chore(deps): update dependency @sveltejs/kit to v2.20.6 [security] #940

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-sveltejs-kit-vulnerability

Contributor

renovate bot commented Apr 14, 2025

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@sveltejs/kit (source)	`2.8.3` -> `2.20.6`

GitHub Vulnerability Alerts

CVE-2025-32388

Summary

Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

Details

SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over the these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.

packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.

Reproduction

In a +page.server.js or +layout.server.js:

/** @&#8203;type {import('@&#8203;sveltejs/kit').Load} */
export function load(event) {
  const values = {};

  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}

If a user visits the page in question via a link containing ?</script/><script>window.pwned%3D1</script/>, the </script> will be included verbatim in the payload, causing the embedded script to be executed.

It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.

Impact

Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.

Release Notes

sveltejs/kit (@sveltejs/kit)

`v2.20.6`

Patch Changes

fix: escape names of tracked search parameters (d3300c6a67908590266c363dba7b0835d9a194cf)

`v2.20.5`

Patch Changes

allow HandleServerError hook to access getRequestEvent (#13666)
fix: prevent Rollup warnings for undefined hooks (#13687)

`v2.20.4`

Patch Changes

chore: remove internal class-replacement hack that isn't needed anymore (#13664)

`v2.20.3`

Patch Changes

fix: only call afterNavigate once on app start when SSR is disabled (#13593)

`v2.20.2`

Patch Changes

fix: allow non-prerendered API endpoint calls during reroute when prerendering (#13616)

`v2.20.1`

Patch Changes

fix: avoid using top-level await (#13607)

`v2.20.0`

Minor Changes

feat: add getRequestEvent to $app/server (#13582)

`v2.19.2`

Patch Changes

fix: lazily load CSS for dynamically imported components (#13564)

`v2.19.1`

Patch Changes

fix: allow reroute to point to prerendered route (#13575)

`v2.19.0`

Minor Changes

feat: provide fetch to reroute (#13549)

Patch Changes

chore: cache reroute results (#13548)

`v2.18.0`

Minor Changes

feat: allow async reroute (#13520)
feat: provide normalizeUrl helper (#13539)

Patch Changes

fix: correct navigation history with hash router and ensure load functions are rerun on user changes to URL hash (#13492)
fix: include universal load assets as server assets (#13531)
fix: Include root layout and error nodes even when apps have only prerendered pages (#13522)
fix: correctly preload data on mousedown/touchstart if code was preloaded on hover (#13530)

`v2.17.3`

Patch Changes

fix: avoid simulated CORS errors with non-HTTP URLs (#13493)
fix: correctly preload links on mousedown/touchstart (#13486)
fix: load CSS when using server-side route resolution (#13498)
fix: correctly find shared entry-point CSS files during inlining (#13431)

`v2.17.2`

Patch Changes

fix: add promise return type to the enhance action callback (#13420)
fix: change server-side route resolution endpoint (#13461)

`v2.17.1`

Patch Changes

fix: make route resolution imports root-relative if paths.relative option is false (#13412)

`v2.17.0`

Minor Changes

feat: validate values for cache-control and content-type headers in dev mode (#13114)
feat: support server-side route resolution (#13379)

Patch Changes

chore: don't error during development when using use:enhance with +server as some third party libraries make it possible to POST forms to it (#13397)
fix: skip hooks for server fetch to prerendered routes (#13377)
fix: ignore non-entry-point CSS files during inlining (#13395)
fix: default server fetch to use prerendered paths (#13377)

`v2.16.1`

Patch Changes

fix: avoid overwriting headers for sub-requests made while loading the error page (#13341)
fix: correctly resolve index file entrypoints such as src/service-worker/index.js (#13354)
fix: correctly handle relative anchors when using the hash router (#13356)

`v2.16.0`

Minor Changes

feat: add ability to invalidate a custom identifier on goto() (#13256)

feat: remove the postinstall script to support pnpm 10 (#13304)

NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]

    tsconfig.json:2:12:
      2 │   "extends": "./.svelte-kit/tsconfig.json",
        ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

feat: provide PageProps and LayoutProps types (#13308)

Patch Changes

perf: shorten chunk file names (#13003)
fix: strip internal data before passing URL to reroute (#13092)
fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#12217)
fix: use current window.fetch for server load fetch requests (#13315)
fix: resolve symlinks when handling routes (#12740)
fix: prevent infinite reload when using the hash router and previewing /index.html (#13296)
fix: service worker base path in dev mode (#12577)
chore: error during development when using use:enhance with +server (#13197)
chore: add most common status codes to redirect() JS documentation (#13301)
fix: correctly link to assets inlined by the inlineStyleThreshold option (#13068)
fix: fall back to importing dynamic dependencies relative to SvelteKit package (#12532)
fix: use arrow function types over bound funcs (#12955)
fix: correctly navigate when hash router is enabled and the browser encodes extra hashes (#13321)

`v2.15.3`

Patch Changes

fix: fix race-condition when not using SSR when pressing back before initial load (#12925)
fix: remove ":$" from virtual module ids to allow dev server to work with proxies (#12157)
fix: upgrade esm-env to remove warning when NODE_ENV is not set (#13291)
fix: handle Redirect thrown from root layout load function when client-side navigating to a non-existent page (#12005)
fix: make param matchers generated type import end with .js (#13286)

`v2.15.2`

Patch Changes

fix: correctly notify page store subscribers (#13205)
fix: prerender data when there is no server load but the trailingSlash option is set from the server (#13262)
fix: correctly remove navigation callbacks when returning function in onNavigate (#13241)

`v2.15.1`

Patch Changes

fix: add CSP hashes/nonces to inline styles when using bundleStrategy: 'inline' (#13232)
fix: silence dev/prod warning during sync (#13244)

`v2.15.0`

Minor Changes

feat: add bundleStrategy: 'inline' option (#13193)

`v2.14.1`

Patch Changes

fix: do not mutate URL during reroute logic (#13222)

`v2.14.0`

Minor Changes

feat: add hash-based routing option (#13191)

Patch Changes

fix: create new URL when calling goto(...), to handle case where URL is mutated (#13196)

`v2.13.0`

Minor Changes

feat: add bundleStrategy: 'split' | 'single' option (#13173)

`v2.12.2`

Patch Changes

fix: correctly resolve no hooks file when a similarly named directory exists (#13188)
fix: correctly resolve $app/state on the server with Vite 5 (#13192)

`v2.12.1`

Patch Changes

fix: replace navigating.current.<x> with navigating.<x> (#13174)

`v2.12.0`

Minor Changes

feat: add $app/state module (#13140)

Patch Changes

chore: specify the route ID in the error message during development when making a form action request to a route without form actions (#13167)

`v2.11.1`

Patch Changes

fix: adhere to Vite build.minify setting when building the service worker (#13143)

`v2.11.0`

Minor Changes

feat: transport custom types across the server/client boundary (#13149)

Patch Changes

fix: correctly resolve hooks file when a similarly named directory exists (#13144)

`v2.10.1`

Patch Changes

fix: export init hook from get_hooks (#13136)

`v2.10.0`

Minor Changes

feat: server and client init hook (#13103)

Patch Changes

fix: prevent hooks exported from hooks.js from overwriting hooks from hooks.server.js (#13104)

`v2.9.1`

Patch Changes

fix: correctly match route groups preceding optional parameters (#13099)

`v2.9.0`

Minor Changes

feat: Vite 6 support (#12270)

Patch Changes

fix: transform link[rel='shortcut icon'] and link[rel='apple-touch-icon'] to be absolute to avoid console error when navigating (#13077)

`v2.8.5`

Patch Changes

fix: don't hydrate when falling back to error page (#13056)

`v2.8.4`

Patch Changes

fix: update inline css url generation for FOUC prevention in dev (#13007)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency @sveltejs/kit to v2.20.6 [security]

1c5ac12

renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 5c79587 to 1c5ac12 Compare

April 24, 2025 13:44

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet