Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency @sveltejs/kit to v2 [security] #978

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @sveltejs/kit to v2 [security] #978

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@sveltejs/kit (source) ^1.0.1 -> ^2.8.3 age adoption passing confidence
@sveltejs/kit (source) 1.0.1 -> 2.8.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-29003

Summary

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to it’s users. The protection is implemented at kit/src/runtime/server/respond.js#L52. While the implementation does a sufficient job in mitigating common CSRF attacks, the protection can be bypassed by simply specifying a different Content-Type header value.

Details

The CSRF protection is implemented using the code shown below.

const forbidden =
  // (1)
  request.method === 'POST' &&
  // (2)
  request.headers.get('origin') !== url.origin &&
  // (3)
  is_form_content_type(request);

if (forbidden) {
  // (4)
  const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
  if (request.headers.get('accept') === 'application/json') {
    return json(csrf_error.body, { status: csrf_error.status });
  }
  return text(csrf_error.body.message, { status: csrf_error.status });
}

If the incoming request specifies a POST method (1), the protection will compare the server’s origin with the value of the HTTP Origin header (2). A mismatch between these values signals that a potential attack has been detected. The final check is performed on the request’s Content-Type header (3) whether the value is either application/x-www-form-urlencoded or multipart/form-data (kit/src/utils/http.js#L71). If all the previous checks pass, the request will be rejected with an 403 error response (4).

The is_form_content_type validation is not sufficient to mitigate all possible variations of this type of attack. If a CSRF attack is performed with the Content-Type header set to text/plain, the protection will be circumvented and the request will be processed by the endpoint handler.

Impact

If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts.

Remediation

SvelteKit 1.15.1 updates the is_form_content_type function call in the CSRF protection logic to include text/plain.

As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on PUT, PATCH and DELETE methods as well. This latter hardening is only needed to protect users who have put in some sort of ?_method= override feature themselves in their handle hook, so that the request that resolve sees could be PUT/PATCH/DELETE when the browser issues a POST request.

CVE-2023-29008

Summary

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.

SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at kit/src/runtime/server/respond.js. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed by simply specifying an upper-cased Content-Type header value. The browser will not send uppercase characters on form submission, but this check does not block all expected cross-site requests: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

Details

The CSRF protection is implemented using the code shown below.

		const forbidden =
			is_form_content_type(request) &&
			(request.method === 'POST' ||
				request.method === 'PUT' ||
				request.method === 'PATCH' ||
				request.method === 'DELETE') &&
			request.headers.get('origin') !== url.origin;

		if (forbidden) {
			const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
			if (request.headers.get('accept') === 'application/json') {
				return json(csrf_error.body, { status: csrf_error.status });
			}
			return text(csrf_error.body.message, { status: csrf_error.status });
		}

If the incoming request specifies a POST/PUT/PATCH/DELETE method, the protection will compare the server’s origin with the value of the HTTP Origin header. A mismatch between these values signals that a potential attack has been detected. The final check is performed on the request’s Content-Type header whether the value is either application/x-www-form-urlencoded, multipart/form-data or text/plain. If all the previous checks pass, the request will be rejected with an 403 error response.
However, is_form_content_type, which is responsible for checking the value of the Content-Type header, is not sufficient to mitigate all possible variations of this type of attack. Since this function is checking Content-Type with lower-cased values, and the browser accepts upper-cased Content-Type header to be sent, a CSRF attack performed with the Content-Type header that contains an upper-cased character (e.g., text/plaiN) can circumvent the protection and the request will be processed by the endpoint handler.

Impact

If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases:

  1. If the target site sets SameSite=None on its auth cookie and the user visits a malicious site in a Chromium-based browser
  2. If the target site doesn't set the SameSite attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off.
  3. If the user is visiting a malicious site with a very outdated browser.

Remediations

It is preferred to update to SvelteKit 1.15.2. It is also recommended to explicitly set SameSite to a value other than None on authentication cookies especially if the upgrade cannot be done in a timely manner.

CVE-2024-53262

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

CVE-2024-53261

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.8.3

Compare Source

Patch Changes

  • fix: ensure error messages are escaped (#​13050)

  • fix: escape values included in dev 404 page (#​13039)

v2.8.2

Compare Source

Patch Changes

  • fix: prevent duplicate fetch request when using Request with load function's fetch (#​13023)

  • fix: do not override default cookie decoder to allow users to override the cookie library version (#​13037)

v2.8.1

Compare Source

Patch Changes

  • fix: only add nonce to script-src-elem, style-src-attr and style-src-elem CSP directives when unsafe-inline is not present (#​11613)

  • fix: support HTTP/2 in dev and production. Revert the changes from #​12907 to downgrade HTTP/2 to TLS as now being unnecessary (#​12989)

v2.8.0

Compare Source

Minor Changes
  • feat: add helper to identify ActionFailure objects (#​12878)

v2.7.7

Compare Source

Patch Changes

v2.7.6

Compare Source

Patch Changes
  • fix: update broken links in JSDoc (#​12960)

v2.7.5

Compare Source

Patch Changes

  • fix: warn on invalid cookie name characters (#​12806)

  • fix: when using @vitejs/plugin-basic-ssl, set a no-op proxy config to downgrade from HTTP/2 to TLS since undici does not yet enable HTTP/2 by default (#​12907)

v2.7.4

Compare Source

Patch Changes

  • fix: ensure element is focused after subsequent clicks of the same hash link (#​12866)

  • fix: avoid preload if event default was prevented for touchstart and mousedown events (#​12887)

  • fix: avoid reloading behaviour for hash links with data-sveltekit-reload if the hash is on the same page (#​12866)

v2.7.3

Compare Source

Patch Changes

  • fix: include importer in illegal import error message (#​12820)

  • fix: don't try reading assets directly that aren't present (#​12876)

  • fix: decode non-latin characters when previewing prerendered pages (#​12874)

  • fix: better error message when a Result is returned from a form action (#​12829)

  • docs: update URLs for new svelte.dev site (#​12857)

v2.7.2

Compare Source

Patch Changes
  • fix: use absolute links in JSDoc comments (#​12718)

v2.7.1

Compare Source

Patch Changes

  • chore: upgrade to sirv 3.0 (#​12796)

  • fix: warn when form action responses are lost because SSR is off (#​12063)

v2.7.0

Compare Source

Minor Changes
  • feat: update service worker when new version is detected (#​12448)
Patch Changes

  • fix: correctly handle relative paths when fetching assets on the server (#​12113)

  • fix: decode non ASCII anchor hashes when scrolling into view (#​12699)

  • fix: page response missing CSP and Link headers when return promise in load (#​12418)

v2.6.4

Compare Source

Patch Changes

  • fix: only preload links that have a different URL than the current page (#​12773)

  • fix: revert change to replace version in generateBundle (#​12779)

  • fix: catch stack trace fixing errors thrown in web containers (#​12775)

  • fix: use absolute links in JSDoc comments (#​12772)

v2.6.3

Compare Source

Patch Changes

  • fix: ensure a changing version doesn't affect the hashes for chunks without any actual code changes (#​12700)

  • fix: prevent crash when logging URL search params in a server load function (#​12763)

  • chore: revert update dependency cookie to ^0.7.0 (#​12767)

v2.6.2

Compare Source

Patch Changes
  • chore(deps): update dependency cookie to ^0.7.0 (#​12746)

v2.6.1

Compare Source

Patch Changes
  • fix: better error message when calling push/replaceState before router is initialized (#​11968)

v2.6.0

Compare Source

Minor Changes
  • feat: support typed arrays in load functions (#​12716)
Patch Changes
  • fix: open a new tab for <form target="_blank"> and ` submissions (#​11936)

v2.5.28

Compare Source

Patch Changes
  • fix: import node:process instead of using globals (#​12641)

v2.5.27

Compare Source

Patch Changes

  • fix: asynchronously instantiate components when using Svelte 5 (#​12613)

  • fix: use {@&#8203;render ...} tag when generating default fallback page for svelte 5 apps (#​12653)

  • fix: emulate event.platform even when the route does not exist (#​12513)

v2.5.26

Compare Source

Patch Changes
  • fix: exclude service worker directory from tsconfig (#​12196)

v2.5.25

Compare Source

Patch Changes

v2.5.24

Compare Source

Patch Changes

v2.5.23

Compare Source

Patch Changes
  • fix: use dynamic components in root.svelte instead of svelte:component for svelte 5 (#​12584)

v2.5.22

Compare Source

Patch Changes
  • chore: configure provenance in a simpler manner (#​12570)

v2.5.21

Compare Source

Patch Changes

v2.5.20

Compare Source

Patch Changes
  • fix: set revalidate cache header on 404'd static assets (#​12530)

v2.5.19

Compare Source

Patch Changes
  • fix: Svelte 5 - ignore binding_non_reactive warning in generated root component (you also need to update to [email protected]) (#​12524)

v2.5.18

Compare Source

Patch Changes

  • fix: respect HTML attributes enctype and formenctype for forms with use:enhance (#​12198)

  • fix: prevent client import error when a hooks.server file imports a private environment variable (#​12195)

  • fix: set default Content-Type header to application/x-www-form-urlencoded for POST form submissions with use:enhance to align with native form behaviour (#​12198)

v2.5.17

Compare Source

Patch Changes
  • chore: update package description (#​11846)

v2.5.16

Compare Source

Patch Changes
  • fix: determine local Svelte version more reliably (#​12350)

v2.5.15

Compare Source

Patch Changes

v2.5.14

Compare Source

Patch Changes
  • fix: read non-encoded data URIs (#​12347)

v2.5.13

Compare Source

Patch Changes
  • fix: decode asset URLs in dev when reading them, but for real this time (#​12344)

v2.5.12

Compare Source

Patch Changes
  • fix: decode asset URLs in dev when reading them (#​12341)

v2.5.11

Compare Source

Patch Changes

  • fix: hrefs that start with config.prerender.origin are now crawled (#​12277)

  • chore: add keywords for discovery in npm search (#​12330)

  • fix: handle whitespace in HTTP Accept header (#​12292)

v2.5.10

Compare Source

Patch Changes

  • fix: exclude server files from optimizeDeps.entries (#​12242)

  • fix: bump import-meta-resolve to remove deprecation warnings (#​12240)

v2.5.9

Compare Source

Patch Changes

  • fix: yield main thread before navigating (#​12225)

  • fix: correctly handle aliases to files in the .svelte-kit directory (#​12220)

v2.5.8

Compare Source

Patch Changes
  • fix: prevent excessive Vite dependency optimizations on navigation (#​12182)

v2.5.7

Compare Source

Patch Changes
  • chore(deps): update devalue to v5 ignore non-enumerable symbols during serialization (#​12141)

v2.5.6

Compare Source

Patch Changes
  • fix: avoid incorrectly un- and re-escaping cookies collected during a server-side fetch (#​11904)

v2.5.5

Compare Source

Patch Changes
  • fix: only hydrate when page is server-rendered (#​12050)

v2.5.4

Compare Source

Patch Changes
  • fix: prevent navigation when data-sveltekit-preload-data fails to fetch due to network error (#​11944)

v2.5.3

Compare Source

Patch Changes

  • fix: revert tsconfig change that includes svelte.config.js (#​11908)

  • fix: exclude server worker from tsconfig again (#​11727)

v2.5.2

Compare Source

Patch Changes
  • fix: tsconfig includes should cover svelte.config.js (#​11886)

v2.5.1

Compare Source

Patch Changes

  • fix: prevent stale values after invalidation (#​11870)

  • fix: prevent false positive history.pushState and history.replaceState warnings (#​11858)

  • fix: relax status code types (#​11781)

  • fix: popstate navigations take pushState navigations into account (#​11765)

v2.5.0

Compare Source

Minor Changes
  • feat: dev/preview/prerender platform emulation (#​11730)
Patch Changes
  • fix: strip /@&#8203;fs prefix correctly on Windows when invoking read() in dev mode (#​11728)

v2.4.3

Compare Source

Patch Changes
  • fix: only disallow body with GET/HEAD (#​11710)

v2.4.2

Compare Source

Patch Changes
  • fix: ignore bodies sent with non-PUT/PATCH/POST requests (#​11708)

v2.4.1

Compare Source

Patch Changes

  • fix: use Vite's default value for build.target and respect override supplied by user (#​11688)

  • fix: properly decode base64 strings inside read (#​11682)

  • fix: default route config to {} for feature checking (#​11685)

  • fix: handle onNavigate callbacks correctly (#​11678)

v2.4.0

Compare Source

Minor Changes
  • feat: add $app/server module with read function for reading assets from filesystem (#​11649)

v2.3.5

Compare Source

Patch Changes
  • fix: log a warning if fallback page overwrites prerendered page (#​11661)

v2.3.4

Compare Source

Patch Changes
  • fix: don't stash away original history methods so other libs can monkeypatch it (#​11657)

v2.3.3

Compare Source

Patch Changes
  • fix: remove internal __sveltekit/ module declarations from types (#​11620)

v2.3.2

Compare Source

Patch Changes

  • fix: return plaintext 404 for anything under appDir (#​11597)

  • fix: populate dynamic public env without using top-level await, which fails in Safari (#​11601)

v2.3.1

Compare Source

Patch Changes

  • fix: amend onNavigate type (#​11599)

  • fix: better error message when peer dependency cannot be found (#​11598)

v2.3.0

Compare Source

Minor Changes

v2.2.2

Compare Source

Patch Changes
  • fix: only add nonce to style-src CSP directive when unsafe-inline is not present (#​11575)

v2.2.1

Compare Source

Patch Changes

  • feat: add CSP support for style-src-elem (#​11562)

  • fix: address CSP conflicts with sha/nonce during dev (#​11562)

v2.2.0

Compare Source

Minor Changes
  • feat: expose $env/static/public in service workers (#​10994)
Patch Changes
  • fix: reload page on startup if document.URL contains credentials (#​11179)

v2.1.2

Compare Source

Patch Changes
  • fix: restore invalid route error message during build process (#​11559)

v2.1.1

Compare Source

Patch Changes

  • fix: respect the trailing slash option when navigating from the basepath root page (#​11388)

  • chore: shrink error messages shipped to client (#​11551)

v2.1.0

Compare Source

Minor Changes
  • feat: make client router treeshakeable (#​11340)
Patch Changes
  • chore: reduce client bundle size (#​11547)

v2.0.8

Compare Source

Patch Changes

  • fix: always scroll to top when clicking a # or #top link (099608c428a49504785eab3afe3b2e76a9317bdf)

  • fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config (#​11485)

  • fix: decode server data with stream: true during client-side navigation (#​11409)

  • fix: capture scroll position when using pushState (#​11540)

  • chore: use peer dependencies when linked (#​11433)

v2.0.7

Compare Source

Patch Changes
  • chore: removed deprecated config.package type (#​11462)

v2.0.6

Compare Source

Patch Changes
  • fix: allow dynamic env access when building but not prerendering (#​11436)

v2.0.5

Compare Source

Patch Changes

  • fix: render SPA shell when SSR is turned off and there is no server data (#​11405)

  • fix: upgrade sirv and mrmime to modernize javascript mime type (#​11419)

v2.0.4

Compare Source

Patch Changes

v2.0.3

Compare Source

Patch Changes
  • fix: reinstantiate state parameter for goto (#​11342)

v2.0.2

Compare Source

Patch Changes
  • fix: prevent endless SPA 404 loop (#​11354)

v2.0.1

Compare Source

Patch Changes
  • fix: correctly handle trailing slash redirect when navigating from the root page (#​11357)

v2.0.0

Compare Source

Major Changes

  • breaking: remove top-level promise awaiting (#​11176)

  • breaking: prevent use of dynamic env vars during prerendering, serve env vars dynamically (#​11277)

  • breaking: remove deprecated use:enhance callback values (#​11282)

  • breaking: turn error and redirect into commands (#​11165)

  • breaking: the type for depends now requires a : as part of the string (#​11201)

  • breaking: remove baseUrl fallback from generated tsconfig (#​11294)

  • breaking: fail if route with +page and +server is marked prerenderable (#​11256)

  • breaking: remove resolvePath in favour of resolveRoute from $app/paths (#​11265)

  • breaking: drop support for Svelte 3 (#​11168)

  • breaking: require Vite 5.0.3+ (#​11122)

  • breaking: generate __data.json files as sibling to .html files (#​11269)

  • breaking: fail if +page and +server have mismatched config (#​11256)

  • breaking: error if form without multipart/form-data enctype contains a file input (#​11282)

  • breaking: require paths pass to preloadCode to be prefixed with basepath (#​11259)

  • breaking: @sveltejs/vite-plugin-svelte is now a peer dependency and will need to be installed in each project using SvelteKit (#​11184)

  • breaking: stop re-exporting vitePreprocess (#​11297)

  • breaking: require path option when setting/deleting/serializing cookies (#​11240)

  • breaking: tighten up error handling (#​11289)

  • breaking: remove state option from goto in favor of shallow routing (#​11307)

  • breaking: disallow external navigation with goto (#​11207)

  • breaking: upgrade to TypeScript 5. Default moduleResolution to bundler in user projects to be permissive in consuming and NodeNext when running package to be strict in distributing (#​11160)

  • breaking: undefined is no longer a valid value for paths.relative (#​11185)

  • breaking: require Node 18.13 or newer (#​11172)

  • breaking: fix path resolution (#​11276)

  • breaking: remove dangerZone.trackServerFetches (#​11235)

Minor Changes

  • feat: add untrack to load (#​11311)

  • feat: implement shallow routing (#​11307)

  • feat: provide SvelteKit html typings (#​11222)

  • feat: redact internal stack trace when reporting config errors (#​11292)

  • feat: allow for fine grained invalidation of search params (#​11258)

Patch Changes

  • fix: prerender optional parameters as empty when entries contains '*' (#​11178)

  • fix: resolve route config correctly (#​11256)

  • fix: import Svelte types from svelte/compiler (#​11188)

  • fix: reset invalid resources after a successful invalidation (#​11268)

  • fix: Adjust fail method and ActionFailure type (#​11260)

  • chore(deps): upgrade cookies dependency (#​11189)

v1.30.4

Compare Source

Patch Changes
  • chore(deps): upgrade and unpin undici (#​11860)

v1.30.3

Compare Source

Patch Changes
  • fix: correct documentation for beforeNavigate (#​11300)

v1.30.2

Compare Source

Patch Changes
  • fix: revert recent 'correctly return 415' and 'correctly return 404' changes (#​11295)

v1.30.1

Compare Source

Patch Changes

  • fix: prerendered root page with paths.base config uses correct trailing slash option (#​10763)

  • fix: correctly return 404 when a form action is not found (#​11278)

v1.30.0

Compare Source

Minor Changes
  • feat: inline response.arrayBuffer() during ssr (#​10535)
Patch Changes

  • fix: allow "false" value for preload link options (#​10555)

  • fix: call worker unref instead of terminate (#​10120)

  • fix: correctly analyse exported server API methods during build (#​11019)

  • fix: avoid error when back navigating before page is initialized (#​10636)

  • fix: allow service-worker.js to import assets (#​9285)

  • fix: distinguish better between not-found and internal-error (#​11131)

v1.29.1

Compare Source

Patch Changes

  • fix: correctly return 415 when unexpected content types are submitted to actions (#​11255)

  • chore: deprecate preloadCode calls with multiple arguments (#​11266)

v1.29.0

Compare Source

Minor Changes
  • feat: add resolveRoute to $app/paths, deprecate resolvePath (#​11261)

v1.28.0

Compare Source

Minor Changes
  • chore: deprecate top level promise await behaviour (#​11175)
Patch Changes

  • fix: resolve relative cookie paths before storing (#​11253)

  • chore: deprecate cookies.set/delete without path option (#​11237)

  • fix: make sure promises from fetch handle errors (#​11228)

v1.27.7

Compare Source

Patch Changes

  • fix: set runes option in generated root (#​11111)

  • fix: retain URL query string for trailing slash redirects to prerendered pages (#​11142)

v1.27.6

Compare Source

Patch Changes

  • fix: use runes in generated root when detecting Svelte 5 (#​11028)

  • fix: correctly prerender pages that use browser globals and have SSR turned off (#​11032)

  • fix: correctly show 404 for prerendered dynamic routes when navigating client-side without a root layout server load (#​11025)

v1.27.5

Compare Source

Patch Changes

  • fix: add vite.config.js to included files in generated tsconfig (#​10788)

  • fix: cache location.origin on startup (#​11004)

v1.27.4

Compare Source

Patch Changes

  • fix: generate __data.json for prerendered pages when SSR is turned off (#​10988)

  • chore: add experimental compatibility for Svelte 5 (#​11002)

v1.27.3

Compare Source

Patch Changes
  • fix: use correct environment file for rendering spa fallback page (#​10963)

v1.27.2

Compare Source

Patch Changes
  • fix: missing File Node polyfill for Node version 18.11.0+ (#​10948)

v1.27.1

Compare Source

Patch Changes
  • fix: only apply some polyfills below node 18.11 (#​10920)

v1.27.0

Compare Source

Minor Changes
  • feat: add `in

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (rebase) August 6, 2024 06:45
@vercel Vercel
Copy link

vercel bot commented Aug 6, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
graphql-ez ❌ Failed (Inspect) Dec 9, 2024 0:03am

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 6, 2024
edited
Loading

⚠️ No Changeset found

Latest commit: 0a425a4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 267eaf2 to 58314fb Compare October 9, 2024 09:33
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v1.15.2 [security] chore(deps): update dependency @sveltejs/kit [security] Oct 9, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 58314fb to 3f22898 Compare October 9, 2024 14:21
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit [security] chore(deps): update dependency @sveltejs/kit to v1.15.2 [security] Oct 9, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 3f22898 to d6fb4a4 Compare October 28, 2024 16:44
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v1.15.2 [security] chore(deps): update dependency @sveltejs/kit [security] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from d6fb4a4 to f37f3c2 Compare October 28, 2024 20:23
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit [security] chore(deps): update dependency @sveltejs/kit to v1.15.2 [security] Oct 28, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from f37f3c2 to b240513 Compare November 25, 2024 17:55
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v1.15.2 [security] chore(deps): update dependency @sveltejs/kit to v2 [security] Nov 25, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from b240513 to 2d52dce Compare December 2, 2024 11:23
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v2 [security] chore(deps): update dependency @sveltejs/kit [security] Dec 2, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 2d52dce to 0a425a4 Compare December 2, 2024 13:32
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit [security] chore(deps): update dependency @sveltejs/kit to v2 [security] Dec 2, 2024
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v2 [security] chore(deps): update dependency @sveltejs/kit to v2 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
auto-merge was automatically disabled December 8, 2024 18:39

Pull request was closed

@renovate renovate bot deleted the renovate/npm-sveltejs-kit-vulnerability branch December 8, 2024 18:39
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v2 [security] - autoclosed chore(deps): update dependency @sveltejs/kit to v2 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 07da92e to 0a425a4 Compare December 8, 2024 23:54
@renovate renovate bot enabled auto-merge (squash) December 9, 2024 00:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants