3 changes: 3 additions & 0 deletions package.json
@@ -103,5 +103,8 @@
"vite": "^6.4.1",
"esbuild": "^0.27.2"
}
},
"dependencies": {
"@sveltejs/kit": "2.57.1"
}
Comment on lines +107 to 109
Contributor
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking resolved versions in pnpm-lock.yaml..."
rg -n '@sveltejs/kit@|/@sveltejs/kit/|@sveltejs/adapter-node@|/@sveltejs/adapter-node/' pnpm-lock.yaml || true

echo
echo "Checking for potentially vulnerable 2.55.x kit entries..."
rg -n '@sveltejs/kit@2\.55\.' pnpm-lock.yaml || true

Repository: TanStack/query

Length of output: 106


🏁 Script executed:

ls -la | grep -E "(pnpm-lock|package-lock|yarn\.lock|package\.json)"

Repository: TanStack/query

Length of output: 192


🏁 Script executed:

head -120 package.json | tail -20

Repository: TanStack/query

Length of output: 763


🏁 Script executed:

git ls-files | grep -E "(lock|package\.json)" | head -10

Repository: TanStack/query

Length of output: 512


🏁 Script executed:

# Search more carefully in pnpm-lock.yaml for `@sveltejs/kit`
rg -i "sveltejs" pnpm-lock.yaml | head -20

Repository: TanStack/query

Length of output: 3758


🏁 Script executed:

# Check the exact format of dependencies in pnpm-lock.yaml
grep -n "sveltejs" pnpm-lock.yaml | head -30

Repository: TanStack/query

Length of output: 5115


🏁 Script executed:

# Get context around the 2.55.0 entries to see which packages depend on them
sed -n '1715,1725p' pnpm-lock.yaml

Repository: TanStack/query

Length of output: 1123


🏁 Script executed:

# Check if `@sveltejs/adapter-auto` specifies a version that requires 2.55.0
sed -n '1717,1725p' pnpm-lock.yaml

Repository: TanStack/query

Length of output: 1040


Vulnerable @sveltejs/kit@2.55.0 resolutions remain in pnpm-lock.yaml, which must be regenerated.

The root package.json correctly specifies @sveltejs/kit@2.57.1, but pnpm-lock.yaml still resolves multiple instances of the vulnerable @sveltejs/kit@2.55.0 across example projects (lines 1720–1822 and beyond). These entries exist because example projects declare @sveltejs/kit with the specifier ^2.42.2 and @sveltejs/adapter-auto@6.1.1 depends on the older version. Run pnpm install to regenerate the lockfile and ensure all @sveltejs/kit resolutions are updated to 2.57.1 or later.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 107 - 109, The pnpm lockfile still resolves
vulnerable `@sveltejs/kit`@2.55.0; update all example project package.json entries
that use the specifier ^2.42.2 to require `@sveltejs/kit`@2.57.1 (or a range
>=2.57.1), bump or replace `@sveltejs/adapter-auto` to a version that depends on
the newer kit, then run pnpm install to regenerate pnpm-lock.yaml so all
`@sveltejs/kit` resolutions point to 2.57.1+ (alternatively add a pnpm
overrides/resolutions entry forcing `@sveltejs/kit`@2.57.1 and run pnpm install).

}
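Review bot: the new `dependencies` block at lines 107 to 109 declares `@sveltejs/kit` as a runtime dependency of the repository root, which does not change what the example workspaces resolve for their own `^2.42.2` specifier, so pnpm-lock.yaml can keep older `@sveltejs/kit` resolutions (the comment above reports exactly that, with 2.55.0 still present). If the intent is to force every workspace onto 2.57.1, the mechanism is a pnpm `overrides` entry in the root package.json, or raising the examples' own specifiers, followed by regenerating the lockfile and confirming that no `@sveltejs/kit@2.55.` entries remain. Also, `"2.57.1"` is an exact pin while the neighbouring entries (`"vite": "^6.4.1"`, `"esbuild": "^0.27.2"`) use caret ranges; state whether this floor is meant to stay pinned or should be `^2.57.1` so later patch releases are picked up without another lockfile-only PR.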
118 changes: 57 additions & 61 deletions pnpm-lock.yaml
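The comment above asks for pnpm-lock.yaml to be regenerated and for every @sveltejs/kit resolution to end up at 2.57.1 or later. As an added example, not code from TanStack/query or from the review bot, the following script performs that check against a constructed lockfile excerpt whose layout imitates pnpm's v9 format (integrity values are placeholders). The package name and floor version are parameters, so the same function can be pointed at the real pnpm-lock.yaml or at another package such as @sveltejs/adapter-auto.

```shell
#!/bin/sh
# Added example, not code from TanStack/query or from the review bot:
# report every resolved version of a package in a pnpm-lock.yaml that is
# below a required floor, so a lockfile regeneration can be verified.
set -eu

# semver_lt A B: succeed when A is strictly lower than B.
# Compares the three numeric fields of x.y.z; pre-release tags are not handled.
semver_lt() {
  a=$1 b=$2
  for i in 1 2 3; do
    ai=${a%%.*} bi=${b%%.*}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    a=${a#*.} b=${b#*.}
  done
  return 1
}

# vulnerable_resolutions LOCKFILE PACKAGE FLOOR: print each distinct
# "PACKAGE@x.y.z" version resolved in LOCKFILE that is lower than FLOOR.
# pnpm writes resolved versions as keys under packages:/snapshots: and in
# nested peer suffixes like "(@sveltejs/kit@2.55.0(...))", all of which
# match "name@x.y.z"; importer "version:" lines alone are not matched.
# grep exits 1 on no match, which must not abort the script under set -e.
vulnerable_resolutions() {
  lockfile=$1 pkg=$2 floor=$3
  { grep -oE "$pkg@[0-9]+\.[0-9]+\.[0-9]+" "$lockfile" || true; } |
    sed "s|^$pkg@||" | sort -u |
    while read -r v; do
      if semver_lt "$v" "$floor"; then printf '%s\n' "$v"; fi
    done
}

# Constructed pnpm-lock.yaml excerpt (not the real TanStack/query lockfile):
# the root pins 2.57.1, while one example workspace still resolves 2.55.0
# through its own ^2.42.2 specifier and through @sveltejs/adapter-auto.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      '@sveltejs/kit':
        specifier: 2.57.1
        version: 2.57.1(svelte@5.40.1)(vite@6.4.1)

  examples/svelte/basic:
    devDependencies:
      '@sveltejs/adapter-auto':
        specifier: ^6.0.0
        version: 6.1.1(@sveltejs/kit@2.55.0(svelte@5.40.1)(vite@6.4.1))
      '@sveltejs/kit':
        specifier: ^2.42.2
        version: 2.55.0(svelte@5.40.1)(vite@6.4.1)

packages:

  '@sveltejs/adapter-auto@6.1.1':
    resolution: {integrity: sha512-constructed}
  '@sveltejs/kit@2.55.0':
    resolution: {integrity: sha512-constructed}
  '@sveltejs/kit@2.57.1':
    resolution: {integrity: sha512-constructed}

snapshots:

  '@sveltejs/adapter-auto@6.1.1(@sveltejs/kit@2.55.0(svelte@5.40.1)(vite@6.4.1))':
    dependencies:
      '@sveltejs/kit': 2.55.0(svelte@5.40.1)(vite@6.4.1)
  '@sveltejs/kit@2.55.0(svelte@5.40.1)(vite@6.4.1)': {}
  '@sveltejs/kit@2.57.1(svelte@5.40.1)(vite@6.4.1)': {}
EOF

# Stand-alone run against the sample: lists 2.55.0, the resolution that a
# lockfile regeneration would have to remove before the floor is met.
found=$(vulnerable_resolutions "$SAMPLE_LOCK" @sveltejs/kit 2.57.1)
if [ -n "$found" ]; then
  printf 'resolutions below floor:\n%s\n' "$found"
fi
```

In CI the call would target the repository's real pnpm-lock.yaml and exit non-zero when `found` is non-empty; the package and floor arguments make it reusable for any other advisory-driven bump.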