chore(deps): update dependency @sveltejs/kit to v2.20.6 [security] #9054


Merged: 1 commit, Apr 23, 2025

Conversation

renovate[bot] (Contributor) commented Apr 23, 2025

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
@sveltejs/kit (source) | 2.20.5 -> 2.20.6 | (badge) | (badge) | (badge) | (badge)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-32388

Summary

Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

Details

SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.

packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.

Reproduction

In a +page.server.js or +layout.server.js:

/** @type {import('@sveltejs/kit').Load} */
export function load(event) {
  const values = {};

  // Iterating over every key marks each search param name as a dependency of
  // this load function; nothing needs to be returned for the name to be tracked.
  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}

If a user visits the page in question via a link containing ?</script/><script>window.pwned%3D1</script/>, the </script> will be included verbatim in the payload, causing the embedded script to be executed.

It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.

Impact

Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.


Release Notes

sveltejs/kit (@sveltejs/kit)

v2.20.6

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
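As an added defender-side example (not SvelteKit's own code or its fix), the following shows why JSON.stringify alone is not enough when tracked search param names are embedded in an inline boot script, and one escaping that keeps a constructed name such as `page</script>` from terminating the script element. The boot-script shape, `window.__uses` and the helper names are assumptions for illustration.

```javascript
// Escape the characters that can break out of an inline <script> block.
// JSON.stringify leaves "<", ">" and "&" untouched, so a name containing
// "</script" would still end the script element in the HTML parser.
// The \uXXXX forms remain valid JSON, so the client can JSON.parse them.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Serialize the tracked search param names into a JS expression that is
// safe to inline (hypothetical counterpart of a uses.search_params emitter).
function stringifySearchParams(names) {
  return escapeForInlineScript(JSON.stringify(Array.from(names)));
}

// Check whether text may be placed inside <script>...</script> verbatim:
// the HTML parser closes the element at the first "</script" (any case),
// and "<!--" can also change how the parser treats what follows.
function isSafeForInlineScript(text) {
  return !/<\/script|<!--/i.test(text);
}

// Assemble a minimal boot script the way a server renderer would (assumed shape).
function renderBootScript(names) {
  const uses = `{"search_params":${stringifySearchParams(names)}}`;
  return `<script>window.__uses = ${uses};</script>`;
}

// Count occurrences of "</script" in rendered HTML; a correct render has
// exactly one, the real closing tag.
function countScriptTerminators(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: one ordinary name and one that would break out.
const SAMPLE_NAMES = ['q', 'page</script>'];
```

JSON.stringify(SAMPLE_NAMES) fails isSafeForInlineScript, while stringifySearchParams(SAMPLE_NAMES) passes and still round-trips through JSON.parse.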

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 23, 2025

nx-cloud bot commented Apr 23, 2025

View your CI Pipeline Execution ↗ for commit 3b61f44.

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 45s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 1s View ↗

☁️ Nx Cloud last updated this comment at 2025-04-23 08:05:59 UTC


pkg-pr-new bot commented Apr 23, 2025

@tanstack/angular-query-devtools-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-devtools-experimental@9054

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9054

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9054

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9054

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9054

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@9054

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@9054

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9054

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9054

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@9054

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@9054

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9054

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9054

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@9054

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9054

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9054

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@9054

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9054

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9054

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@9054

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9054

commit: 3b61f44


github-actions bot commented Apr 23, 2025

Sizes for commit 3b61f44:

Branch Bundle Size
Main
This PR


codecov bot commented Apr 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.58%. Comparing base (1b169ae) to head (3b61f44).
Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main    #9054   +/-   ##
=======================================
  Coverage   44.58%   44.58%           
=======================================
  Files         203      203           
  Lines        8104     8104           
  Branches     1811     1810    -1     
=======================================
  Hits         3613     3613           
  Misses       4059     4059           
  Partials      432      432           
Components Coverage Δ
@tanstack/angular-query-devtools-experimental ∅ <ø> (∅)
@tanstack/angular-query-experimental 85.23% <ø> (ø)
@tanstack/eslint-plugin-query 83.02% <ø> (ø)
@tanstack/query-async-storage-persister 43.85% <ø> (ø)
@tanstack/query-broadcast-client-experimental ∅ <ø> (∅)
@tanstack/query-codemods 0.00% <ø> (ø)
@tanstack/query-core 95.95% <ø> (ø)
@tanstack/query-devtools 3.61% <ø> (ø)
@tanstack/query-persist-client-core 73.46% <ø> (ø)
@tanstack/query-sync-storage-persister 84.61% <ø> (ø)
@tanstack/react-query 95.42% <ø> (ø)
@tanstack/react-query-devtools 10.00% <ø> (ø)
@tanstack/react-query-next-experimental ∅ <ø> (∅)
@tanstack/react-query-persist-client 100.00% <ø> (ø)
@tanstack/solid-query 78.48% <ø> (ø)
@tanstack/solid-query-devtools ∅ <ø> (∅)
@tanstack/solid-query-persist-client 100.00% <ø> (ø)
@tanstack/svelte-query 88.15% <ø> (ø)
@tanstack/svelte-query-devtools ∅ <ø> (∅)
@tanstack/svelte-query-persist-client 100.00% <ø> (ø)
@tanstack/vue-query 71.10% <ø> (ø)
@tanstack/vue-query-devtools ∅ <ø> (∅)

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 9833846 to 3b61f44 Compare April 23, 2025 08:03
@renovate renovate bot merged commit b13f0b8 into main Apr 23, 2025
7 checks passed
@renovate renovate bot deleted the renovate/npm-sveltejs-kit-vulnerability branch April 23, 2025 10:29