Skip to content

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#1100

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-sveltejs-kit-vulnerability
Open

chore(deps): update dependency @sveltejs/kit to v2.60.1 [security]#1100
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-sveltejs-kit-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@sveltejs/kit (source) 2.59.12.60.1 age confidence

@​sveltejs/kit: query.batch cross-talk

GHSA-hgv7-v322-mmgr

More information

Details

query.batch() could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.60.1

Compare Source

Patch Changes
  • chore: bump svelte and devalue (#​15836)

  • fix: prevent query.batch cross-talk (dadaefc)

v2.60.0

Compare Source

Minor Changes
  • feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#​15802)

  • feat: warn on unread form remote function validation issues (#​15653)

Patch Changes
  • fix: abort navigation after async rendering if obsolete (#​15811)

  • fix: skip refreshing queries on full-page reload form submissions (#​15803)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-sveltejs-kit-vulnerability branch April 27, 2026 17:51
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] - autoclosed chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 3 times, most recently from 41ebbd7 to 95cddce Compare April 29, 2026 15:34
@renovate renovate Bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 95cddce to 0fb2dc7 Compare June 8, 2026 03:43
@renovate renovate Bot changed the title chore(deps): update dependency @sveltejs/kit to v2.57.1 [security] chore(deps): update dependency @sveltejs/kit to v2.60.1 [security] Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

0 participants