🚨 [security] [app] Update @sveltejs/kit 2.5.6 → 2.8.3 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​sveltejs/kit (2.5.6 → 2.8.3)

Security Advisories 🚨

🚨 @sveltejs/kit has unescaped error message included on error page

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

🚨 @sveltejs/kit vulnerable to on dev mode 404 page

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.

Sorry, we couldn't find anything useful about this release.

↗️ devalue (indirect, 4.3.2 → 5.1.1) · Repo · Changelog

Release Notes

5.1.1 (from changelog)

• Only iterate over own properties of reducers (#80)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• -> v5.1.1
• Merge pull request #80 from danielroe/fix/proto
• add test
• fix: guard null/empty reducers
• Merge remote-tracking branch 'upstream/main' into fix/proto
• -> v5.1.0
• Merge pull request #69 from LorisSigrist/master
• Merge branch 'main' into pr/69
• Merge pull request #82 from Rich-Harris/better-key-stringification
• Merge pull request #81 from GauBen/patch-1
• better key stringification
• chore: marked package as free of side-effects
• fix: do not iterate over prototype properties of reduers
• -> v5.0.0
• Merge pull request #78 from Rich-Harris/ignore-non-enumerable-symbols
• -> v4.3.3
• -> v4.3.3
• ignore non-enumerable symbols
• Merge pull request #60 from ivanhofer/typo
• Merge pull request #61 from ivanhofer/invalid-date
• Merge branch 'master' into pr/61
• tweak
• Merge pull request #64 from gtm-nayan/error-path-post-map
• Merge branch 'master' into pr/64
• add test
• Merge pull request #77 from Rich-Harris/node-20
• add node 18/20 to test matrix, fix bad error in node 20
• remove playground file
• Mention TypedArrays in the features
• Add support for ArrayBuffers and TypedArrays

↗️ import-meta-resolve (indirect, 4.0.0 → 4.1.0) · Repo

Release Notes

4.1.0

Misc

• d363b81 Refactor to hide deprecation warning
• dbb53a5 Backport changes from Node
• 66b952b Refactor tests to not assume name of project folder
  by @kapouer in #25

Full Changelog: 4.0.0...4.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• 4.1.0
• Fix Actions
• Update Actions
• Refactor to hide deprecation warning
• Backport changes from Node
• Update dev-dependencies
• Refactor tests to not assume name of project folder
• Fix tests for newest Node
• Update dev-dependencies

↗️ sirv (indirect, 2.0.4 → 3.0.0) · Repo

Release Notes

3.0.0

Breaking

• Now requires Node 18+ : c7d2479,
• Added exports map for native ESM support: c7d2479

Features

• Added node: prefix for explicit native imports, which unlocks Deno support (#163): 912af6f
  Thank you @karimfromjordan

Patches

• Add separate CJS and ESM definitions: 982fcc8
  Previously CJS types were wrong/incompatible.

Chores

• (sirv-cli) Upgrade get-port to 5.1.1 for TS definitions: e5e0826
• Write tests in native ESM: 2f36733
• (CI): Add Node 20 to matrix: 9ca1cbc

---

Full Changelog: v2.0.4...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• v3.0.0
• chore: native ESM tests
• chore(sirv-cli): bump `get-port` version
• fix(sirv): separate ESM vs CJS type definitions
• fix: add `node:` prefix (#163)
• chore(ci): add Node 20 to matrix
• break: require Node 18+
• chore(ci): pnpm -> bun

🗑️ @​sveltejs/vite-plugin-svelte (removed)

🗑️ @​sveltejs/vite-plugin-svelte-inspector (removed)

🗑️ deepmerge (removed)

🗑️ svelte-hmr (removed)

🗑️ vitefu (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)