You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: propagate async @const blockers through closure references so template expressions like {(() => host)()} correctly wait for the awaited value (#18309)
if these branch preview links are not working, please check the logs for the commit-based preview link. There is a character limit of 28 for the branch subdomain, as well as some other heuristics, described here for the sake of implementation ease in deploy-preview.yml, that algo has been omitted. The URLs are logged in the wrangler output, but it's hard to get outputs from a matrix job. ↩
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/js-yaml@4.2.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm svelte is 91.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/svelte@5.56.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
renovateBot
changed the title
Update dependency svelte to v5.55.9
Update dependency svelte to v5.56.3
Jun 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
force-pushed
the
renovate/svelte-5.x-lockfile
branch
from
This PR contains the following updates:
5.55.4→5.56.3Release Notes
sveltejs/svelte (svelte)
v5.56.3Compare Source
Patch Changes
fix: ignore errors that occur in destroyed effects (#18384)
fix: type BigInts in
$state.snapshot(...)return values (#18388)v5.56.2Compare Source
Patch Changes
fix: properly track effect end node for async sibling component (#18371)
fix: prevent false-positive reactivity loss warning (#18373)
chore: bump esrap dependency (#18372)
fix: ignore declaration tags for animation directive (#18366)
fix: reject pending async deriveds on discard (#18308)
v5.56.1Compare Source
Patch Changes
fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)
fix: parse declaration tag contents more robustly (#18353)
fix: correctly transform references to earlier declarators in a declaration tag (e.g.
{let a = $state(0), b = $derived(a * 2)}) (#18348)fix: avoid spurious
state_referenced_locallywarnings for$deriveddeclarations in declaration tags (#18348)fix: tolerate whitespace before
let/constin declaration tags (#18348)fix: prevent infinite loop when a tag's expression ends with a trailing
/at the end of the input (#18350)fix: more robust parsing of declaration tags with regards to
type(#18330)fix: preserve newlines in spread input values when the
typeattribute is applied aftervalue(#18345)fix: update
SvelteURLSearchParamswhen setting duplicate keys to the same joined value (#18336)fix: check references for blockers on server, too (#18352)
v5.56.0Compare Source
Minor Changes
Patch Changes
perf: use
createElementinstead ofcreateElementNSfor HTML elements (#18262)perf: store
current_sourcesas aSetfor O(1) membership checks (#18278)perf: deduplicate identical hoisted templates within a component (#18320)
perf: hoist
rest_propsexclude list as a module-scopeSet(#18252)v5.55.10Compare Source
Patch Changes
fix: unlink errored and otherwise finished batch (#18264)
perf: walk composedPath() directly in delegated event propagation (#18268)
fix: transfer effects when merging batches (#18254)
fix: allow
$derived(await ...)in disconnected effect roots (#18273)fix: remove temporary raw-text hydration markers (#18269)
fix: propagate async
@constblockers through closure references so template expressions like{(() => host)()}correctly wait for the awaited value (#18309)fix: properly unlink batches (#18298)
fix: settle discarded batch (#18290)
fix: declare
let:directives before{@​const}declarations on slotted elements (#18271)fix: resume outro-ed branches if they were kept around (#18291)
fix: avoid waterfall-warning when async resolves to same value (#18297)
fix: correctly coordinate component-level effects inside async blocks (#18260)
fix: make unnecessary commit work less likely (#18263)
chore: add tag name to
a11y_click_events_have_key_eventswarning (#18272)fix: catch rejected promises while merging/committing (#18266)
v5.55.9Compare Source
Patch Changes
fix: don't unset batch when calling
{#await ...}promise (#18243)fix: promise-ify
{#await await ...}expressions on the server and correctly hydrate them on the client (#18243)fix: deduplicate dependencies that are added outside the init/update cycle (#18243)
fix: avoid false-positive batch invariant error (#18246)
fix: inline primitive constants in attribute values during SSR (#18232)
v5.55.8Compare Source
Patch Changes
fix(print): handle
svelte:bodyand fix keyframe percentage double-printing (#18234)fix: execute uninitialized derived even if it's destroyed (#18228)
fix: use named symbols everywhere (#18238)
fix: don't run teardown effects when deriveds are unfreezed (#18227)
fix: unset context synchronously in
run(#18236)v5.55.7Compare Source
Patch Changes
fix: prevent XSS on
hydratablefrom user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)chore: bump devalue (#18219)
fix: disallow empty attribute names during SSR (
547853e2406a2147ad7fb5ffeba95b01bd9642da)fix: harden regex (
d2375e2ebcab5c88feb5652f1a9d621b8f06b259)fix: move Svelte runtime properties to symbols (
e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)v5.55.6Compare Source
Patch Changes
fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)
fix: keep dependencies of
$state.eager/pending(#18218)fix: reapply context after transforming error during SSR (#18099)
fix: don't rebase just-created batches (#18117)
chore: allow
nullforpendingin typings (#18201)fix: flush eager effects in production (#18107)
fix: rethrow error of failed iterable after calling
return()(#18169)fix: account for proxified instance when updating
bind:this(#18147)fix: ensure scheduled batch is flushed if not obsolete (#18131)
fix: resolve stale deriveds with latest value (#18167)
chore: remove unnecessary
increment_pendingcalls (#18183)fix: correctly compile component member expressions for SSR (#18192)
fix: reset
source.updatedstack traces afterflush(#18196)fix: replacing async 'blocking' strategy with 'merging' (#18205)
fix: allow
@debugtags to reference awaited variables (#18138)fix: re-run fallback props if dependencies update (#18146)
fix: abort running obsolete async branches (#18118)
fix: ignore comments when reading CSS values (#18153)
fix: wrap
Promise.allinsaveduring SSR (#18178)fix: ignore false-positive errors of
$inspectdependencies (#18106)v5.55.5Compare Source
Patch Changes
fix: don't mark deriveds while an effect is updating (#18124)
fix: do not dispatch introstart event with animation of animate directive (#18122)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.