Bump @sveltejs/kit from 2.49.5 to 2.53.3

[dependabot]

Bumps @sveltejs/kit from 2.49.5 to 2.53.3.

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

@​sveltejs/kit@​2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

• fix: allow commands in more places (#15288)

@​sveltejs/kit@​2.53.1

Patch Changes

• fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

@​sveltejs/kit@​2.53.0

Minor Changes

• feat: support Vite 8 (#15024)

Patch Changes

• fix: remove event listeners on form attachment cleanup (#15286)

• fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

@​sveltejs/kit@​2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

• fix: allow commands in more places (#15288)

2.53.1

Patch Changes

• fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

2.53.0

Minor Changes

• feat: support Vite 8 (#15024)

Patch Changes

• fix: remove event listeners on form attachment cleanup (#15286)

• fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

... (truncated)

Commits

• 66d88c9 Version Packages (#15440)
• faba869 Merge commit from fork
• 708fc4b chore(deps): bump rollup to 4.59.0 (#15433)
• 98496fa Version Packages (#15416)
• 8c5048b fix: provide correct url info to remote functions (#15418)
• ce4b57c fix: allow commands in more places (#15288)
• 7277edb chore: fix CI lint (#15417)
• 64f484f fix: deep partial .value() and .set(...) types for forms (#14837)
• d28d372 fix: allow optional types for remote query/command/prerender functions (#15293)
• 244838c fix: server-render nested form value sets (#15378)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

Automated dependency update bumping @sveltejs/kit from 2.49.5 to 2.53.3, bringing important security fixes and bug improvements.

• Security: Includes critical fix to validate form file information and prevent amplification attacks (v2.52.2)
• Bug Fixes: Multiple form-related fixes including nested form value sets, remote function URL handling, and optional types support
• Compatibility: Adds support for Vite 8 and fixes related warnings
• Transitive Updates: Updates related dependencies (acorn, devalue, semver, isexe, set-cookie-parser)

This is a minor version update with backwards-compatible changes focusing on security and stability improvements.

Confidence Score: 5/5

• Safe to merge - standard dependency update with security fixes and no breaking changes
• This is an automated Dependabot PR with a minor version bump that includes important security patches and bug fixes. The changes are limited to package manifests with no application code modifications. SvelteKit follows semantic versioning, making this backwards-compatible update safe.
• No files require special attention

Important Files Changed

Filename	Overview
package.json	Bumped @sveltejs/kit from 2.49.5 to 2.53.3 in devDependencies
pnpm-lock.yaml	Updated lockfile with new @sveltejs/kit version and transitive dependencies (acorn, devalue, semver, isexe, set-cookie-parser)

_{Last reviewed commit: 630c86e}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
zenith	Error		Mar 2, 2026 0:24am

[greptile-apps]

_{2 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}