Conversation

@renovate renovate bot commented Jan 15, 2026

This PR contains the following updates:

Package: @sveltejs/kit (source)
Change: 2.42.2 → 2.49.5

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-67647

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

  • your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

  • your app has at least one prerendered route (export const prerender = true)
  • AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits


Release Notes

sveltejs/kit (@sveltejs/kit)

v2.49.5

Patch Changes
  • fix: avoid overriding Vite default base when running Vitest 4 (#14866)

  • fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

  • fix: add length checks to remote forms (8ed8155)

v2.49.4

Patch Changes
  • fix: support instrumentation for vite preview (#15105)

  • fix: support for URLSearchParams.has(name, value) overload (#15076)

  • fix: put forking behind experimental.forkPreloads (#15135)

v2.49.3

Patch Changes
  • fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#15121)

  • fix: add typescript as an optional peer dependency (#15074)

  • fix: use hasOwn check when deep-setting object properties (#15127)

v2.49.2

Patch Changes
  • fix: Stop re-loading already-loaded CSS during server-side route resolution (#15014)

  • fix: posixify the instrumentation file import on Windows (#14993)

  • fix: Correctly handle shared memory when decoding binary form data (#15028)

v2.49.1

Patch Changes
  • fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#15013)

  • fix: TypeError when doing response.clone() in page load (#15005)

v2.49.0

Minor Changes
  • feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#14775)

v2.48.8

Patch Changes
  • breaking: invalid now must be imported from @sveltejs/kit (#14768)

  • breaking: remove submitter option from experimental form validate() method, always provide default submitter (#14762)

v2.48.7

Patch Changes
  • fix: allow multiple server-timing headers (#14700)

  • fix: allow access to root-level issues in schema-less forms (#14893)

  • fix: allow hosting hash-based apps from non-index.html files (#14825)

v2.48.6

Patch Changes
  • fix: clear issues upon passing validation (#14683)

  • fix: don't use fork of unrelated route (#14947)

  • fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#14949)

  • fix: preserve this when invoking standard validator (#14943)

  • fix: treat client/universal hooks as entrypoints for illegal server import detection (#14876)

  • fix: correct query .set and .refresh behavior in commands (#14877)

  • fix: improved the accuracy of the types of the output of field.as('...') (#14908)

v2.48.5

Patch Changes
  • fix: wait an extra microtask in dev before calling $_init_$ (#14799)

  • fix: discard preload fork before creating a new one (#14865)

  • fix: delete RemoteFormAllIssue, add path to RemoteFormIssue (#14864)

v2.48.4

Patch Changes
  • fix: adjust query's promise implementation to properly allow chaining (#14859)

  • fix: make prerender cache work, including in development (#14860)

v2.48.3

Patch Changes
  • fix: include hash when using resolve with hash routing enabled (#14786)

  • fix: afterNavigate callback not running after hydration when experimental async is enabled (#14644)
    fix: Snapshot restore method not called after reload when experimental async is enabled

  • fix: expose issue.path in .allIssues() (#14784)

v2.48.2

Patch Changes
  • fix: update DOM before running navigate callbacks (#14829)

v2.48.1

Patch Changes
  • fix: wait for commit promise instead of settled (#14818)

v2.48.0

Minor Changes
  • feat: use experimental fork API when available (#14793)

Patch Changes
  • fix: await for settled instead of tick in navigate (#14800)

v2.47.3

Patch Changes
  • fix: avoid hanging when error() is used while streaming promises from a server load function (#14722)

  • chore: treeshake load function code if we know it's unused (#14764)

  • fix: RecursiveFormFields type for recursive or unknown schemas (#14734)

  • fix: rework internal representation of form value to be $state (#14771)

v2.47.2

Patch Changes
  • fix: streamed promise not resolving when another load function returns a fast resolving promise (#14753)

  • chore: allow to run preflight validation only (#14744)

  • fix: update overload to set invalid type to schema input (#14748)

v2.47.1

Patch Changes
  • fix: allow read to be used at the top-level of remote function files (#14672)

  • fix: more robust remote files generation (#14682)

v2.47.0

Minor Changes

Patch Changes
  • fix: resolve remote module syntax errors with trailing expressions (#14728)

v2.46.5

Patch Changes
  • fix: ensure form remote functions' fields.set triggers reactivity (#14661)

v2.46.4

Patch Changes
  • fix: prevent access of Svelte 5-only untrack function (#14658)

v2.46.3

Patch Changes
  • fix: merge field.set(...) calls (#14651)

  • fix: don't automatically reset form after an enhanced submission (#14626)

  • fix: normalize path strings when updating field values (#14649)

v2.46.2

Patch Changes
  • fix: prevent code execution order issues around SvelteKit's env modules (#14637)

v2.46.1

Patch Changes
  • fix: use $derived for form fields (#14621)

  • docs: remove @example blocks to allow docs to deploy (#14636)

  • fix: require a value with submit and hidden fields (#14635)

  • fix: delete hydration cache on effect teardown (#14611)

v2.46.0

Minor Changes
  • feat: imperative form validation (#14624)

Patch Changes
  • fix: wait a tick before collecting form data for validation (#14631)

  • fix: prevent code execution order issues around SvelteKit's env modules (#14632)

v2.45.0

Minor Changes
  • feat: form.for(id) now implicitly sets id on form object (#14623)

Patch Changes
  • fix: allow fetch in remote function without emitting a warning (#14610)

v2.44.0

Minor Changes
  • feat: expose event.route and event.url to remote functions (#14606)

  • breaking: update experimental form API (#14481)

Patch Changes
  • fix: don't crawl error responses during prerendering (#14596)

v2.43.8

Patch Changes
  • fix: HMR for query (#14587)

  • fix: avoid client modules while traversing dependencies to prevent FOUC during dev (#14577)

  • fix: skip prebundling of .remote.js files (#14583)

  • fix: more robust remote file pattern matching (#14578)

v2.43.7

Patch Changes
  • fix: correctly type the result of form remote functions that do not accept data (#14573)

  • fix: force remote module chunks to isolate themselves (#14571)

v2.43.6

Patch Changes
  • fix: ensure cache key is consistent between client/server (#14563)

  • fix: keep resolve relative to initial base during prerender (#14533)

  • fix: avoid including HEAD twice when an unhandled HTTP method is used in a request to a +server handler that has both a GET handler and a HEAD handler (#14564)

  • fix: smoothscroll to deep link (#14569)

v2.43.5

Patch Changes
  • fix: fall back to non-relative resolution when calling resolve(...) outside an event context (#14532)

v2.43.4

Patch Changes
  • fix: Webcontainer AsyncLocalStorage workaround (#14526)

v2.43.3

Patch Changes
  • fix: Webcontainer AsyncLocalStorage workaround (#14521)

  • fix: include the value of form submitters on form remote functions (#14475)

v2.43.2

Patch Changes
  • fix: ensure rendering starts off synchronously (#14517)

  • fix: keep serialized remote data alive until navigation (#14508)

v2.43.1

Patch Changes
  • fix: consistently use bare import for internals (#14506)

v2.43.0

Minor Changes

Patch Changes
  • fix: ensure __SVELTEKIT_PAYLOAD__.data is accessed safely (#14491)

  • fix: create separate cache entries for non-exported remote function queries (#14499)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
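The advisory quoted in the PR body above lists the conditions under which CVE-2025-67647 applies, and names a configured ORIGIN or a reverse proxy with Host header validation as the factors that close the SSRF path for adapter-node. The JavaScript below is an added example written for this page; it is not code from the Renovate PR, the advisory or the SvelteKit project. It encodes the advisory's version and configuration conditions as a checker and shows the kind of Host header allowlist a reverse proxy (or a pinned ORIGIN) should enforce. Assumptions: the version this PR updates to, 2.49.5, is treated as the first safe version because the advisory text here does not state a patched version; the function names, the `app` option names and the sample hosts are invented for illustration.

```javascript
// Added example for this page; not code from the Renovate PR, the GitHub
// advisory or the SvelteKit project. Encodes the CVE-2025-67647 exposure
// conditions quoted in the PR body and a Host-header allowlist check of the
// kind the advisory expects a reverse proxy (or a fixed ORIGIN) to enforce.

// Assumption: the version this PR moves to is treated as the first safe one.
// The advisory text above does not name a patched version; confirm it there.
const ASSUMED_PATCHED = '2.49.5';

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any -pre/+build
// suffix are ignored) into three numbers. Throws on anything else.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Classify an installed @sveltejs/kit version against the advisory:
//   >= 2.44.0: DoS if the app has any prerendered route
//   >= 2.19.0: DoS and SSRF if it has a prerendered route AND uses adapter-node
//              without ORIGIN AND no Host-validating reverse proxy sits in front
// `app` fields (names are this example's own, not SvelteKit options):
//   hasPrerenderedRoute, usesAdapterNode, originConfigured, proxyValidatesHost
function classifyExposure(version, app) {
  const exposure = { dos: false, ssrf: false };
  if (compareSemver(version, ASSUMED_PATCHED) >= 0) return exposure;
  if (!app.hasPrerenderedRoute) return exposure; // both paths need one
  if (compareSemver(version, '2.44.0') >= 0) exposure.dos = true;
  const hostDerivedOrigin =
    app.usesAdapterNode && !app.originConfigured && !app.proxyValidatesHost;
  if (compareSemver(version, '2.19.0') >= 0 && hostDerivedOrigin) {
    exposure.dos = true;
    exposure.ssrf = true;
  }
  return exposure;
}

// Host-header allowlist check. Accepts "host", "host:port", "[v6]" and
// "[v6]:port", compares case-insensitively, and fails closed on a missing,
// empty or malformed header (a second ":port", userinfo "@", a path, etc.).
function hostAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string') return false;
  const m = /^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:\d{1,5})?$/i.exec(hostHeader.trim());
  if (!m) return false;
  const host = m[1].toLowerCase();
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Constructed scenarios, so the file demonstrates itself when run directly.
function demo() {
  const prodLike = { hasPrerenderedRoute: true, usesAdapterNode: true,
                     originConfigured: false, proxyValidatesHost: false };
  console.log('2.48.0, no ORIGIN :', classifyExposure('2.48.0', prodLike));
  console.log('2.48.0, ORIGIN set:', classifyExposure('2.48.0', { ...prodLike, originConfigured: true }));
  console.log('Host evil.example allowed?', hostAllowed('evil.example', ['app.example.com']));
}
demo();
```

For adapter-node the advisory's first mitigation is to stop deriving the origin from the request, which is done by starting the build with the variable set, for example `ORIGIN=https://app.example.com node build`; the allowlist check above belongs in the proxy in front of the app and is written to reject anything that is not an exact, expected host, so an attacker-chosen Host value never reaches the server runtime.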

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 15, 2026
changeset-bot bot commented Jan 15, 2026

⚠️ No Changeset found

Latest commit: 0e243b1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai bot commented Jan 15, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


nx-cloud bot commented Jan 15, 2026

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

To disable these notifications, a workspace admin can disable them in workspace settings.


View your CI Pipeline Execution ↗ for commit 0e243b1

  • nx affected --targets=test:sherif,test:knip,tes... : ❌ Failed (2m 35s)
  • nx run-many --target=build --exclude=examples/*... : ❌ Failed (1m 19s)

☁️ Nx Cloud last updated this comment at 2026-01-16 11:14:50 UTC

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch 2 times, most recently from cc29d67 to d4aed08 Compare January 16, 2026 10:53
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from d4aed08 to 0e243b1 Compare January 16, 2026 11:11