We’ve released patches for 5 vulnerabilities across devalue , svelte , @sveltejs/kit , and @sveltejs/adapter-node . Here’s what you need to know:
Upgrade now
If you’re using any of these packages, upgrade them to their corresponding non-vulnerable versions:
devalue : 5.6.2
: svelte : 5.46.4
: @sveltejs/kit : 2.49.5
: @sveltejs/adapter-node : 5.5.1
For cross-dependent packages — svelte and @sveltejs/kit depend on devalue — patched versions already include upgraded dependencies.
We’re extremely thankful to all of the security researchers who responsibly disclosed these vulnerabilities and worked with us to get them fixed, to the security team at Vercel who helped us navigate the disclosure process, and to the maintainers who worked to publish the fixes.
Over the last few weeks, we’ve seen a spate of high profile vulnerabilities affecting popular tools across the web development ecosystem. While they are unfortunate, it has been encouraging to see the community pulling together to keep end users safe. Using the lessons learned from these vulnerabilities, we will invest in processes that will help catch future bugs during the writing and review phases, before they go live.
... continue reading