chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed #286

Closed
renovate[bot] wants to merge 1 commit into main from renovate/npm-svelte-vulnerability
@renovate renovate bot commented Feb 28, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| svelte (source) | 5.51.5 → 5.53.5 | age | confidence |

GitHub Vulnerability Alerts

CVE-2026-27901

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.


Release Notes

sveltejs/svelte (svelte)

v5.53.5

Compare Source

Patch Changes

v5.53.4

Compare Source

Patch Changes
  • fix: set server context after async transformError (#17799)

  • fix: hydrate if blocks correctly (#17784)

  • fix: handle default parameters scope leaks (#17788)

  • fix: prevent flushed effects from running again (#17787)

v5.53.3

Compare Source

Patch Changes
  • fix: render :catch of #await block with correct key (#17769)

  • chore: pin aria-query@5.3.1 (#17772)

  • fix: make string coercion consistent to toString (#17774)

v5.53.2

Compare Source

Patch Changes
  • fix: update expressions on server deriveds (#17767)

  • fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

v5.53.1

Compare Source

Patch Changes
  • fix: handle shadowed function names correctly (#17753)

v5.53.0

Compare Source

Minor Changes
  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes
  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

v5.52.0

Compare Source

Minor Changes
  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes
  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
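
One way to find the bindings named in the advisory above while a project is still below 5.53.5, as an added example that is not part of this PR or of Svelte's own code: a heuristic Node.js scan of component source for `bind:innerText` and `bind:textContent`. The names `findRiskyBindings`, `tagEnd` and `SAMPLE` are hypothetical, and the sample component is constructed.

```javascript
// Added example (not Svelte or Renovate code): heuristic scan of Svelte
// component source for the two bindings named in the advisory.
const RISKY = /\bbind:(innerText|textContent)\b/g;

// Index just past the '>' that closes the tag starting at `start`,
// ignoring '>' inside quoted values or {expressions}.
function tagEnd(src, start) {
  let depth = 0;
  let quote = null;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === '{') depth++;
    else if (c === '}') depth--;
    else if (c === '>' && depth === 0) return i + 1;
  }
  return src.length;
}

// Returns one finding per risky binding: 1-based line, element name, binding.
function findRiskyBindings(src) {
  const findings = [];
  const open = /<[A-Za-z][\w:.-]*/g; // start of an opening tag
  let m;
  while ((m = open.exec(src)) !== null) {
    const end = tagEnd(src, m.index);
    const tag = src.slice(m.index, end);
    for (const b of tag.matchAll(RISKY)) {
      const line = src.slice(0, m.index + b.index).split('\n').length;
      findings.push({ line, element: m[0].slice(1), binding: b[1] });
    }
    open.lastIndex = end; // resume after this tag
  }
  return findings;
}

// Constructed sample component, not taken from any real project.
const SAMPLE = [
  '<script>', '  let { bio, note } = $props();', '</script>',
  '<div contenteditable bind:innerText={bio}></div>',
  '<p', '  contenteditable="true"', '  title={a > b ? "x" : "y"}',
  '  bind:textContent={note}', '></p>',
  '<span>{bio}</span>',
].join('\n');

for (const f of findRiskyBindings(SAMPLE)) {
  console.log(`line ${f.line}: <${f.element}> uses bind:${f.binding}`);
}
```

Each hit is a place to check whether the bound value can carry untrusted data and whether the component is rendered on the server, which is the condition the advisory describes.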

nx-cloud bot commented Feb 28, 2026

View your CI Pipeline Execution ↗ for commit 30c7fe2

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected --targets=test:sherif,test:knip,tes... | ✅ Succeeded | 2m 2s | View ↗ |
| nx run-many --target=build --exclude=examples/** | ✅ Succeeded | 17s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-02-28 21:27:34 UTC

renovate bot changed the title from "chore(deps): update dependency svelte to v5.53.5 [security]" to "chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed" on Mar 1, 2026
renovate bot closed this Mar 1, 2026
renovate bot deleted the renovate/npm-svelte-vulnerability branch March 1, 2026 07:39