Skip to content

deps(deps-dev): bump the svelte-ecosystem group with 2 updates #117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
Closed

deps(deps-dev): bump the svelte-ecosystem group with 2 updates #117

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 12 additions & 14 deletions bun.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@
"@electric-sql/pglite": "^0.4.5",
"@internationalized/date": "^3.12.1",
"@playwright/test": "^1.60.0",
"@sveltejs/kit": "^2.60.1",
"@sveltejs/kit": "^2.61.1",
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify `@sveltejs/kit`@2.61.1 exists and check for vulnerabilities

# Check if the version exists on npm
echo "=== Checking `@sveltejs/kit`@2.61.1 exists ==="
npm view `@sveltejs/kit`@2.61.1 version

# Check for security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "`@sveltejs/kit`") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: Divkix/Logwell

Length of output: 2744

Update the lockfile so installs use the bumped, non-vulnerable dependency versions
package.json bumps @sveltejs/kit to ^2.61.1, but package-lock.json still pins @sveltejs/kit to 2.59.1, so installs won’t pick up the intended upgrade. @sveltejs/kit@2.61.1 exists, and advisories indicate versions <= 2.60.0 are affected (patched at 2.60.1), which includes 2.59.1. Regenerate and commit the lockfile (e.g., via bun install / npm install) so it matches package.json (also svelte appears similarly out of sync).

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 41, package.json was updated to bump "`@sveltejs/kit`" to
^2.61.1 (and svelte), but the lockfile still pins older vulnerable versions
(e.g., package-lock.json showing 2.59.1); regenerate the lockfile so installs
pick up the non-vulnerable releases: run your package manager install (npm
install or bun install) to update package-lock.json (or bun.lock/tpn lock) so
"`@sveltejs/kit`" and "svelte" resolve to the bumped versions, verify the lockfile
now references 2.61.1 (or >=2.60.1) and commit the updated lockfile with the
change.

"@sveltejs/vite-plugin-svelte": "^7.1.2",
"@tailwindcss/vite": "^4.3.0",
"@testing-library/jest-dom": "^6.9.1",
Expand All @@ -55,7 +55,7 @@
"jsdom": "^29.1.1",
"knip": "^6.14.1",
"mode-watcher": "^1.1.0",
"svelte": "^5.55.8",
"svelte": "^5.55.9",
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify svelte@5.55.9 exists and check for vulnerabilities

# Check if the version exists on npm
echo "=== Checking svelte@5.55.9 exists ==="
npm view svelte@5.55.9 version

# Check for security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "svelte") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: Divkix/Logwell

Length of output: 2641

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate lockfiles
echo "=== Lockfiles present ==="
ls -la package-lock.json bun.lockb 2>/dev/null || true

echo
echo "=== package.json svelte spec ==="
cat package.json | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{const j=JSON.parse(s);console.log(j.dependencies?.svelte ?? j.devDependencies?.svelte ?? j.svelte)})'

echo
echo "=== svelte versions in package-lock.json ==="
if [ -f package-lock.json ]; then
  rg -n '"svelte"' package-lock.json | head -n 50
  echo
  rg -n '"name": "svelte"|"svelte@' package-lock.json | head -n 50 || true
  echo
  rg -n '"version": "5\.55\.' package-lock.json | head -n 50
fi

echo
echo "=== bun.lockb exists? ==="
if [ -f bun.lockb ]; then
  echo "bun.lockb present (cannot easily parse without bun)."
fi

Repository: Divkix/Logwell

Length of output: 1075

🏁 Script executed:

#!/bin/bash
set -euo pipefail
node -e 'const fs=require("fs");const j=JSON.parse(fs.readFileSync("package.json","utf8")); console.log("packageManager:", j.packageManager ?? "(none)"); console.log("scripts keys:", j.scripts?Object.keys(j.scripts):[]);'

Repository: Divkix/Logwell

Length of output: 608

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "bun install|bun\.lockb|\bBun\b|package-lock\.json|npm ci|npm install" -S README* package.json .github workflows* 2>/dev/null || true

Repository: Divkix/Logwell

Length of output: 2688

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Does package-lock.json contain 5.55.9? ==="
rg -n "5\.55\.9" package-lock.json || true

echo
echo "=== Does package-lock.json contain svelte spec ^5.55.9? ==="
rg -n "\"svelte\": \"\^5\.55\.9\"" package-lock.json || true

echo
echo "=== Show context around the found svelte version 5.55.7 (line ~6619) ==="
sed -n '6605,6635p' package-lock.json | cat -n

Repository: Divkix/Logwell

Length of output: 1669

🌐 Web query:

Bun install --frozen-lockfile uses package-lock.json when bun.lockb missing

💡 Result:

In Bun, bun install --frozen-lockfile does not use package-lock.json as a fallback lockfile when bun.lock/bun.lockb is missing; it is defined to install exact versions from Bun’s own lockfile and fail if the lockfile would need updating, and Bun’s docs describe bun.lock as the lockfile used for --frozen-lockfile. What Bun does instead when bun.lock is missing: - If it detects pnpm-lock.yaml, Bun auto-migrates that into bun.lock during installation (the original pnpm-lock.yaml is preserved). [1] - Separately, Bun will “automatically migrate” other Node lockfiles (including package-lock.json) when running bun install in a project without a Bun lockfile. [2] But that behavior is migration/update behavior; --frozen-lockfile is explicitly for reproducible installs that do not update the lockfile (Bun exits with an error if package.json disagrees with bun.lock, and the lockfile is not updated). [3] So the premise “bun install --frozen-lockfile uses package-lock.json when bun.lockb is missing” is not supported by Bun’s documentation; rather, --frozen-lockfile is about the Bun lockfile, and package-lock.json is (at most) a source that Bun may migrate from during a non-frozen install. [2][3] If you need CI behavior equivalent to “fail unless lockfile matches exactly”, ensure bun.lock is present in the repo (commit it) and use --frozen-lockfile with that. [3]

Citations:

🏁 Script executed:

#!/bin/bash
set -euo pipefail
ls -la bun.lock bun.lockb 2>/dev/null || true

Repository: Divkix/Logwell

Length of output: 118

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== bun.lock contains 5.55.9? ==="
rg -n "5\.55\.9" bun.lock || true

echo
echo "=== bun.lock contains 5.55.7? ==="
rg -n "5\.55\.7" bun.lock || true

echo
echo "=== bun.lock occurrences for svelte ==="
rg -n "svelte@|\"svelte\"" bun.lock | head -n 50 || true

Repository: Divkix/Logwell

Length of output: 9394

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "npm ci|npm install|package-lock\.json" .github/workflows -S || true

Repository: Divkix/Logwell

Length of output: 249

Update package-lock.json to match svelte ^5.55.9 (package.json line 58)

package.json requires svelte ^5.55.9; bun.lock already resolves svelte@5.55.9, but package-lock.json still locks svelte@5.55.7. Update package-lock.json if npm installs are part of your workflow (or remove it if Bun-only).

Security: svelte@5.55.9 exists, and the reported GH advisories are for versions up to 5.55.6 with first patched version 5.55.7, so 5.55.9 is outside those ranges.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 58, package-lock.json currently locks svelte at 5.55.7
while package.json requires svelte ^5.55.9; update package-lock.json (or
regenerate it) so the resolved svelte entry matches 5.55.9 (or remove
package-lock.json if you intend to use Bun-only) to keep the lockfile consistent
with the dependency declared in package.json and your bun.lock resolution.

"svelte-adapter-bun": "^1.0.1",
"svelte-check": "^4.4.8",
"svelte-sonner": "^1.1.1",
Expand Down
Loading