chore(deps): update dependency @sveltejs/kit to v2.53.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.50.2 → 2.53.3

GitHub Vulnerability Alerts

GHSA-vrhm-gvg7-fpcf

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

GHSA-88qp-p4qg-rqm6

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

GHSA-fpg4-jhqr-589c

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service.

Only users with experimental.remoteFunctions: true who are using the form function and are processing the files array without validation are vulnerable.

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.53.3

Compare Source

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

v2.53.2

Compare Source

Patch Changes

• fix: server-render nested form value sets (#​15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#​14837)

• fix: provide correct url info to remote functions (#​15418)

• fix: allow optional types for remote query/command/prerender functions (#​15293)

• fix: allow commands in more places (#​15288)

v2.53.1

Compare Source

Patch Changes

• fix: address warning about inlineDynamicImports when using Vite 8 (#​15403)

v2.53.0

Compare Source

Minor Changes

• feat: support Vite 8 (#​15024)

Patch Changes

• fix: remove event listeners on form attachment cleanup (#​15286)

• fix: apply queries refreshed in a form remote function when a redirect is thrown (#​15362)

v2.52.2

Compare Source

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#​15339)

• fix: parse file offset table more strictly (f47c01b)

v2.52.0

Compare Source

Minor Changes

• feat: match function to map a path back to a route id and params (#​14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#​15246)

• fix: resolve will narrow types to follow trailing slash page settings (#​15027)

v2.51.0

Compare Source

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#​15248)

  Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

  • from.scroll: The scroll position at the moment navigation was triggered
  • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

  This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

• feat: hydratable's injected script now works with CSP (#​15048)

Patch Changes

• fix: put preloads before styles (#​15232)

• fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#​15269)

• fix: fetch not working when URL is same host but different than paths.base (#​15291)

• fix: navigate to hash link when base element is present (#​15236)

• fix: avoid triggering handleError when redirecting in a remote function (#​15222)

• fix: include test directory in generated tsconfig.json alongside existing tests entry (#​15254)

• fix: generate tsconfig.json using the value of kit.files.src (#​15253)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
lcapi-examples-api	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-astro	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-next-14	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-next-15	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-next-16	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-next-enterprise	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-nuxt	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-studio	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-sveltekit	Ready	Preview, Comment	Mar 15, 2026 2:58am
lcapi-examples-tanstack-start	Ready	Preview, Comment	Mar 15, 2026 2:58am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​groq@​5.13.0 ⏵ 5.16.0
	npm/​@​sanity/​client@​7.16.0 ⏵ 7.17.0	+1			+2
	npm/​postcss@​8.5.6 ⏵ 8.5.8
	npm/​vue@​3.5.29 ⏵ 3.5.30	+1		+1
	npm/​sanity@​5.14.0-next.24 ⏵ 5.16.0-next.28	+1
	npm/​@​vitejs/​plugin-react@​5.1.3 ⏵ 5.2.0

View full report