
chore(deps): update dependency devalue to v5.6.4 [security] #15880

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-devalue-vulnerability

Conversation

@renovate renovate bot (Contributor) commented Mar 12, 2026

This PR contains the following updates:

Package: devalue
Change: 5.6.3 -> 5.6.4
Age / Confidence: (badges not captured)

GitHub Vulnerability Alerts

CVE-2026-30226

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

GHSA-mwv9-gp5h-frr4

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

Release Notes

sveltejs/devalue (devalue)

v5.6.4


Patch Changes
  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
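The advisory quoted above says the hazard is not the parsed object itself but a downstream sink such as Object.assign copying an own "__proto__" key. The following is an added example, not code from devalue, this PR, or the renovate comment. It uses JSON.parse (which the advisory notes produces the same shape) instead of devalue.parse so it runs offline, with a constructed payload, and shows the unsafe sink next to two mitigations: a validator that rejects such objects before they reach merge logic, and a merge that copies own keys without triggering the __proto__ setter. All function names (hasOwnProtoKey, safeMerge, parseAndReject, demo) are assumptions for this example.

```javascript
// Added defensive example, not devalue's or this PR's code. JSON.parse stands in
// for devalue.parse because both can return an object that carries "__proto__"
// as an OWN key while its real prototype is still Object.prototype.

// Constructed sample payload: an own "__proto__" key, not a prototype link.
const PAYLOAD = '{"__proto__":{"polluted":true},"name":"demo"}';

// Untrusted parse step; JSON.parse creates own data properties, so "__proto__"
// lands as an ordinary enumerable key on the result.
function parseUntrusted(text) {
  return JSON.parse(text);
}

// Check: does a parser result carry an own __proto__ key? This is the condition
// the devalue 5.6.4 release notes describe rejecting at parse time.
function hasOwnProtoKey(value) {
  return value !== null && typeof value === 'object' &&
    Object.prototype.hasOwnProperty.call(value, '__proto__');
}

// The hazardous sink from the advisory: Object.assign uses [[Set]], so the own
// "__proto__" key invokes the inherited __proto__ setter and re-parents target.
function unsafeMerge(target, source) {
  return Object.assign(target, source);
}

// Mitigation 1: copy own keys with defineProperty (never fires setters) and skip
// the keys that can reach the prototype chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Mitigation 2: validate parser output before it reaches any merge/clone code.
function parseAndReject(text) {
  const value = parseUntrusted(text);
  if (hasOwnProtoKey(value)) {
    throw new Error('rejected payload with own __proto__ key');
  }
  return value;
}

// Run both paths on the sample payload and return the observations.
function demo() {
  const parsed = parseUntrusted(PAYLOAD);
  const polluted = unsafeMerge({}, parsed);
  const clean = safeMerge({}, parsed);
  return {
    parsedHasOwnProto: hasOwnProtoKey(parsed),
    parsedPrototypeIsObject: Object.getPrototypeOf(parsed) === Object.prototype,
    unsafeTargetPolluted: polluted.polluted === true,
    unsafePrototypeReplaced: Object.getPrototypeOf(polluted) !== Object.prototype,
    safeTargetPolluted: clean.polluted === true,
    safeName: clean.name,
    // Only the single target was re-parented; Object.prototype itself is intact.
    globalPrototypeUntouched: ({}).polluted === undefined,
  };
}

console.log(demo());
```

The design point is that the fix in this PR removes the own-`__proto__` key at the parser, but any code that merges parsed data into other objects should still use a setter-free copy or an explicit key check, since the advisory states the same shape can arrive from JSON.parse.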

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 12, 2026
@changeset-bot changeset-bot bot commented Mar 12, 2026

⚠️ No Changeset found

Latest commit: e226cc0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@renovate renovate bot force-pushed the renovate/npm-devalue-vulnerability branch from d0ba19f to 7e8a7a1 Compare March 13, 2026 10:38
@renovate renovate bot force-pushed the renovate/npm-devalue-vulnerability branch from 7e8a7a1 to e226cc0 Compare March 13, 2026 11:23