chore(deps): update dependency @sveltejs/kit to v2.60.1 [security] #101
Merged
This PR contains the following updates:
2.57.1 → 2.60.1
@sveltejs/kit: query.batch cross-talk
GHSA-hgv7-v322-mmgr
More information
Details
query.batch() could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under a single request context, enabling cross-user data disclosure.
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
sveltejs/kit (@sveltejs/kit)
v2.60.1
Compare Source
Patch Changes
chore: bump svelte and devalue (#15836)
fix: prevent query.batch cross-talk (dadaefc)
v2.60.0
Compare Source
Minor Changes
feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)
feat: warn on unread form remote function validation issues (#15653)
Patch Changes
fix: abort navigation after async rendering if obsolete (#15811)
fix: skip refreshing queries on full-page reload form submissions (#15803)
v2.59.1
Compare Source
Patch Changes
v2.59.0
Compare Source
Minor Changes
feat: support query.batch in requested(...) (#15751)
breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)
feat: experimental query.live function (#15705)
Patch Changes
fix: unwrap Promise in RemoteCommand output type (#15771)
fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)
fix: form.fields.foo.as('checkbox', default_value) now works (#15752)
fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#15753)
fix: make sure queries always get started correctly (#15705)
fix: allow plain functions as overrides in updates (#15705)
v2.58.0
Compare Source
Minor Changes
breaking: require limit in requested (as originally intended) (#15739)
feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#15739)
breaking: requested now yields { arg, query } entries instead of the validated argument (#15739)
Patch Changes
fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#15699)
fix: prevent deep_set crash on nullish nested values (#15600)
fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#15723)
fix: don't warn about removed SSI comments in transformPageChunk (#15695)
Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.
Change enhance function return type from void to MaybePromise. (#15710)
fix: throw an error when resolve is called with an external URL (#15733)
fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#15718)
fix: reset form result on redirect (#15724)
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.