
chore(patch): update devalue to 5.6.4 #patch (#132)

Open
public-glueops-renovatebot[bot] wants to merge 1 commit into main from renovate/npm-devalue-vulnerability

Conversation


@public-glueops-renovatebot public-glueops-renovatebot Bot commented Mar 31, 2026

This PR contains the following updates:

Package   Change          Age       Confidence
devalue   5.6.2 -> 5.6.4  (badge)   (badge)

devalue unevaled code can create objects with polluted prototypes when evaled

GHSA-8qm3-746x-r74r

More information

Details

Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.

Severity

  • CVSS Score: 2.1 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


devalue has prototype pollution in devalue.parse and devalue.unflatten

CVE-2026-30226 / GHSA-cfw5-2vxh-hr84

More information

Details

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Sveltejs devalue's devalue.parse and devalue.unflatten emit objects with __proto__ own properties

GHSA-mwv9-gp5h-frr4

More information

Details

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sveltejs/devalue (devalue)

v5.6.4

Compare Source

Patch Changes
  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Compare Source

Patch Changes
  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
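The third advisory above (GHSA-mwv9-gp5h-frr4) only sketches the downstream hazard. The following is an added example, not code from the devalue project or the advisory: it uses JSON.parse (which the advisory names as producing the same shape) as a stand-in for the affected devalue.parse, shows why Object.assign on such a value swaps the target's prototype, and adds the kind of own-`__proto__` check that 5.6.4 performs inside the parser. The function names hasOwnProtoKey, unsafeMerge and safeMerge and the sample payload are constructed for this example.

```javascript
// Constructed sample: JSON.parse, like pre-5.6.4 devalue.parse, yields an object
// whose "__proto__" is an ordinary own property rather than its prototype link.
const PARSED = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Walks a hydrated value and reports whether any plain object carries an own
// "__proto__" key. Arrays, Maps and Sets are traversed as containers; a `seen`
// set guards against cycles, which devalue payloads can legitimately contain.
function hasOwnProtoKey(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value);
  if (Array.isArray(value)) return value.some((v) => hasOwnProtoKey(v, seen));
  if (value instanceof Map) {
    for (const [k, v] of value) {
      if (hasOwnProtoKey(k, seen) || hasOwnProtoKey(v, seen)) return true;
    }
    return false;
  }
  if (value instanceof Set) {
    for (const v of value) if (hasOwnProtoKey(v, seen)) return true;
    return false;
  }
  if (Object.prototype.hasOwnProperty.call(value, '__proto__')) return true;
  return Object.keys(value).some((k) => hasOwnProtoKey(value[k], seen));
}

// The pattern quoted in the advisory: Object.assign performs [[Set]] for each
// own enumerable key, so "__proto__" reaches the Object.prototype accessor and
// replaces the target's prototype instead of creating a data property.
function unsafeMerge(target, source) {
  return Object.assign(target, source);
}

// Defensive counterpart: refuse payloads that carry an own "__proto__" key
// (mirroring the 5.6.4 parser behaviour), then copy with defineProperty so every
// key lands as an own data property and never triggers an inherited setter.
function safeMerge(target, source) {
  if (hasOwnProtoKey(source)) {
    throw new TypeError('refusing hydrated payload with an own __proto__ key');
  }
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}
```

Because the pollution lands on the merge target rather than on Object.prototype, `Object.prototype.hasOwnProperty.call(target, 'isAdmin')` stays false while `target.isAdmin` reads true, which is why such injection is easy to miss in tests that only inspect own properties.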

@public-glueops-renovatebot public-glueops-renovatebot Bot changed the title chore(patch): update devalue to 5.6.4 #patch chore(patch): update devalue to 5.6.4 #patch - autoclosed Apr 27, 2026
@public-glueops-renovatebot public-glueops-renovatebot Bot deleted the renovate/npm-devalue-vulnerability branch April 27, 2026 17:38
@public-glueops-renovatebot public-glueops-renovatebot Bot changed the title chore(patch): update devalue to 5.6.4 #patch - autoclosed chore(patch): update devalue to 5.6.4 #patch Apr 27, 2026
@public-glueops-renovatebot public-glueops-renovatebot Bot force-pushed the renovate/npm-devalue-vulnerability branch 2 times, most recently from d60147b to 7565f39 Compare April 27, 2026 19:18
@public-glueops-renovatebot public-glueops-renovatebot Bot changed the title chore(patch): update devalue to 5.6.4 #patch chore(patch): update devalue to 5.6.4 #patch - autoclosed Apr 27, 2026
@public-glueops-renovatebot public-glueops-renovatebot Bot changed the title chore(patch): update devalue to 5.6.4 #patch - autoclosed chore(patch): update devalue to 5.6.4 #patch Apr 27, 2026
@public-glueops-renovatebot public-glueops-renovatebot Bot force-pushed the renovate/npm-devalue-vulnerability branch 2 times, most recently from 7565f39 to c61de07 Compare April 27, 2026 21:37

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@public-glueops-renovatebot public-glueops-renovatebot Bot force-pushed the renovate/npm-devalue-vulnerability branch from c61de07 to d7c7fa2 Compare May 10, 2026 04:10