
deps(deps): update dependency svelte to v3.49.0 [security] #77

Merged
merged 2 commits into from
Dec 1, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 24, 2023


This PR contains the following updates:

Package Change Age Adoption Passing Confidence
svelte (source) 3.38.0 -> 3.49.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-25875

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.


Release Notes

sveltejs/svelte (svelte)

v3.49.0

Compare Source

  • Improve performance of string escaping during SSR (#​5701)
  • Add ComponentType and ComponentProps convenience types (#​6770)
  • Add support for CSS @layer (#​7504)
  • Export CompileOptions from svelte/compiler (#​7658)
  • Fix DOM-less components not being properly destroyed (#​7488)
  • Fix class: directive updates with <svelte:element> (#​7521, #​7571)
  • Harden attribute escaping during SSR (#​7530)

v3.48.0

Compare Source

  • Allow creating cancelable custom events with createEventDispatcher (#​4623)
  • Support {@const} tag in {#if} blocks #​7241
  • Return the context object in setContext #​7427
  • Allow comments inside {#each} blocks when using animate: (#​3999)
  • Fix |local transitions in {#key} blocks (#​5950)
  • Support svg namespace for {@html} (#​7002, #​7450)
  • Fix {@const} tag not working inside a component when there's no let: #​7189
  • Remove extraneous leading newline inside <pre> and <textarea> (#​7264)
  • Fix erroneous setting of textContent for <template> elements (#​7297)
  • Fix value of let: bindings not updating in certain cases (#​7440)
  • Fix handling of void tags in <svelte:element> (#​7449)
  • Fix handling of boolean attributes in <svelte:element> (#​7478)
  • Add special style scoping handling of [open] selectors on <dialog> elements (#​7495)

v3.47.0

Compare Source

  • Add support for dynamic elements through <svelte:element> (#​2324)
  • Miscellaneous variable context fixes in {@const} (#​7222)
  • Fix {#key} block not being reactive when the key variable is not otherwise used (#​7408)
  • Add Symbol as a known global (#​7418)

v3.46.6

Compare Source

  • Actually include action TypeScript interface in published package (#​7407)

v3.46.5

Compare Source

  • Add TypeScript interfaces for typing actions (#​6538)
  • Do not generate unused-export-let warning inside <script context="module"> blocks (#​7055)
  • Do not collapse whitespace-only CSS vars (#​7152)
  • Add aria-description to the list of allowed ARIA attributes (#​7301)
  • Fix attribute escaping during SSR (#​7327)
  • Prevent .innerHTML optimization from being used when style: directive is present (#​7386)

v3.46.4

Compare Source

  • Avoid maximum call stack size exceeded errors on large components (#​4694)
  • Preserve leading space with preserveWhitespace: true (#​4731)
  • Preserve leading space in <pre> tags (#​6437)
  • Improve error message when trying to use style: directives on inline components (#​7177)
  • Add FormData as a known global (#​7199)
  • Mark css/instance/module AST properties as optional in types (#​7204)

v3.46.3

Compare Source

  • Ignore whitespace in {#each} blocks when containing elements with animate: (#​5477)
  • Throw compiler error when variable in context="instance" collides with import in context="module" (#​7090)
  • Fix compiler crash when {@const} contains arrow functions (#​7134)

v3.46.2

Compare Source

  • Export FlipParams interface from svelte/animate (#​7103)
  • Fix style: directive reactivity inside {#each} block (#​7136)

v3.46.1

Compare Source

  • Handle style:kebab-case directives (#​7122)
  • Improve AST produced for style: directives (#​7127)

v3.46.0

Compare Source

v3.45.0

Compare Source

  • Fix non-boolean attribute rendering in SSR to render truthy values as-is (#​6121)
  • Fix binding to a member expression also invalidating the member property (#​6921)
  • Fix default values in {#each}/etc. destructurings not being considered references for the purposes of compiler warnings (#​6964)
  • Fix {:else if} value incorrectly being cached (#​7043)
  • Add a11y-no-redundant-roles warning (#​7067)
  • Fix code generation error with arrow functions whose bodies are object destructuring assignments (#​7087)

v3.44.3

Compare Source

  • Fix bind:this binding inside onMount for manually instantiated component (#​6760)
  • Prevent cursor jumps with one-way binding for other type="text"-like <input>s (#​6941)
  • Exclude async loops from loopGuardTimeout (#​6945)

v3.44.2

Compare Source

  • Fix overly restrictive preprocessor types (#​6904)
  • More specific typing for crossfade function - returns a tuple, not an array (#​6926)
  • Add URLSearchParams as a known global (#​6938)
  • Add types field to exports map (#​6939)

v3.44.1

Compare Source

  • Fix code generation when a multi-line return statement contains comments (code-red#36)
  • Fix code generation when for/if/while statements have empty bodies (#​6884)

v3.44.0

Compare Source

  • Add enableSourcemap compiler option (#​6835)

v3.43.2

Compare Source

  • Fix regression where user-specified imports were not rewritten according to the sveltePath option (#​6834)

v3.43.1

Compare Source

  • Prevent a rejecting promise used in {#await} during SSR from appearing as an unhandled rejection (#​6789)

v3.43.0

Compare Source

  • Use export map to expose no-op versions of lifecycle functions for SSR (#​6743)
  • Prefer context passed to component constructor, even when running synchronously in another component (#​6753)
  • Handle preprocessors that return empty sourcemaps (#​6757)

v3.42.6

Compare Source

  • Hide private preprocess typings (#​6622)
  • Fix reactive function in {:else if} expression not being properly re-run (#​6727)

v3.42.5

Compare Source

  • In draw transition, account for stroke-linecap in determining length (#​4540)
  • Fix regression with destructuring assignments with default values (#​6699)

v3.42.4

Compare Source

  • Only apply optimized src attribute handling when in an html namespace (#​6575)
  • Fix styles for transitions and animations being attached to the wrong document in <iframe>s (#​6637)
  • Fix <select> with a {...spread} attribute that didn't provide a value key getting its value improperly unset (#​6675)

v3.42.3

Compare Source

  • Add BigInt as a known global (#​6671)
  • Fix regression where onDestroy in svelte/ssr was improperly a no-op (#​6676)

v3.42.2

Compare Source

  • Collapse whitespace in class and style attributes (#​6004)
  • Deselect all <option>s in a <select> where the bound value doesn't match any of them (#​6126)
  • In hydrated components, only rely on helpers for creating the types of elements present in the component (#​6555)
  • Add HTMLElement and SVGElement as known globals (#​6643)
  • Account for scaling in flip animations (#​6657)

v3.42.1

Compare Source

  • Fix regression with reordering keyed {#each} blocks when compiling with hydration enabled (#​6561)

v3.42.0

Compare Source

  • Allow use:actions to be used on <svelte:body> (#​3163)
  • Improve parser errors for certain invalid components (#​6259, #​6288)
  • Fix paths in generator JS sourcemaps to be relative (#​6598)
  • Fix overzealous warnings about context="module" variables not being reactive (#​6606)

v3.41.0

Compare Source

  • Support export { ... } from syntax in components (#​2214)
  • Support export let { ... } = syntax in components (#​5612)
  • Support {#await ... then/catch} without a variable for the resolved/rejected value (#​6270)

v3.40.3

Compare Source

  • Fix <slot> data when a transition is cancelled before completing (#​5394)
  • Fix destructuring into variables beginning with $ so that they result in store updates (#​5653)
  • Fix in: transition configuration not properly updating when it's changed after its initial creation (#​6505)
  • Fix applying :global() for > selector combinator (#​6550)
  • Fix mounting component at detached DOM node (#​6567)

v3.40.2

Compare Source

  • Fix dynamic autofocus={...} attribute handling (#​4995)
  • Add filename to combined source map if needed (#​6089)
  • In AST, parse empty attribute values as an empty string (#​6286)
  • Fix tracking whether transition has started (#​6399)
  • Fix incorrect scoping of :global() selectors (#​6550)

v3.40.1

Compare Source

  • Fix store reactivity regression when using reactive statements (#​6557)

v3.40.0

Compare Source

  • Support rendering a component in a shadow DOM (#​5869)
  • Fix :root selector being erroneously scoped to component (#​4767)
  • Fix .end in AST for expressions inside attributes (#​6258)
  • Fix one-way <select> binding when it has a spread attribute (#​6433)
  • Various hydration improvements and fixes (#​6449)
  • Use smaller versions of internal helpers when compiling without hydration support (#​6462)
  • Fix two-way binding of values when updating through synchronous component accessors (#​6502)

v3.39.0

Compare Source

  • Support bind:group in SSR (#​4621)
  • Add a11y warning a11y-mouse-events-have-key-events which checks that mouseover/mouseout are accompanied by focus/blur event handlers (#​5938)
  • Make it possible to silence more warnings (#​5954)
  • Add |trusted event modifier (#​6137)
  • Add varsReport compiler option to include all variables reference in the component in the variables report (#​6192)
  • Add errorMode compiler option to try to continue compiling when an error is detected (#​6194)
  • Expose svelte/ssr which exports lifecycle methods as no-ops (#​6416)
  • Add getAllContexts (#​6447)
  • Throw proper error for export default function() {} and export default class {} rather than crashing the compiler (#​3275)
  • Fix SSR rendering of falsy input values (#​4551)
  • Fix preserveComments in SSR mode (#​4730)
  • Do not warn if context="module" variables are not the only dependencies in reactive statements (#​5954)
  • Stop checking a11y-media-has-caption a11y warning on <audio> elements (#​6054)
  • Fix erroneous "unknown prop" warning when using slot on a component (#​6065)
  • Add sourcemaps to all HTML elements (#​6092)
  • Relax derived function signature (#​6178)
  • Throw compiler error when passing empty directive names (#​6299)
  • Fix compiler error when using :where() inside :global() (#​6434)
  • Fix ordering of elements in keyed {#each} (#​6444)
  • Remove deprecated a11y warning a11y-no-onchange warning (#​6457)
  • Fix :global() with pseudo element not being seen as global (#​6468)
  • Allow :global() to contain multiple selectors when it is not part of a larger selector (#​6477)
  • Make <script> and <style> end tag parsing more robust (#​6511)

v3.38.3

Compare Source

  • Speed up hydration by reducing amount of element reorderings (#​4308)
  • Fix escaping attribute values when using a spread in SSR (#​5756)
  • Throw compiler error when :global() contains multiple selectors (#​5907)
  • Give explicit error rather than crashing when an attribute shorthand {} is empty (#​6086)
  • Make <textarea> end tag parsing more robust (#​6276)
  • Fix :global(...):some-pseudoclass selectors not being seen as global (#​6306)
  • Fix type signatures of writable and readable so it's possible to call them without arguments (#​6291, #​6345)
  • Preserve this in bubbled events (#​6310)
  • Fix slot props not updating when transition is aborted (#​6386)
  • Fix generic props relationship in SvelteComponentTyped (#​6400)

v3.38.2

Compare Source

  • Revert hydration optimisation for the time being (#​6279)

v3.38.1

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
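The advisory above (CVE-2022-25875) describes an attribute-escaping gap during SSR that is reachable through objects with a custom toString(). The following is an added illustration of that bug class, not Svelte's own code: a hypothetical "weak" attribute renderer that only escapes values that are already strings, so an object gets stringified by the template literal after the check, placed beside a hardened variant that coerces every value to a string before escaping. The `untrusted` object is a constructed sample whose toString() returns text containing a quote, which is the kind of input the weak version lets through.

```javascript
// Added example illustrating CVE-2022-25875's bug class (not Svelte's code).
// Both renderers are hypothetical; the hardened one shows the safe ordering:
// coerce to string first, then escape.

const ATTR_ESCAPE = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ATTR_RE = /["&<>]/g;

function escapeAttr(str) {
  return str.replace(ATTR_RE, (c) => ATTR_ESCAPE[c]);
}

// Weak variant: the typeof check runs before stringification, so a non-string
// value reaches the template literal unescaped and its toString() output is
// emitted verbatim into the attribute.
function weakAttr(name, value) {
  if (value == null || value === false) return '';
  const out = typeof value === 'string' ? escapeAttr(value) : value;
  return ` ${name}="${out}"`;
}

// Hardened variant: String() is applied unconditionally, so whatever
// toString() produces is escaped like any other string.
function hardenedAttr(name, value) {
  if (value == null || value === false) return '';
  return ` ${name}="${escapeAttr(String(value))}"`;
}

// Constructed sample: an object whose toString() returns attribute-breaking text.
const untrusted = {
  toString() {
    return '" data-injected="1';
  },
};

// Render the same element with each variant so the difference is visible.
function renderWeak(value = untrusted) {
  return `<input${weakAttr('value', value)}>`;
}

function renderHardened(value = untrusted) {
  return `<input${hardenedAttr('value', value)}>`;
}

// Simple check a test suite can run over rendered output: an attribute value
// that closes its own quote will show up as more than one attribute.
function attributeCount(html) {
  const m = html.match(/\s[a-zA-Z-]+="[^"]*"/g);
  return m ? m.length : 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:     ', renderWeak());      // value="" data-injected="1"
  console.log('hardened: ', renderHardened());  // value="&quot; data-injected=&quot;1"
}
```

The weak renderer emits a second attribute from what should have been a single value; the hardened renderer keeps the entire toString() result inside one escaped attribute. The `attributeCount` helper is the kind of regression assertion worth keeping in an SSR test suite so that any future change to the escaping path is caught.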

@renovate renovate bot requested review from Esshahn and ff6347 as code owners March 24, 2023 15:35
Contributor Author

renovate bot commented Dec 1, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.


Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
svelte 3.38.0...3.49.0 None +0/-0 7.25 MB conduitry

@ff6347 ff6347 merged commit 438dad1 into main Dec 1, 2023
8 checks passed
@ff6347 ff6347 deleted the renovate/npm-svelte-vulnerability branch December 1, 2023 09:39
1 participant