chore(deps): update dependency svelte to v5.46.4 [security]#6981

Merged
chenjiahan merged 1 commit intomainfrom
renovate/npm-svelte-vulnerability
Jan 16, 2026

Conversation


@renovate renovate bot commented Jan 15, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
svelte (source) | 5.46.1 → 5.46.4 | (badge) | (badge)

GitHub Vulnerability Alerts

CVE-2025-15265

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

  • Impact: Arbitrary JS execution in the client’s browser.
  • Exploitability: Remote, single-request if key is attacker-controlled.
  • Typical Outcomes:
    • Session/token theft
    • DOM defacement
    • CSRF bypass via injected JS
    • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.


Release Notes

sveltejs/svelte (svelte)

v5.46.4

Compare Source

Patch Changes

v5.46.3

Compare Source

Patch Changes
  • fix: reconnect clean deriveds when they are read in a reactive context (#17362)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
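The advisory above describes a key being interpolated into a server-rendered `<script>` block without escaping. The following is an added illustration, not Svelte's code and not part of this PR: it contrasts an unescaped interpolation with a serializer that encodes `<`, `>`, `&`, U+2028 and U+2029 as `\u` escapes so that no input can form a closing tag, and includes a check an SSR test suite could run over rendered output. All function names, the `window.__hydrated__` slot and the sample key are assumptions constructed for the example.

```javascript
// Added example (not Svelte's code). Names are assumptions for illustration.

// Characters that must never appear literally inside a <script> body when the
// body is JSON-shaped: "<" and ">" could form "</script>", "&" matters if the
// markup is ever parsed as XML, and U+2028/U+2029 are line terminators that are
// valid in JSON but historically terminated JS string literals.
const UNSAFE_IN_SCRIPT = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Serialize a JSON-compatible value into a literal that is safe to place
// verbatim inside <script>. JSON.parse of the result returns the original value.
function serializeForScript(value) {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (c) => UNSAFE_IN_SCRIPT[c],
  );
}

// Unsafe pattern, kept only for contrast: the key lands in the script body
// unescaped, so a key containing "</script>" ends the element early.
function renderHydrationScriptUnsafe(key, data) {
  return `<script>window.__hydrated__["${key}"] = ${JSON.stringify(data)};</script>`;
}

// Hardened pattern: key and data are both passed through serializeForScript,
// so the only "<" characters in the output are the two tags we emit ourselves.
function renderHydrationScript(key, data) {
  return `<script>window.__hydrated__[${serializeForScript(key)}] = ${serializeForScript(data)};</script>`;
}

// Output check for a test suite or SSR linter: everything between the opening
// tag and the final closing tag must contain neither "</script" (any case)
// nor a raw "<". Returns true when the script body is properly contained.
function scriptBodyIsContained(html) {
  const open = html.indexOf("<script>") + "<script>".length;
  const close = html.lastIndexOf("</script>");
  if (open < "<script>".length || close < open) return false;
  const body = html.slice(open, close);
  return !/<\/script/i.test(body) && !body.includes("<");
}

// Constructed sample: a key that merely closes the tag is enough to show the
// difference between the two renderers.
const sampleKey = "report-</script>";
const sampleData = { items: [1, 2] };

console.log(scriptBodyIsContained(renderHydrationScriptUnsafe(sampleKey, sampleData))); // false
console.log(scriptBodyIsContained(renderHydrationScript(sampleKey, sampleData)));       // true
```

Encoding `<` as `\u003c` rather than rejecting keys keeps arbitrary keys usable while guaranteeing the serialized text cannot contain a tag; the same approach is used by common SSR serializers, and the check function gives reviewers a cheap regression test for the rendered HTML.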

netlify bot commented Jan 15, 2026

Deploy Preview for rsbuild-v2 ready!

Name Link
🔨 Latest commit 13c263b
🔍 Latest deploy log https://app.netlify.com/projects/rsbuild-v2/deploys/696955ace634fc000824c341
😎 Deploy Preview https://deploy-preview-6981--rsbuild-v2.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.

@chenjiahan chenjiahan merged commit 0eeffea into main Jan 16, 2026
10 checks passed
@chenjiahan chenjiahan deleted the renovate/npm-svelte-vulnerability branch January 16, 2026 02:07
