.json from published package (#​8859)

v4.0.0

Compare Source

Major Changes
  • breaking: Minimum supported Node version is now Node 16 ([#​8566](https

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel Vercel
Copy link

vercel bot commented Aug 30, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
overlastic ❌ Failed (Inspect) Dec 17, 2024 7:33pm

@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 3730ea5 to 6f01dc7 Compare October 9, 2024 09:42
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 6f01dc7 to a7eca82 Compare October 9, 2024 12:50
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from a7eca82 to 20bbe4a Compare October 28, 2024 14:08
@renovate renovate bot changed the title chore(deps): update dependency svelte to v4 [security] chore(deps): update dependency svelte [security] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 20bbe4a to 4b08fa6 Compare October 28, 2024 15:34
@renovate renovate bot changed the title chore(deps): update dependency svelte [security] chore(deps): update dependency svelte to v4 [security] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 4b08fa6 to 7fdf2d3 Compare December 2, 2024 08:35
@renovate renovate bot changed the title chore(deps): update dependency svelte to v4 [security] chore(deps): update dependency svelte [security] Dec 2, 2024
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 7fdf2d3 to 216d1db Compare December 2, 2024 10:51
@renovate renovate bot changed the title chore(deps): update dependency svelte [security] chore(deps): update dependency svelte to v4 [security] Dec 2, 2024
@renovate renovate bot changed the title chore(deps): update dependency svelte to v4 [security] fix(deps): update dependency svelte to v4 [security] Dec 11, 2024
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 216d1db to f9043b0 Compare December 17, 2024 19:33
@renovate renovate bot changed the title fix(deps): update dependency svelte to v4 [security] fix(deps): update dependency svelte [security] Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants