Update dependency svelte to v4 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	^3.9.2 -> ^4.0.0
svelte (source)	^3.44.0 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

---

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

• fix: ensure typings for <svelte:options> are picked up (#​12902)

• fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

• chore: speed up regex (#​11922)

v4.2.17

Compare Source

Patch Changes

• fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes

• fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes

• support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes

• fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes

• fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes

• fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes

• fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

• fix: add scrollend event type (#​10336)

• fix: add fetchpriority attribute type (#​10390)

• fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

• fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes

• fix: add types for popover attributes and events (#​10042)

• fix: add gamepadconnected and gamepaddisconnected events (#​9864)

• fix: make @types/estree a dependency (#​10149)

• fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes

• fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes

• fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes

• fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes

• fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes

• fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes

• fix: improve a11y-click-events-have-key-events message (#​9358)

• fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes

• fix: support camelCase properties on custom elements (#​9328)

• fix: add missing plaintext-only value to contenteditable type (#​9242)

• chore: upgrade magic-string to 0.30.4 (#​9292)

• fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes

• fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

• fix: css sourcemap generation with unicode filenames (#​9120)

• fix: do not add module declared variables as dependencies (#​9122)

• fix: handle svelte:element with dynamic this and spread attributes (#​9112)

• fix: silence false positive reactive component warning (#​9094)

• fix: head duplication when binding is present (#​9124)

• fix: take custom attribute name into account when reflecting property (#​9140)

• fix: add indeterminate to the list of HTMLAttributes (#​9180)

• fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes

• feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes

• fix: allow child element with slot attribute within svelte:element (#​9038)

• fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes

• fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes

• feat: add ability to extend custom element class (#​8991)

Patch Changes

• fix: ensure svelte:component evaluates props once (#​8946)

• fix: remove let:variable slot bindings from select binding dependencies (#​8969)

• fix: handle destructured primitive literals (#​8871)

• perf: optimize imports that are not mutated or reassigned (#​8948)

• fix: don't add accessor twice (#​8996)

v4.0.5

Compare Source

Patch Changes

• fix: generate type definition with nullable types (#​8924)

v4.0.4

Compare Source

Patch Changes

• fix: claim svg tags in raw mustache tags correctly (#​8910)

• fix: repair invalid raw html content during hydration (#​8912)

v4.0.3

Compare Source

Patch Changes

• fix: handle falsy srcset values (#​8901)

v4.0.2

Compare Source

Patch Changes

• fix: reflect all custom element prop updates back to attribute (#​8898)

• fix: shrink custom element baseline a bit (#​8858)

• fix: use non-destructive hydration for all @html tags (#​8880)

• fix: align disclose-version exports specification (#​8874)

• fix: check srcset when hydrating to prevent needless requests (#​8868)

v4.0.1

Compare Source

Patch Changes

• fix: ensure identifiers in destructuring contexts don't clash with existing ones (#​8840)

• fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#​8872)

• fix: apply transition to <svelte:element> with local transition (#​8865)

• fix: relax a11y "no redundant role" rule for li, ul, ol (#​8867)

• fix: remove tsconfig.json from published package (#​8859)

v4.0.0

Compare Source

Major Changes

• breaking: Minimum supported Node version is now Node 16 (#​8566)

• breaking: Minimum supported webpack version is now webpack 5 (#​8515)

• breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#​8516)

• breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#​8516)

• breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)

• breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)

• breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#​8488)

• breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#​8613)

• breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#​7224)

• breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#​7442)

• breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
  (see PR for migration instructions) (#​8136)

• breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) ([#​8457](https://github.
  com/feat: custom elements rework sveltejs/svelte#8457))

• breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#​8512)

• breaking: Make transitions local by default to prevent confusion around page navigations (#​6686)

• breaking: Error on falsy values instead of stores passed to derived (#​7947)

• breaking: Custom store implementers now need to pass an update function additionally to the set function ([#​6750](https://github.com/sveltejs/svelte/pull/
  6750))

• breaking: Do not expose default slot bindings to named slots and vice versa (#​6049)

• breaking: Change order in which preprocessors are applied (#​8618)

• breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers ([#​8629](https://github.com/sveltejs/svelte/
  pull/8629))

• breaking: apply inert to outroing elements (#​8628)

• breaking: use CustomEvent constructor instead of deprecated createEvent method (#​8775)

Minor Changes

• Add a way to modify attributes for script/style preprocessors (#​8618)

• Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#​7426)

• Add a11y no-noninteractive-element-interactions rule (#​8391)

• Add a11y-no-static-element-interactionsrule (#​8251)

• Allow #each to iterate over iterables like Set, Map etc (#​7425)

• Improve duplicate key error for keyed each blocks (#​8411)

• Warn about : in attributes and props to prevent ambiguity with Svelte directives (#​6823)

• feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#​8761)

• feat: smaller minified output for destructor chunks (#​8763)

Patch Changes

• Bind null option and input values consistently (#​8312)

• Allow $store to be used with changing values including nullish values (#​7555)

• Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#​7800)

• Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#​8284)

• Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#​6662).

• Explicitly disallow var declarations extending the reactive statement scope (#​6800)

• Improve error message when trying to use animate: directives on inline components (#​8641)

• fix: export ComponentType from svelte entrypoint (#​8578)

• fix: never use html optimization for mustache tags in hydration mode (#​8744)

• fix: derived store types (#​8578)

• Generate type declarations with dts-buddy (#​8578)

• fix: ensure types are loaded with all TS settings (#​8721)

• fix: account for preprocessor source maps when calculating meta info (#​8778)

• chore: deindent cjs output for compiler (#​8785)

• warn on boolean compilerOptions.css (#​8710)

• fix: export correct SvelteComponent type (#​8721)

v3.59.2

Compare Source

v3.59.1

Compare Source

v3.59.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 737be28

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
turborepo-sveltekit-start	Error			Oct 2, 2025 2:23pm

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate-bot!). We assume it knows what it's doing!

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 12 minutes (more than 100, code: "api-deployments-free-per-day").

[vercel]

@renovate-bot is attempting to deploy a commit to the Samson Unyinmadu 's projects Team on Vercel.

A member of the Team first needs to authorize it.