
chore(deps): update dependency @sveltejs/kit to v2.49.5 [security] #362

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-sveltejs-kit-vulnerability
@renovate renovate bot commented Jan 15, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| @sveltejs/kit (source) | 2.47.1 → 2.49.5 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-67647

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

  • your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

  • your app has at least one prerendered route (export const prerender = true)
  • AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.49.5

Compare Source

Patch Changes
  • fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

  • fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

  • fix: add length checks to remote forms (8ed8155)

v2.49.4

Compare Source

Patch Changes
  • fix: support instrumentation for vite preview (#​15105)

  • fix: support for URLSearchParams.has(name, value) overload (#​15076)

  • fix: put forking behind experimental.forkPreloads (#​15135)

v2.49.3

Compare Source

Patch Changes
  • fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#​15121)

  • fix: add typescript as an optional peer dependency (#​15074)

  • fix: use hasOwn check when deep-setting object properties (#​15127)

v2.49.2

Compare Source

Patch Changes
  • fix: Stop re-loading already-loaded CSS during server-side route resolution (#​15014)

  • fix: posixify the instrumentation file import on Windows (#​14993)

  • fix: Correctly handle shared memory when decoding binary form data (#​15028)

v2.49.1

Compare Source

Patch Changes
  • fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#​15013)

  • fix: TypeError when doing response.clone() in page load (#​15005)

v2.49.0

Compare Source

Minor Changes
  • feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#​14775)

v2.48.8

Compare Source

Patch Changes
  • breaking: invalid now must be imported from @sveltejs/kit (#​14768)

  • breaking: remove submitter option from experimental form validate() method, always provide default submitter (#​14762)

v2.48.7

Compare Source

Patch Changes
  • fix: allow multiple server-timing headers (#​14700)

  • fix: allow access to root-level issues in schema-less forms (#​14893)

  • fix: allow hosting hash-based apps from non-index.html files (#​14825)

v2.48.6

Compare Source

Patch Changes
  • fix: clear issues upon passing validation (#​14683)

  • fix: don't use fork of unrelated route (#​14947)

  • fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#​14949)

  • fix: preserve this when invoking standard validator (#​14943)

  • fix: treat client/universal hooks as entrypoints for illegal server import detection (#​14876)

  • fix: correct query .set and .refresh behavior in commands (#​14877)

  • fix: improved the accuracy of the types of the output of field.as('...') (#​14908)

v2.48.5

Compare Source

Patch Changes
  • fix: wait an extra microtask in dev before calling $_init_$ (#​14799)

  • fix: discard preload fork before creating a new one (#​14865)

  • fix: delete RemoteFormAllIssue, add path to RemoteFormIssue (#​14864)

v2.48.4

Compare Source

Patch Changes
  • fix: adjust query's promise implementation to properly allow chaining (#​14859)

  • fix: make prerender cache work, including in development (#​14860)

v2.48.3

Compare Source

Patch Changes
  • fix: include hash when using resolve with hash routing enabled (#​14786)

  • fix: afterNavigate callback not running after hydration when experimental async is enabled (#​14644)
    fix: Snapshot restore method not called after reload when experimental async is enabled

  • fix: expose issue.path in .allIssues() (#​14784)

v2.48.2

Compare Source

Patch Changes
  • fix: update DOM before running navigate callbacks (#​14829)

v2.48.1

Compare Source

Patch Changes
  • fix: wait for commit promise instead of settled (#​14818)

v2.48.0

Compare Source

Minor Changes
  • feat: use experimental fork API when available (#14793)

Patch Changes
  • fix: await for settled instead of tick in navigate (#​14800)

v2.47.3

Compare Source

Patch Changes
  • fix: avoid hanging when error() is used while streaming promises from a server load function (#​14722)

  • chore: treeshake load function code if we know it's unused (#​14764)

  • fix: RecursiveFormFields type for recursive or unknown schemas (#​14734)

  • fix: rework internal representation of form value to be $state (#​14771)

v2.47.2

Compare Source

Patch Changes
  • fix: streamed promise not resolving when another load function returns a fast resolving promise (#​14753)

  • chore: allow to run preflight validation only (#​14744)

  • fix: update overload to set invalid type to schema input (#​14748)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
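
The exposure conditions listed under Details, written out as a triage check (an added example, not part of the Renovate comment or the SvelteKit project's code). The `app` object shape and the helper names are hypothetical, and it assumes 2.49.5, the version this PR updates to, is the first fixed release.

```javascript
// ASSUMPTION: 2.49.5 (the version this PR updates to) is the first fixed release;
// the advisory text on this page states only the lower bounds.
const FIXED = '2.49.5';

// Parse "2.49.5" or "v2.49.5" into [major, minor, patch]; throws on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison (so 2.9.0 < 2.19.0): negative, zero or positive.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// True when `from` <= v < FIXED.
const inRange = (v, from) =>
  compareVersions(v, from) >= 0 && compareVersions(v, FIXED) < 0;

// `app` is a hypothetical description of one deployment:
//   kitVersion         installed @sveltejs/kit version
//   hasPrerender       at least one route sets `export const prerender = true`
//   adapter            adapter package name, e.g. '@sveltejs/adapter-node'
//   env                environment of the running server (checked for ORIGIN)
//   proxyValidatesHost a reverse proxy in front validates the Host header
function assessExposure(app) {
  if (!app.hasPrerender) return []; // both cases require a prerendered route
  const exposures = new Set();
  const hostUnpinned =
    app.adapter === '@sveltejs/adapter-node' &&
    !(app.env && app.env.ORIGIN) &&
    !app.proxyValidatesHost;
  if (inRange(app.kitVersion, '2.44.0')) exposures.add('dos');
  if (inRange(app.kitVersion, '2.19.0') && hostUnpinned) {
    exposures.add('dos');
    exposures.add('ssrf');
  }
  return [...exposures].sort();
}
```

An empty result means none of the listed conditions apply to that deployment; `['dos']` alone is the case where only the prerendered-route condition on 2.44.0 and later is met.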

@renovate renovate bot added the internal label Jan 15, 2026
netlify bot commented Jan 15, 2026

Deploy Preview for sheepdog ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | cdbcd95 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/sheepdog/deploys/698e06d0d2dbac0008c220c5 |
| 😎 Deploy Preview | https://deploy-preview-362--sheepdog.netlify.app |
To edit notification comments on pull requests, go to your Netlify project configuration.

pkg-pr-new bot commented Jan 15, 2026

npm i https://pkg.pr.new/@sheepdog/core@362
npm i https://pkg.pr.new/@sheepdog/svelte@362
npm i https://pkg.pr.new/@sheepdog/vanilla@362

commit: cdbcd95

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 9861d82 to 620084f Compare January 19, 2026 15:50
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 620084f to cdbcd95 Compare February 12, 2026 16:58