Skip to content

Comments

[SECURITY]: Bump svelte from 5.39.11 to 5.48.0#290

Merged
ascender1729 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/svelte-5.48.0
Feb 3, 2026
Merged

[SECURITY]: Bump svelte from 5.39.11 to 5.48.0#290
ascender1729 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/svelte-5.48.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 23, 2026
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps svelte from 5.39.11 to 5.48.0.

Release notes

Sourced from svelte's releases.

svelte@5.48.0

Minor Changes

  • feat: export parseCss from svelte/compiler (#17496)

Patch Changes

  • fix: handle non-string values in svelte:element this attribute (#17499)

  • fix: faster deduplication of dependencies (#17503)

svelte@5.47.1

Patch Changes

  • fix: trigger selectedcontent reactivity (#17486)

svelte@5.47.0

Minor Changes

  • feat: customizable <select> elements (#17429)

Patch Changes

  • fix: mark subtree of svelte boundary as dynamic (#17468)

  • fix: don't reset static elements with debug/snippets (#17477)

svelte@5.46.4

Patch Changes

svelte@5.46.3

Patch Changes

  • fix: reconnect clean deriveds when they are read in a reactive context (#17362)

svelte@5.46.1

Patch Changes

  • fix: type currentTarget in on function (#17370)

  • fix: skip static optimisation for stateless deriveds after await (#17389)

  • fix: prevent infinite loop when HMRing a component with an await (#17380)

svelte@5.46.0

Minor Changes

  • feat: Add csp option to render(...), and emit hashes when using hydratable (#17338)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.48.0

Minor Changes

  • feat: export parseCss from svelte/compiler (#17496)

Patch Changes

  • fix: handle non-string values in svelte:element this attribute (#17499)

  • fix: faster deduplication of dependencies (#17503)

5.47.1

Patch Changes

  • fix: trigger selectedcontent reactivity (#17486)

5.47.0

Minor Changes

  • feat: customizable <select> elements (#17429)

Patch Changes

  • fix: mark subtree of svelte boundary as dynamic (#17468)

  • fix: don't reset static elements with debug/snippets (#17477)

5.46.4

Patch Changes

5.46.3

Patch Changes

  • fix: reconnect clean deriveds when they are read in a reactive context (#17362)

  • fix: don't transform references of function declarations in legacy mode (#17431)

  • fix: notify deriveds of changes to sources inside forks (#17437)

  • fix: always reconnect deriveds in get, when appropriate (#17451)

  • fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added chore Maintenance and housekeeping tasks security Security-related issues and vulnerabilities labels Jan 23, 2026
@dependabot dependabot bot requested a review from ascender1729 as a code owner January 23, 2026 20:57
@dependabot dependabot bot added security Security-related issues and vulnerabilities chore Maintenance and housekeeping tasks labels Jan 23, 2026
@coderabbitai
Copy link

coderabbitai bot commented Jan 23, 2026
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 23, 2026
edited
Loading

Deploying issueflow with  Cloudflare Pages  Cloudflare Pages

Latest commit: a12acd0
Status:⚡️  Build in progress...

View logs

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/svelte-5.48.0 branch from 2485185 to 24b3bae Compare February 3, 2026 12:08
@ascender1729
Copy link
Member

ascender1729 commented Feb 3, 2026

@dependabot rebase

@dependabot
[SECURITY]: Bump svelte from 5.39.11 to 5.48.0
a12acd0 
Bumps [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) from 5.39.11 to 5.48.0.
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.48.0/packages/svelte)

---
updated-dependencies:
- dependency-name: svelte
  dependency-version: 5.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/svelte-5.48.0 branch from 24b3bae to a12acd0 Compare February 3, 2026 14:19
@ascender1729 ascender1729 merged commit 9799a51 into master Feb 3, 2026
7 of 8 checks passed
@ascender1729 ascender1729 deleted the dependabot/npm_and_yarn/svelte-5.48.0 branch February 3, 2026 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ascender1729 ascender1729 Awaiting requested review from ascender1729 ascender1729 is a code owner

Assignees

No one assigned

Labels

chore Maintenance and housekeeping tasks security Security-related issues and vulnerabilities

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ascender1729