chore(deps): update dependency svelte to v5.53.5 [security]

[ham-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.51.5 → 5.53.5

GitHub Vulnerability Alerts

CVE-2026-27901

The contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server.

---

Release Notes

sveltejs/svelte (svelte)

v5.53.5

Compare Source

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

v5.53.4

Compare Source

Patch Changes

• fix: set server context after async transformError (#​17799)

• fix: hydrate if blocks correctly (#​17784)

• fix: handle default parameters scope leaks (#​17788)

• fix: prevent flushed effects from running again (#​17787)

v5.53.3

Compare Source

Patch Changes

• fix: render :catch of #await block with correct key (#​17769)

• chore: pin aria-query@​5.3.1 (#​17772)

• fix: make string coercion consistent to toString (#​17774)

v5.53.2

Compare Source

Patch Changes

• fix: update expressions on server deriveds (#​17767)

• fix: further obfuscate node:crypto import from overzealous static analysis (#​17763)

v5.53.1

Compare Source

Patch Changes

• fix: handle shadowed function names correctly (#​17753)

v5.53.0

Compare Source

Minor Changes

• feat: allow comments in tags (#​17671)

• feat: allow error boundaries to work on the server (#​17672)

Patch Changes

• fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

• fix: ensure head effects are kept in the effect tree (#​17746)

• chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes

• feat: support TrustedHTML in {@​html} expressions (#​17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

• fix: re-run non-render-bound deriveds on the server (#​17674)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-svelte-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}