fix(deps): update dependency svelte to v5.46.4 [security]#15220
Merged
florian-lefebvre merged 1 commit intomainfrom Jan 21, 2026
Merged
fix(deps): update dependency svelte to v5.46.4 [security]#15220florian-lefebvre merged 1 commit intomainfrom
florian-lefebvre merged 1 commit intomainfrom
Conversation
|
github-actions
bot
added
pkg: svelte
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
3 times, most recently
from
a2bb5c8 to
5c42d73
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
2 times, most recently
from
5c42d73 to
1af2cba
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
1af2cba to
0a857dc
Compare
| "@astrojs/vue": "workspace:*", | ||
| "astro": "workspace:*", | ||
| "svelte": "^4.2.20" | ||
| "svelte": "^5.0.0" |
Member
There was a problem hiding this comment.
@Princesseuh do you know if this was on v4 on purpose? Or is upgrading to v5 safe?
Member
There was a problem hiding this comment.
It's just used for tests, so probably that Svelte 5 didn't exist when I made this, ha. Should be safe to upgrade
florian-lefebvre
approved these changes
Jan 21, 2026
florian-lefebvre
added a commit
that referenced
this pull request
Jan 22, 2026
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Emanuele Stoppa <[email protected]> Co-authored-by: Matt Kane <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Florian Lefebvre <[email protected]> Co-authored-by: Erika <[email protected]> Co-authored-by: Sarah Rainsberger <[email protected]> Co-authored-by: Armand Philippot <[email protected]> Co-authored-by: matthewp <[email protected]> Co-authored-by: florian-lefebvre <[email protected]> Co-authored-by: ematipico <[email protected]> Co-authored-by: Luiz Ferraz <[email protected]> Co-authored-by: HiDeoo <[email protected]> Co-authored-by: Princesseuh <[email protected]> Co-authored-by: Chris Swithinbank <[email protected]> Co-authored-by: Antony Faris <[email protected]> Co-authored-by: Erika <[email protected]> Co-authored-by: Houston (Bot) <[email protected]> Co-authored-by: Florian Lefebvre <[email protected]> Co-authored-by: Volpeon <[email protected]> Co-authored-by: Martin Trapp <[email protected]> Co-authored-by: fkatsuhiro <[email protected]> Co-authored-by: Oliver Speir <[email protected]> Co-authored-by: Andreas Deininger <[email protected]> Co-authored-by: Roman <[email protected]> Co-authored-by: fabon <[email protected]> Co-authored-by: Raanelom <[email protected]> Co-authored-by: Rahul Dogra <[email protected]> Co-authored-by: James Garbutt <[email protected]> Co-authored-by: Pegasus <[email protected]> Co-authored-by: Cameron Smith <[email protected]> Co-authored-by: Martin Trapp <[email protected]> Co-authored-by: Rafael ヤスヒデ 須藤 <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Julien Cayzac <[email protected]> Co-authored-by: Drew Powers <[email protected]> Co-authored-by: Emanuele Stoppa <[email protected]> Co-authored-by: MkDev11 <[email protected]> Co-authored-by: andy <[email protected]> Co-authored-by: Luky Setiawan <[email protected]> Co-authored-by: btea <[email protected]> Co-authored-by: cid <[email protected]> Co-authored-by: Simen Sagholen Førrisdal <[email protected]> Co-authored-by: Alex Launi <[email protected]> Co-authored-by: Kedar Vartak <[email protected]> Co-authored-by: yy <[email protected]> Co-authored-by: Matheus Baroni <[email protected]> Co-authored-by: Kevin Brown <[email protected]> fix(ci): Reinstall deps after having published VS Code (#14996) fix(svelte): allow client directives (#15004) fix(assets): Fixes missing format option for svgs in the passthrough service (#14987) fix(deps): update all non-major dependencies (#15020) fix(content-layer): Try a smarter solution to normalize bare image paths in JSON (#15028) fix(astro): assets vite build log (#15034) resolved (#15033) fix: Remote images: Prevent internal caching from interfering with Astro's cache (#14954) fix(deps): update astro adapters (#15084) fix(deps): update all non-major dependencies (#15072) fix(deps): update astro client runtimes (#15085) fix: move ts-plugin node_modules to dist (#15083) fix: components imports paths (#15107) fix(assets): Use Vite's isFileLoadingAllowed to check if a file can be loaded (#15052) fix(vscode): Correctly handle TypeScript blocks ending with types (#15109) fix(svelte): improve Svelte children prop type checking (#15070) fix Firefox e2e tests for playwright 1.57 (#15113) fix(deps): update astro dependencies (#15103) fix: lint vt test (#15114) fix(deps): update language tools (#15104) resolver abstraction (#15111) fix(vue): add HTML attributes to generated TypeScript types (#15016) Fixes #14686 fix(vscode): Don't update @types/vscode automatically (#15131) fix: adjust page warning to only show up in more relevant times (#15127) fix(dev): preserve query params when base path is stripped (#15124) fix(assets): hoist ?? inside JSON.stringify in virtual module codegen (#15140) fix(toolbar): skip image audit for framework components (#15149) Fixes #15048 fix: Accept setCookie from both context and headers (#15152) fix(ci): Move ts-plugin-bundle to node_modules after recreating node_modules (#15156) fix: scripts not rendering with unused Fragment slots (#13847) (#15147) Fix hydration for framework components in MDX slots (#15150) fix(deps): update astro adapters (#15173) fix: fix image 500 error when moving dist directory in standalone Node (#15169) fix: Allow node: prefix for Node builtins for Vercel middleware (#14863) fix: Allow node: prefix for Node builtins for Vercel middleware (#14839)" fix(node): hash URL stripping (#15196) fix(core): add defensive validation for mod.page in App.render (#15148) fix(css): rewrite absolute URLs with base path in dev mode (#14622) Closes #14585 fix(docs): replace outdated Astro docs links (#15199) fix(lint): Move ESLint comment (#15216) fix: update devalue to the latest (#15222) fix(css): prevent CSS double-bundling (#14991) (#15017) Fixes #14991 fix: assets referenced via js chunks are not flagged as orphaned (#14607) fix(build): Prevent duplicate CSS for hydrated client components" (#14612)" Fixes #14252 fix(deps): update astro client runtimes (#15240) fix(deps): update astro adapters (#15243) fix(deps): update astro dependencies (#15241) fix(deps): update dependency prettier to ^3.8.0 (#15244) fix(deps): update all non-major dependencies (#15242) Fix greedy regex in error message markdown rendering (#15230) Fixes #15068 fixes: #15252 fix: prevent font copying when stopping dev server with q+enter (#15178) fix: renovate config typo (#15256) Fixes #15251 fix: typo in comment (#15232) fix(deps): update dependency svelte to v5.46.4 [security] (#15220) fix: add favicon.ico fallbacks to all examples (#15262)
florian-lefebvre
added a commit
that referenced
this pull request
Jan 30, 2026
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Emanuele Stoppa <[email protected]> Co-authored-by: Matt Kane <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Florian Lefebvre <[email protected]> Co-authored-by: Erika <[email protected]> Co-authored-by: Sarah Rainsberger <[email protected]> Co-authored-by: Armand Philippot <[email protected]> Co-authored-by: matthewp <[email protected]> Co-authored-by: florian-lefebvre <[email protected]> Co-authored-by: ematipico <[email protected]> Co-authored-by: Luiz Ferraz <[email protected]> Co-authored-by: HiDeoo <[email protected]> Co-authored-by: Princesseuh <[email protected]> Co-authored-by: Chris Swithinbank <[email protected]> Co-authored-by: Claude Opus 4.5 <[email protected]> Co-authored-by: Antony Faris <[email protected]> Co-authored-by: Erika <[email protected]> Co-authored-by: Houston (Bot) <[email protected]> Co-authored-by: Florian Lefebvre <[email protected]> Co-authored-by: Volpeon <[email protected]> Co-authored-by: Martin Trapp <[email protected]> Co-authored-by: fkatsuhiro <[email protected]> Co-authored-by: Oliver Speir <[email protected]> Co-authored-by: Andreas Deininger <[email protected]> Co-authored-by: Roman <[email protected]> Co-authored-by: fabon <[email protected]> Co-authored-by: Raanelom <[email protected]> Co-authored-by: Rahul Dogra <[email protected]> Co-authored-by: James Garbutt <[email protected]> Co-authored-by: Pegasus <[email protected]> Co-authored-by: Cameron Smith <[email protected]> Co-authored-by: Martin Trapp <[email protected]> Co-authored-by: Rafael ヤスヒデ 須藤 <[email protected]> Co-authored-by: Matthew Phillips <[email protected]> Co-authored-by: Julien Cayzac <[email protected]> Co-authored-by: Drew Powers <[email protected]> Co-authored-by: Emanuele Stoppa <[email protected]> Co-authored-by: MkDev11 <[email protected]> Co-authored-by: andy <[email protected]> Co-authored-by: Luky Setiawan <[email protected]> Co-authored-by: btea <[email protected]> Co-authored-by: cid <[email protected]> Co-authored-by: Simen Sagholen Førrisdal <[email protected]> Co-authored-by: Alex Launi <[email protected]> Co-authored-by: Kedar Vartak <[email protected]> Co-authored-by: yy <[email protected]> Co-authored-by: Matheus Baroni <[email protected]> Co-authored-by: Kevin Brown <[email protected]> Co-authored-by: Eric Grill <[email protected]> Co-authored-by: Cameron Pak <[email protected]> Co-authored-by: Tony Narlock <[email protected]> Co-authored-by: John Mortlock <[email protected]> Co-authored-by: Patrick Arlt <[email protected]> Co-authored-by: Mark Ignacio <[email protected]> fix(ci): Reinstall deps after having published VS Code (#14996) fix(svelte): allow client directives (#15004) fix(assets): Fixes missing format option for svgs in the passthrough service (#14987) fix(deps): update all non-major dependencies (#15020) fix(content-layer): Try a smarter solution to normalize bare image paths in JSON (#15028) fix(astro): assets vite build log (#15034) resolved (#15033) fix: Remote images: Prevent internal caching from interfering with Astro's cache (#14954) fix(deps): update astro adapters (#15084) fix(deps): update all non-major dependencies (#15072) fix(deps): update astro client runtimes (#15085) fix: move ts-plugin node_modules to dist (#15083) fix: components imports paths (#15107) fix(assets): Use Vite's isFileLoadingAllowed to check if a file can be loaded (#15052) fix(vscode): Correctly handle TypeScript blocks ending with types (#15109) fix(svelte): improve Svelte children prop type checking (#15070) fix Firefox e2e tests for playwright 1.57 (#15113) fix(deps): update astro dependencies (#15103) fix: lint vt test (#15114) fix(deps): update language tools (#15104) resolver abstraction (#15111) fix(vue): add HTML attributes to generated TypeScript types (#15016) Fixes #14686 fix(vscode): Don't update @types/vscode automatically (#15131) fix: adjust page warning to only show up in more relevant times (#15127) fix(dev): preserve query params when base path is stripped (#15124) fix(assets): hoist ?? inside JSON.stringify in virtual module codegen (#15140) fix(toolbar): skip image audit for framework components (#15149) Fixes #15048 fix: Accept setCookie from both context and headers (#15152) fix(ci): Move ts-plugin-bundle to node_modules after recreating node_modules (#15156) fix: scripts not rendering with unused Fragment slots (#13847) (#15147) Fix hydration for framework components in MDX slots (#15150) fix(deps): update astro adapters (#15173) fix: fix image 500 error when moving dist directory in standalone Node (#15169) fix: Allow node: prefix for Node builtins for Vercel middleware (#14863) fix: Allow node: prefix for Node builtins for Vercel middleware (#14839)" fix(node): hash URL stripping (#15196) fix(core): add defensive validation for mod.page in App.render (#15148) fix(css): rewrite absolute URLs with base path in dev mode (#14622) Closes #14585 fix(docs): replace outdated Astro docs links (#15199) fix(lint): Move ESLint comment (#15216) fix: update devalue to the latest (#15222) fix(css): prevent CSS double-bundling (#14991) (#15017) Fixes #14991 fix: assets referenced via js chunks are not flagged as orphaned (#14607) fix(build): Prevent duplicate CSS for hydrated client components" (#14612)" Fixes #14252 fix(deps): update astro client runtimes (#15240) fix(deps): update astro adapters (#15243) fix(deps): update astro dependencies (#15241) fix(deps): update dependency prettier to ^3.8.0 (#15244) fix(deps): update all non-major dependencies (#15242) Fix greedy regex in error message markdown rendering (#15230) Fixes #15068 fixes: #15252 fix: prevent font copying when stopping dev server with q+enter (#15178) fix: renovate config typo (#15256) Fixes #15251 fix: typo in comment (#15232) fix(deps): update dependency svelte to v5.46.4 [security] (#15220) fix: add favicon.ico fallbacks to all examples (#15262) fix(cli): add .vercel to .gitignore when using astro add vercel (#15185) Closes #15058 fix(fonts): font providers as class instances (#15286) Fix: Remove await from getActionResult JSDoc example (#15304) fix(errors): Only style valid URLs in the error overlay (#15324) fix(fonts): remove getFontBuffer() (#15334)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.2.20→^5.0.05.46.1→5.46.4GitHub Vulnerability Alerts
CVE-2025-15265
Summary
An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of
hydratablekeys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.Details
When using the
hydratablefunction, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.This key is embedded into a
<script>block in the server-rendered<head>without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.Impact
This is a cross-site scripting vulnerability affecting applications that have the
experimental.asyncflag enabled and usehydratablewith keys incorporating untrusted user input.Affected applications should upgrade to a patched version immediately.
Release Notes
sveltejs/svelte (svelte)
v5.46.4Compare Source
Patch Changes
devalue.unevalto serializehydratablekeys (ef81048e238844b729942441541d6dcfe6c8ccca)v5.46.3Compare Source
Patch Changes
fix: reconnect clean deriveds when they are read in a reactive context (#17362)
fix: don't transform references of function declarations in legacy mode (#17431)
fix: notify deriveds of changes to sources inside forks (#17437)
fix: always reconnect deriveds in get, when appropriate (#17451)
fix: prevent derives without dependencies from ever re-running (
286b40c4526ce9970cb81ddd5e65b93b722fe468)fix: correctly update writable deriveds inside forks (#17437)
fix: remove
$inspectcalls after await expressions when compiling for production server code (#17407)fix: clear batch between runs (#17424)
fix: adjust
locproperty ofProgramnodes created from<script>elements (#17428)fix: don't revert source to UNINITIALIZED state when time travelling (#17409)
v5.46.1Compare Source
Patch Changes
fix: type
currentTargetinonfunction (#17370)fix: skip static optimisation for stateless deriveds after
await(#17389)fix: prevent infinite loop when HMRing a component with an
await(#17380)v5.46.0Compare Source
Minor Changes
cspoption torender(...), and emit hashes when usinghydratable(#17338)v5.45.10Compare Source
Patch Changes
AsyncLocalStorage(#17350)v5.45.9Compare Source
Patch Changes
fix: correctly reschedule deferred effects when reviving a batch after async work (#17332)
fix: correctly print
!doctypeduringprint(#17341)v5.45.8Compare Source
Patch Changes
fix: set AST
root.startto0androot.endtotemplate.length(#17125)fix: prevent erroneous
state_referenced_locallywarnings on prop fallbacks (#17329)v5.45.7Compare Source
Patch Changes
fix: Add
<textarea wrap="off">as a valid attribute value (#17326)fix: add more css selectors to
print()(#17330)fix: don't crash on
hydratableserialization failure (#17315)v5.45.6Compare Source
Patch Changes
fix: don't issue a11y warning for
<video>without captions if it has nosrc(#17311)fix: add
srcObjectto permitted<audio>/<video>attributes (#17310)v5.45.5Compare Source
Patch Changes
fix: correctly reconcile each blocks after outroing branches are resumed (#17258)
fix: destroy each items after siblings are resumed (#17258)
v5.45.4Compare Source
Patch Changes
chore: move DOM-related effect properties to
effect.nodes(#17293)fix: allow
$props.id()to occur after anawait(#17285)fix: keep reactions up to date even when read outside of effect (#17295)
v5.45.3Compare Source
Patch Changes
add props to state_referenced_locally (#17266)
fix: preserve node locations for better sourcemaps (#17269)
fix: handle cross-realm Promises in
hydratable(#17284)v5.45.2Compare Source
Patch Changes
fix: array destructuring after await (#17254)
fix: throw on invalid
{@​tag}s (#17256)v5.45.1Compare Source
Patch Changes
v5.45.0Compare Source
Minor Changes
print(...)function (#16188)v5.44.1Compare Source
Patch Changes
fix: await blockers before initialising const (#17226)
fix: link offscreen items and last effect in each block correctly (#17244)
fix: generate correct code for simple destructurings (#17237)
fix: ensure each block animations don't mess with transitions (#17238)
v5.44.0Compare Source
Minor Changes
hydratableAPI (#17154)v5.43.15Compare Source
Patch Changes
fix: don't execute attachments and attribute effects eagerly (#17208)
chore: lift "flushSync cannot be called in effects" restriction (#17139)
fix: store forked derived values (#17212)
v5.43.14Compare Source
Patch Changes
fix: correctly migrate named self closing slots (#17199)
fix: error at compile time instead of at runtime on await expressions inside bindings/transitions/animations/attachments (#17198)
fix: take async blockers into account for bindings/transitions/animations/attachments (#17198)
v5.43.13Compare Source
Patch Changes
v5.43.12Compare Source
Patch Changes
v5.43.11Compare Source
Patch Changes
perf: don't use tracing overeager during dev (#17183)
fix: don't cancel transition of already outroing elements (#17186)
v5.43.10Compare Source
Patch Changes
v5.43.9Compare Source
Patch Changes
fix: correctly handle functions when determining async blockers (#17137)
fix: keep deriveds reactive after their original parent effect was destroyed (#17171)
fix: ensure eager effects don't break reactions chain (#17138)
fix: ensure async
@constin boundary hydrates correctly (#17165)fix: take blockers into account when creating
#awaitblocks (#17137)fix: parallelize async
@consts in the template (#17165)v5.43.8Compare Source
Patch Changes
v5.43.7Compare Source
Patch Changes
fix: properly defer document title until async work is complete (#17158)
fix: ensure deferred effects can be rescheduled later on (#17147)
fix: take blockers of components into account (#17153)
v5.43.6Compare Source
Patch Changes
v5.43.5Compare Source
Patch Changes
fix: ensure async static props/attributes are awaited (#17120)
fix: wait on dependencies of async bindings (#17120)
fix: await dependencies of style directives (#17120)
v5.43.4Compare Source
Patch Changes
chore: simplify connection/disconnection logic (#17105)
fix: reconnect deriveds to effect tree when time-travelling (#17105)
v5.43.3Compare Source
Patch Changes
fix: ensure fork always accesses correct values (#17098)
fix: change title only after any pending work has completed (#17061)
fix: preserve symbols when creating derived rest properties (#17096)
v5.43.2Compare Source
Patch Changes
v5.43.1Compare Source
Patch Changes
$bindableafterawaitexpressions (#17066)v5.43.0Compare Source
Minor Changes
Patch Changes
v5.42.3Compare Source
Patch Changes
fix: handle
<svelte:head>rendered asynchronously (#17052)fix: don't restore batch in
#await(#17051)v5.42.2Compare Source
Patch Changes
fix: better error message for global variable assignments (#17036)
chore: tweak memoizer logic (#17042)
v5.42.1Compare Source
Patch Changes
discard()aftercommit()(#17034)v5.42.0Compare Source
Minor Changes
forkAPI (#17004)Patch Changes
fix: always allow
setContextbefore first await in component (#17031)fix: less confusing names for inspect errors (#17026)
v5.41.4Compare Source
Patch Changes
fix: take into account static blocks when determining transition locality (#17018)
fix: coordinate mount of snippets with await expressions (#17021)
fix: better optimization of await expressions (#17025)
fix: flush pending changes after rendering
failedsnippet (#16995)v5.41.3Compare Source
Patch Changes
chore: exclude vite optimized deps from stack traces (#17008)
perf: skip repeatedly traversing the same derived (#17016)
v5.41.2Compare Source
Patch Changes
fix: keep batches alive until all async work is complete (#16971)
fix: don't preserve reactivity context across function boundaries (#17002)
fix: make
$inspectlogs come from the callsite (#17001)fix: ensure guards (eg. if, each, key) run before their contents (#16930)
v5.41.1Compare Source
Patch Changes
fix: place
let:declarations before{@​const}declarations (#16985)fix: improve
each_key_without_aserror (#16983)chore: centralise branch management (#16977)
v5.41.0Compare Source
Minor Changes
$state.eager(value)rune (#16849)Patch Changes
fix: preserve
<select>state while focused (#16958)chore: run boundary async effects in the context of the current batch (#16968)
fix: error if
eachblock haskeybut noasclause (#16966)v5.40.2Compare Source
Patch Changes
pendingbranch of SSR boundary (#16965)v5.40.1Compare Source
Patch Changes
v5.40.0Compare Source
Minor Changes
createContextutility for type-safe context (#16948)Patch Changes
chore: simplify
batch.apply()(#16945)fix: don't rerun async effects unnecessarily (#16944)
v5.39.13Compare Source
Patch Changes
fix: add missing type for
frattribute forradialGradienttags in svg (#16943)fix: unset context on stale promises (#16935)
v5.39.12Compare Source
Patch Changes
fix: better input cursor restoration for
bind:value(#16925)fix: track the user's getter of
bind:this(#16916)fix: generate correct SSR code for the case where
pendingis an attribute (#16919)fix: generate correct code for
eachblocks with async body (#16923)v5.39.11Compare Source
Patch Changes
v5.39.10Compare Source
Patch Changes
fix: hydrate each blocks inside element correctly (#16908)
fix: allow await in if block consequent and alternate (#16890)
fix: don't replace rest props with
$$propsfor excluded props (#16898)fix: correctly transform
$derivedprivate fields on server (#16894)fix: add
UNKNOWNevaluation value before breaking forbinding.initial===SnippetBlock(#16910)v5.39.9Compare Source
Patch Changes
v5.39.8Compare Source
Patch Changes
fix: check boundary
pendingattribute at runtime on server (#16855)fix: preserve tuple type in
$state.snapshot(#16864)fix: allow await in svelte:boundary without pending (#16857)
fix: update
bind:checkederror message to clarify usage with radio inputs (#16874)v5.39.7Compare Source
Patch Changes
chore: simplify batch logic (#16847)
fix: rebase pending batches when other batches are committed (#16866)
fix: wrap async
childrenin$$renderer.async(#16862)fix: silence label warning for buttons and anchor tags with title attributes (#16872)
fix: coerce nullish
<title>to empty string (#16863)v5.39.6Compare Source
Patch Changes
fix: depend on reads of deriveds created within reaction (async mode) (#16823)
fix: SSR regression of processing attributes of
<select>and<option>(#16821)fix: async
class:+ spread attributes were compiled into sync server-side code (#16834)fix: ensure tick resolves within a macrotask (#16825)
v5.39.5Compare Source
Patch Changes
fix: allow
{@​html await ...}and snippets with async content on the server (#16817)fix: use nginx SSI-compatible comments for
$props.id()(#16820)v5.39.4Compare Source
Patch Changes
awaitin<script>(#16806)v5.39.3Compare Source
Patch Changes
fix: remove outer hydration markers (#16800)
fix: async hydration (#16797)
v5.39.2Compare Source
Patch Changes
fix: preserve SSR context when block expressions contain
await(#16791)chore: bump some devDependencies (#16787)
v5.39.1Compare Source
Patch Changes
fix: add missing type for
frattribute forradialGradienttags in svg (#16943)fix: unset context on stale promises (#16935)
v5.39.0Compare Source
Minor Changes
Patch Changes
v5.38.10Compare Source
Patch Changes
v5.38.9Compare Source
Patch Changes
chore: generate CSS hash using the filename (#16740)
fix: correctly analyze
<object.property>components (#16711)fix: clean up scheduling system (#16741)
fix: transform input defaults from spread (#16481)
fix: don't destroy contents of
svelte:boundaryunless the boundary is an error boundary (#16746)v5.38.8Compare Source
Patch Changes
$effect.pendingcount to the correct boundary (#16732)v5.38.7Compare Source
Patch Changes
fix: replace
undefinedwithvoid(0)in CallExpressions (#16693)fix: ensure batch exists when resetting a failed boundary (#16698)
fix: place store setup inside async body (#16687)
v5.38.6Compare Source
Patch Changes
flushSyncwhile flushing effects (#16674)v5.38.5Compare Source
Patch Changes
v5.38.3Compare Source
Patch Changes
fix: ensure correct order of template effect values (#16655)
fix: allow async
{@​const}in more places (#16643)fix: properly catch top level await errors (#16619)
perf: prune effects without dependencies (#16625)
fix: only emit
for_await_track_reactivity_lossin async mode (#16644)v5.38.2Compare Source
Patch Changes
perf: run blocks eagerly during flush instead of aborting (#16631)
fix: don't clone non-proxies in
$inspect(#16617)fix: avoid recursion error when tagging circular references (#16622)
v5.38.1Compare Source
Patch Changes
v5.38.0Compare Source
Minor Changes
awaitinside@constdeclarations (#16542)Patch Changes
fix: remount at any hydration error (#16248)
chore: emit
await_reactivity_lossinfor awaitloops (#16521)fix: emit
snippet_invalid_exportinstead ofundefined_exportfor exported snippets (#16539)v5.37.3Compare Source
Patch Changes
v5.37.2Compare Source
Patch Changes
fix: double event processing in firefox due to event object being garbage collected (#16527)
fix: add bindable dimension attributes types to SVG and MathML elements (#16525)
fix: correctly differentiate static fields before emitting
duplicate_class_field(#16526)fix: prevent last_propagated_event from being DCE'd (#16538)
v5.37.1Compare Source
Patch Changes
chore: remove some todos (#16515)
fix: allow await expressions inside
{#await ...}argument (#16514)fix:
append_stylesin an effect to make them available on mount (#16509)chore: remove
parser.template_untrimmed(#16511)fix: always inject styles when compiling as a custom element (#16509)
v5.37.0Compare Source
Minor Changes
compileModule(#16362)Patch Changes
v5.36.17Compare Source
Patch Changes
fix: throw on duplicate class field declarations (#16502)
fix: add types for
partattribute to svg attributes (#16499)v5.36.16Compare Source
Patch Changes
fix: don't update a focused input with values from its own past (#16491)
fix: don't destroy effect roots created inside of deriveds (#16492)
v5.36.15Compare Source
Patch Changes
v5.36.14Compare Source
Patch Changes
fix: keep input in sync when binding updated via effect (#16482)
fix: rename form accept-charset attribute (#16478)
fix: prevent infinite async loop (#16482)
fix: exclude derived writes from effect abort and rescheduling (#16482)
v5.36.13Compare Source
Patch Changes
v5.36.12Compare Source
Patch Changes
capture_signalsto legacy module (#16456)v5.36.10Compare Source
Patch Changes
v5.36.9Compare Source
Patch Changes
fix: don't reexecute derived with no dependencies on teardown (#16438)
fix: disallow
export { foo as default }in<script module>(#16447)fix: move ownership validation into async component body (#16449)
fix: allow async destructured deriveds (#16444)
fix: move store setup/cleanup outside of async component body (#16443)
v5.36.8Compare Source
Patch Changes
fix: keep effect in the graph if it has an abort controller (#16430)
chore: Switch
payload.outto an array (#16428)v5.36.7Compare Source
Patch Changes
<svelte:...>elements to inherit fromSvelteHTMLElements(#16424)v5.36.6Compare Source
Patch Changes
fix: delegate functions with shadowed variables if declared locally (#16417)
fix: handle error in correct boundary after reset (#16171)
fix: make
<svelte:boundary>reset function a noop after the first call (#16171)v5.36.5Compare Source
Patch Changes
fix: silence
$inspecterrors when the effect is about to be destroyed (#16391)fix: more informative error when effects run in an infinite loop (#16405)
v5.36.4Compare Source
Patch Changes
fix: avoid microtask in flushSync (#16394)
fix: ensure compiler state is reset before compilation (#16396)
v5.36.3Compare Source
Patch Changes
fix: don't log
await_reactivity_losswarning when signal is read inuntrack(#16385)fix: better handle $inspect on array mutations (#16389)
fix: leave proxied array
lengthuntouched when deleting properties (#16389)fix: update
$effect.pending()immediately after a batch is removed (#16382)v5.36.2Compare Source
Patch Changes
fix: add
$effect.pending()to types (#16376)fix: add
pendingsnippet to<svelte:boundary>types (#16379)v5.36.1Compare Source
Patch Changes
fix: throw on duplicate class field declarations (#16502)
fix: add types for
partattribute to svg attributes (#16499)v5.36.0Compare Source
Minor Changes
awaitin components when using theexperimental.asynccompiler option (#15844)Patch Changes
fix: silence a11y warning for inert elements (#16339)
chore: clean up a11y analysis code (#16345)
v5.35.7Compare Source
Patch Changes
fix: silence autofocus a11y warning inside
<dialog>(#16341)fix: don't show adjusted error messages in boundaries (#16360)
chore: replace inline regex with variable (#16340)
v5.35.6Compare Source
Patch Changes
chore: simplify reaction/source ownership tracking (#16333)
chore: simplify internal component
pop()(#16331)v5.35.5Compare Source
Patch Changes
fix: associate sources in Spring/Tween/SvelteMap/SvelteSet with correct reaction (#16325)
fix: re-evaluate derived props during teardown (#16278)
v5.35.4Compare Source
Patch Changes
v5.35.3Compare Source
Patch Changes
fix: account for mounting when
select_optioninattribute_effect(#16309)fix: do not proxify the value assigned to a derived (#16302)
v5.35.2Compare Source
Patch Changes
v5.35.1Compare Source
Patch Changes
__svelte_metaobjects (#16255)v5.35.0Compare Source
Minor Changes
getAbortSignal()(#16266)Patch Changes
v5.34.9Compare Source
Patch Changes
v5.34.8Compare Source
Patch Changes
fix: untrack
$inspect.withand add check for unsafe mutation (#16209)fix: use fine grained for template if the component is not explicitly in legacy mode (#16232)
lift unsafe_state_mutation constraints for SvelteSet, SvelteMap, SvelteDate, SvelteURL and SvelteURLSearchParams created inside the derived (#16221)
[
v5.34.7](https://redirect.github.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#5347Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.