fix(deps): update dependency svelte to v5.46.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.46.1 → 5.46.4

GitHub Vulnerability Alerts

CVE-2025-15265

Summary

An XSS vulnerability exists in Svelte 5.46.0-2 resulting from improper escaping of hydratable keys. If these keys incorporate untrusted user input, arbitrary JavaScript can be injected into server-rendered HTML.

Details

When using the hydratable function, the first argument is used as a key to uniquely identify the data, such that the value is not regenerated in the browser.

This key is embedded into a <script> block in the server-rendered <head> without escaping unsafe characters. A malicious key can break out of the script context and inject arbitrary JavaScript into the HTML response.

Impact

This is a cross-site scripting vulnerability affecting applications that have the experimental.async flag enabled and use hydratable with keys incorporating untrusted user input.

• Impact: Arbitrary JS execution in the client’s browser.
• Exploitability: Remote, single-request if key is attacker-controlled.
• Typical Outcomes:
  • Session/token theft
  • DOM defacement
  • CSRF bypass via injected JS
  • Account takeover depending on cookie/session strategy

Affected applications should upgrade to a patched version immediately.

---

Release Notes

sveltejs/svelte (svelte)

v5.46.4

Compare Source

Patch Changes

• fix: use devalue.uneval to serialize hydratable keys (ef81048e238844b729942441541d6dcfe6c8ccca)

v5.46.3

Compare Source

Patch Changes

• fix: reconnect clean deriveds when they are read in a reactive context (#​17362)

• fix: don't transform references of function declarations in legacy mode (#​17431)

• fix: notify deriveds of changes to sources inside forks (#​17437)

• fix: always reconnect deriveds in get, when appropriate (#​17451)

• fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

• fix: correctly update writable deriveds inside forks (#​17437)

• fix: remove $inspect calls after await expressions when compiling for production server code (#​17407)

• fix: clear batch between runs (#​17424)

• fix: adjust loc property of Program nodes created from <script> elements (#​17428)

• fix: don't revert source to UNINITIALIZED state when time travelling (#​17409)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8fd9328

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR