chore(deps): update dependency @sveltejs/kit to v2.57.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.53.4 → 2.57.1

---

@​sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

CVE-2026-40074 / GHSA-3f6h-2hrp-w5wx

More information

Details

redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

• https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx
• https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
• https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-40074
• https://github.com/sveltejs/kit/releases/tag/@​sveltejs/kit@2.57.1
• https://github.com/advisories/GHSA-3f6h-2hrp-w5wx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

@​sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass

CVE-2026-40073 / GHSA-2crg-3p73-43xp

More information

Details

Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp
• https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
• https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-40073
• https://github.com/sveltejs/kit/releases/tag/@​sveltejs/kit@2.57.1
• https://github.com/advisories/GHSA-2crg-3p73-43xp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.57.1

Compare Source

Patch Changes

• fix: better validation for redirect inputs (10d7b44)

• fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

• fix: use default values as fallbacks (#​15680)

• fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes

• feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)

Patch Changes

• fix: use array type for select fields that accept multiple values (#​15591)

• fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

• fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

• fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

• fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

• chore: update JSDoc (#​15640)

v2.56.0

Compare Source

Minor Changes

• breaking: rework client-driven refreshes (#​15562)

• breaking: stabilize remote function caching by sorting object keys (#​15570)

• breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

• feat: support TypeScript 6.0 (#​15595)

• breaking: isolate command-triggered query refresh failures per-query (#​15562)

• feat: use hydratable for remote function transport (#​15533)

• feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes

• fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

• fix: allow using multiple remote functions within one async derived (#​15561)

• fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

• fix: manage queries in their own $effect.root (#​15533)

• fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

• fix: correctly escape backticks when precomputing CSS (#​15593)

• fix: discard obsolete forks before finishing navigation (#​15634)

• chore: tighten up override implementation (#​15562)

• fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

• fix: deduplicate same-cache-key batch calls during SSR (#​15533)

• fix: decrement pending_count when form callback doesn't call submit() (#​15520)

v2.55.0

Compare Source

Minor Changes

• feat: page and layout params with matchers are now type narrowed in $app/types, leading to better type safety when working with params in $app/types, $app/state, and hooks. (#​15502)

v2.54.0

Compare Source

Minor Changes

• feat: allow error boundaries to catch errors on the server (#​15308)

Patch Changes

• chore: upgrade devalue (#​15535)

• fix: don't wait for remote functions that are not awaited in the template (#​15280)

• feat: allow resolve() to accept pathnames with a search string and/or hash (#​15458)

• chore: remove deprecation warnings for config.kit.files.* options when validating the Svelte config file (#​15482)

• fix: handles form target attribute in remote form redirects (#​15457)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.