fix(deps): update dependency svelte to v5.55.7 [security] #272

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-svelte-vulnerability

Conversation

@renovate renovate Bot commented May 14, 2026

This PR contains the following updates:

Package          Change
svelte (source)  5.55.5 -> 5.55.7

Svelte: ReDoS in <svelte:element> Tag Validation

CVE-2026-42567 / GHSA-9rmh-mm8f-r9h6

Details

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte: SSR XSS via Insecure Promise Serialization in hydratable

GHSA-f3cj-j4f6-wq85

Details

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:

  • you are using hydratable (an experimental feature at the time of this report)
  • you are passing attacker-controlled input such that a synchronous value is hydrated, then a promise value, e.g. hydratable('someKey', () => [synchronousValue, promiseValue])

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte SSR vulnerable to cross-site scripting via spread attributes

CVE-2026-42599 / GHSA-pr6f-5x2q-rwfp

Details

When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires.

This is similar to but different from CVE-2026-27121.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State

CVE-2026-42573 / GHSA-rcqx-6q8c-2c42

Details

Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.

You are vulnerable if all of the following is true:

  • you are using attribute spreading on a form element
  • you are using attribute spreading or allow a dynamic value for the name attribute on an input or button element within that form
  • both of these are simultaneously user-controllable

<form {...spread1}>
  <input {...spread2}>
</form>

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/svelte (svelte)

v5.55.7

Patch Changes

v5.55.6

Patch Changes

  • fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)
  • fix: keep dependencies of $state.eager/pending (#18218)
  • fix: reapply context after transforming error during SSR (#18099)
  • fix: don't rebase just-created batches (#18117)
  • chore: allow null for pending in typings (#18201)
  • fix: flush eager effects in production (#18107)
  • fix: rethrow error of failed iterable after calling return() (#18169)
  • fix: account for proxified instance when updating bind:this (#18147)
  • fix: ensure scheduled batch is flushed if not obsolete (#18131)
  • fix: resolve stale deriveds with latest value (#18167)
  • chore: remove unnecessary increment_pending calls (#18183)
  • fix: correctly compile component member expressions for SSR (#18192)
  • fix: reset source.updated stack traces after flush (#18196)
  • fix: replacing async 'blocking' strategy with 'merging' (#18205)
  • fix: allow @debug tags to reference awaited variables (#18138)
  • fix: re-run fallback props if dependencies update (#18146)
  • fix: abort running obsolete async branches (#18118)
  • fix: ignore comments when reading CSS values (#18153)
  • fix: wrap Promise.all in save during SSR (#18178)
  • fix: ignore false-positive errors of $inspect dependencies (#18106)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
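As an added defensive example (not code from the Svelte project or from this PR), the following JavaScript shows the input-side mitigations the advisories above point to: constraining the dynamic tag passed to <svelte:element> to a predetermined allowlist with a length bound, and stripping event-handler keys and the name attribute from untrusted data before it is spread as element attributes. ALLOWED_TAGS, MAX_TAG_LENGTH, safeTag and safeSpread are hypothetical helper names, and the sample input is constructed.

```javascript
// Added example (not Svelte or PR code): hardening untrusted values before they
// reach <svelte:element this={tag}> or an attribute spread {...attrs}.
// ALLOWED_TAGS, MAX_TAG_LENGTH, safeTag and safeSpread are hypothetical names.

// Predetermined set of tag names the application is willing to render dynamically.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'section', 'article', 'a', 'strong', 'em']);
// Hard cap on input length; the ReDoS advisory only applies to tags of unconstrained length.
const MAX_TAG_LENGTH = 16;

// Map untrusted input to an allowlisted tag, falling back to a harmless default.
// The length check runs before any other processing so oversized input is never inspected.
function safeTag(input, fallback = 'span') {
  if (typeof input !== 'string' || input.length > MAX_TAG_LENGTH) return fallback;
  const tag = input.toLowerCase();
  return ALLOWED_TAGS.has(tag) ? tag : fallback;
}

// Filter an untrusted attribute object before spreading it onto an element:
//  - drop every on* key, so no event handler from external data reaches the SSR output;
//  - drop `name` unless the caller explicitly allows it, since a user-chosen name on a
//    control inside a spread form is the DOM-clobbering precondition described above;
//  - keep only primitive values, since objects and functions are never valid attribute
//    content coming from an external source.
function safeSpread(attrs, { allowName = false } = {}) {
  const out = {};
  if (attrs === null || typeof attrs !== 'object') return out;
  for (const [key, value] of Object.entries(attrs)) {
    const k = key.toLowerCase();
    if (k.startsWith('on')) continue;
    if (k === 'name' && !allowName) continue;
    if (!['string', 'number', 'boolean'].includes(typeof value)) continue;
    out[key] = value;
  }
  return out;
}

// Constructed sample mirroring the trigger conditions in the advisories.
const untrustedSpread = { class: 'card', onclick: 'alert(1)', name: 'submit', style: { color: 'red' } };
console.log(safeTag('DIV'), safeTag('a'.repeat(5000)), safeSpread(untrustedSpread));
```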

renovate Bot commented May 14, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: bun.lock
Command failed: bun install --ignore-scripts
Resolving dependencies
Resolved, downloaded and extracted [2]
error: No version matching "svelte" found for specifier "5.55.7" (blocked by minimum-release-age: 259200 seconds)
error: svelte@5.55.7 failed to resolve

cloudflare-workers-and-pages Bot commented May 14, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status                Name             Latest Commit  Updated (UTC)
❌ Deployment failed  papermc-website  587eee9        May 15 2026, 01:09 PM

renovate Bot force-pushed the renovate/npm-svelte-vulnerability branch from 13cc656 to 587eee9 on May 15, 2026 13:08