Closed renovate[bot] closed 2 weeks ago
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below:
```
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @poppanator/sveltekit-svg@3.0.1
npm error Found: svelte@4.2.19
npm error node_modules/svelte
npm error dev svelte@"4.2.19" from the root project
npm error peer svelte@"^3.54.0 || ^4.0.0-next.0" from @sveltejs/kit@1.27.2
npm error node_modules/@sveltejs/kit
npm error dev @sveltejs/kit@"1.27.2" from the root project
npm error peer @sveltejs/kit@"^1.5.0" from @sveltejs/adapter-vercel@3.0.3
npm error node_modules/@sveltejs/adapter-vercel
npm error dev @sveltejs/adapter-vercel@"3.0.3" from the root project
npm error 7 more (@sveltejs/vite-plugin-svelte, ...)
npm error
npm error Could not resolve dependency:
npm error peer svelte@"3.x" from @poppanator/sveltekit-svg@3.0.1
npm error node_modules/@poppanator/sveltekit-svg
npm error dev @poppanator/sveltekit-svg@"3.0.1" from the root project
npm error
npm error Conflicting peer dependency: svelte@3.59.2
npm error node_modules/svelte
npm error peer svelte@"3.x" from @poppanator/sveltekit-svg@3.0.1
npm error node_modules/@poppanator/sveltekit-svg
npm error dev @poppanator/sveltekit-svg@"3.0.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-08-30T17_21_57_736Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-08-30T17_21_57_736Z-debug-0.log
```
The latest updates on your projects. Learn more about Vercel for Git.

Name | Status | Preview | Comments | Updated (UTC)
---|---|---|---|---
privacy-protect-68pv | ✅ Ready | Visit Preview | Add feedback | Aug 30, 2024 5:22pm
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x, then Renovate will re-enable minor and patch updates automatically.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:

Package | Change
---|---
svelte | `3.59.2` -> `4.2.19`
GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

- In attribute values: `"` -> `&quot;`, `&` -> `&amp;`
- In text content: `<` -> `&lt;`, `&` -> `&amp;`
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.

PoC
A vulnerable page (`+page.svelte`):

If a user accesses the following URL, then `alert(123)` will be executed.

Impact
XSS, when using an attribute within a noscript tag
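The escaping rules and the `<noscript>` failure mode described above, as an added example that is not Svelte's own code: the pre-fix attribute rules leave `<` untouched, so a value carrying a closing tag survives into the rendered `<noscript>` block, while a hardened variant that additionally escapes `<` in attribute values (the approach the patched release takes) keeps the block intact. The `renderNoscript` template, the rule tables and the sample value are constructed for illustration.

```javascript
// Added example, not Svelte's own code: the escaping rules the advisory lists,
// beside a hardened attribute escaper, applied to an attribute inside <noscript>.
const ATTR_RULES = { '"': '&quot;', '&': '&amp;' };      // attribute values (pre-fix)
const CONTENT_RULES = { '<': '&lt;', '&': '&amp;' };     // text content
const ATTR_RULES_FIXED = { ...ATTR_RULES, '<': '&lt;' }; // attribute values, hardened

function applyRules(value, rules) {
  // Only the characters a rule set names are rewritten; everything else passes through.
  return String(value).replace(/["&<]/g, (ch) => rules[ch] ?? ch);
}

function escapeAttrVulnerable(value) { return applyRules(value, ATTR_RULES); }
function escapeContent(value) { return applyRules(value, CONTENT_RULES); }
function escapeAttrFixed(value) { return applyRules(value, ATTR_RULES_FIXED); }

// Constructed stand-in for the SSR output of a page that puts user input into an
// attribute inside <noscript>. With scripting enabled the browser parses the
// block's content as raw text, so the first "</noscript>" it meets ends the block.
function renderNoscript(value, escapeAttr) {
  return `<noscript><img alt="${escapeAttr(value)}"></noscript>`;
}

// Check to run over SSR output: a "</noscript>" other than the template's own
// closing tag means the attribute value changed the document structure.
function noscriptTerminatedEarly(html) {
  return html.indexOf('</noscript>') !== html.lastIndexOf('</noscript>');
}

// Constructed sample value: a string carrying a closing tag.
const SAMPLE = 'a</noscript>b';

function compare(value = SAMPLE) {
  const before = renderNoscript(value, escapeAttrVulnerable);
  const after = renderNoscript(value, escapeAttrFixed);
  return {
    vulnerable: noscriptTerminatedEarly(before), // true: "<" survived escaping
    hardened: noscriptTerminatedEarly(after),    // false: "<" became "&lt;"
  };
}

console.log(compare());
```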
Release Notes
sveltejs/svelte (svelte)
### [`v4.2.19`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.19)

[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19)

##### Patch Changes

- fix: ensure typings for `Configuration
📅 Schedule: Branch creation - "" in timezone America/Denver, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.