chore(deps): update dependency svelte to v5.53.5 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.53.3 → 5.53.5

GitHub Vulnerability Alerts

CVE-2026-27902

Errors from transformError were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from transformError.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

CVE-2026-27901

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

---

Release Notes

sveltejs/svelte (svelte)

v5.53.5

Compare Source

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

v5.53.4

Compare Source

Patch Changes

• fix: set server context after async transformError (#​17799)

• fix: hydrate if blocks correctly (#​17784)

• fix: handle default parameters scope leaks (#​17788)

• fix: prevent flushed effects from running again (#​17787)

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.