Skip to content

Update dependency @builder.io/qwik to v1.19.1 [SECURITY]#394

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-vulnerability
Open

Update dependency @builder.io/qwik to v1.19.1 [SECURITY]#394
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-builder.io-qwik-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@builder.io/qwik (source) 1.12.11.19.1 age confidence

Qwik vulnerable to Unauthenticated RCE via server$ Deserialization

CVE-2026-27971 / GHSA-p9x5-jp3h-96mm

More information

Details

Summary

qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime.

Impact
  • Remote Code Execution

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

QwikDev/qwik (@​builder.io/qwik)

v1.19.1

Compare Source

Patch Changes
  • 🐞🩹 support Deno as package manager for production builds. The Vite plugin now recognizes Deno as a Node-compatible runtime for manifest passing, and SSG delegates to the Node implementation instead of stubbing out. (by @​ianlet in #​8385)

  • 🐞🩹 the optimizer was not using the binary builds (by @​wmertens in #​8360)

  • 🐞🩹 resolve 404 error for virtual CSS modules during dev SSR (by @​jantimon in #​8351)

v1.19.0

Compare Source

Minor Changes
  • untrack() now accepts signals and stores directly, as well as accepting arguments when you pass a function. This makes retrieving values without subscribing to them more efficient. (by @​wmertens in #​8247)
Patch Changes
  • 🐞🩹 we now prevent merging useVisibleTask$ code together with other segments to prevent overpreloading when their entry contains a lot of transitive imports. (by @​maiieul in #​8275)

  • 🐞🩹 duplicated preload bundles in SSR preload (by @​chebanenko in #​8248)

  • ⚡️: the core.js and preloader.js references in q-manifest and bundle-graph are now filtered out for smaller outputs. (by @​maiieul in #​8278)

v1.18.0

Compare Source

Minor Changes
  • PERF: Computed signals now only trigger listeners if their value has changed (by @​wmertens in #​8148)
Patch Changes
  • execute cleanup cb for all component tree while calling dispose.cleanup method returned by render fn (by @​sashkashishka in #​8164)

  • 🐞🩹 useResource's onRejected now catches errors again; preventing unhandled errors in test environments. (by @​maiieul in #​8197)

  • qwik add compiled-i18 now adds easy i18n to your app. (by @​wmertens in #​8177)

v1.17.2

Compare Source

v1.17.1

Compare Source

Patch Changes
  • 🐞🩹 the bunding won't lead to circular dependencies in qwik-astro apps anymore. (by @​maiieul in #​8052)

  • ✨ The optimizer is now built with a recent Rust toolchain. Fresher bits! (by @​wmertens in #​8040)

v1.17.0

Compare Source

Minor Changes
  • 🐞🩹 Qwik now leverages Rollup's new output.onlyExplicitManualChunks feature, which improves preloading performance and reduces cache invalidation for a snappier user experience. (by @​maiieul in #​7982)

  • ✨ the qwikloader can now be inlined again if required (for testing or specific network conditions). Pass qwikLoader: 'inline' to the render options. (by @​wmertens in #​8008)

Patch Changes

v1.16.1

Compare Source

Patch Changes
  • 🐞🩹 The entry.ssr renderToStream preloader.preloadProbability option is now deprecated because this could cause performance issues with bundles fetched on click instead of being preloaded ahead of time. (The preloader still relies on probabilities to know preload the most likely bundles first) (by @​maiieul in #​7847)

  • 🐞🩹 Link prefetch now always preloads Link prefetch bundles on monorepos (by @​maiieul in #​7835)

  • 🐞🩹 Rollup's hoistTranstiveImports is now set to false because the hoisting added unnecessary bundles to be preloaded to the bundle-graph static imports graph. This could lead to a suboptimal preloading experience. (by @​maiieul in #​7850)

  • 🛠 Add check-client command to verify bundle freshness (by @​JerryWu1234 in #​7517)

  • ✨ All qwik packages are now marked as side effect free in their package.json. This should remove a few unecessary empty imports added by rollup and then not tree-shaken like import "./preloader.js". (by @​maiieul in #​7908)

  • 🐞🩹 unmount qwikify react root alongside with qwik component (by @​sashkashishka in #​7864)

  • 🐞🩹 preloader now preloads bundles as long as they are part of the current viewport's bundles graph, even if their probability is very small (by @​maiieul in #​7836)

  • ✨ maxIdlePreloads is now constant over time so you know for sure how many bundles will be preloaded concurrently during idle. (by @​maiieul in #​7846)

  • 🛠 use patched domino instead of qwik-dom (by @​gioboa in #​7842)

  • 🐞🩹 Qwik is now smarter at bundling non QRL source files and qwik libraries modules (e.g. helpers, enums, inline components, etc.) together. (by @​maiieul in #​7888)

v1.16.0

Compare Source

Minor Changes
Patch Changes
  • 🐞🩹 Keeping the service worker components now properly unregisters them. (by @​maiieul in #​7781)

  • 🛠 remove a grace period before unregistering events from qwikloader (by @​Varixo in #​7818)

  • 🐞🩹 Keeping the service worker components now also removes their associated Cache storage. (by @​maiieul in #​7782)

  • 🐞🩹 fix up open in editor feature (by @​LazyClicks in #​7785)

  • 🐞🩹 SSR was missing some places with nonce for CSP. Now CSP should work even when strict-dynamic (by @​wmertens in #​7776)

v1.15.0

Compare Source

Minor Changes
  • 🐞🩹 the preloader bundle graph file is now built as an asset. This is cleaner and avoids i18n translation of the file. (by @​wmertens in #​7650)
Patch Changes
  • 🐞🩹 Use correct working directory for Deno environment (by @​siguici in #​7699)

  • ⚡ the qwikloader is no longer embedded in the SSR results. Instead, the same techniques are used as for the preloader to ensure that the qwikloader is active as soon as possible, loaded from a separate bundle. This reduces SSR page size by several kB end ensures that subsequent qwikloader loads are nearly instant. (by @​wmertens in #​7613)

  • 🐞🩹 Removed backdrop-filter of vite-error-overlay to prevent perf issues with multiple errors (by @​intellix in #​7676)

  • 🐞🩹 assetsDir and debug:true will no longer break your application. (by @​maiieul in #​7638)

  • 🐞🩹 We now also output the preloader as .cjs for non esm environments (e.g. jest 29 and below). (by @​maiieul in #​7736)

  • 🐞🩹 cypress component tests became slow in 1.9.1. This is now fixed. (by @​maiieul in #​7736)

  • ✨ q-manifest.json now also includes the generated assets (by @​wmertens in #​7650)

  • 🐞🩹 support q-manifest resolution under Bun runtime (#​7565) (by @​siguici in #​7669)

  • 🐞🩹 set correct script type for qwik loader (by @​Varixo in #​7710)

  • 🛠 update devDependencies and configurations (by @​JerryWu1234 in #​7695)

v1.14.1

Compare Source

v1.14.0

Compare Source

Minor Changes
  • ✨ Major improvements to prefetching with automatic bundle preloading (by @​wmertens in #​7453)

    • This removes the need for service workers, and instead utilize modulepreload link tags for better browser integration.
    • Improves initial load performance by including dynamic imports in the prefetch
    • Reduces complexity while maintaining similar (and even better) functionality
    • Enables some preloading capabilities in dev mode (SSR result only)
    • Includes path-to-bundle mapping in bundle graph (this improves the experience using the <Link> component, AKA "single page app" mode)
    • Server now has built-in manifest support (so no need to pass manifest around)
    • Moves insights-related build code to insights plugin

    ⚠️ ATTENTION:

    • Keep your service worker code as is (either <ServiceWorkerRegister/> or <PrefetchServiceWorker/>).
    • Configure your server to provide long caching headers.

    Service Worker:

    This new implementation will use it to uninstall the current service worker to reduce the unnecessary duplication.

    The builtin service workers components are deprecated but still exist for backwards compatibility.

    ⚠️ IMPORTANT: Caching Headers:

    The files under build/ and assets/ are named with their content hash and may therefore be cached indefinitely. Typically you should serve build/* and assets/* with Cache-Control: public, max-age=31536000, immutable.

    However, if you changed the rollup configuration for output filenames, you will have to adjust the caching configuration accordingly.


    You can configure the preload behavior in your SSR configuration:

    // entry.ssr.ts
    export default function (opts: RenderToStreamOptions) {
      return renderToStream(<Root />, {
        preload: {
          // Enable debug logging for preload operations
          debug: true,
          // Maximum simultaneous preload links
          maxIdlePreloads: 5,
          // Minimum probability threshold for preloading
          preloadProbability: 0.25
          // ...and more, see the type JSDoc on hover
        },
        ...opts,
      });
    }
Optional for legacy apps:

For legacy apps that still need service worker functionality, you can add it back using:

npm run qwik add service-worker

This will add a basic service worker setup that you can customize for specific caching strategies, offline support, or other PWA features beyond just prefetching.

Patch Changes

v1.13.0

Compare Source

Minor Changes
  • The useTask# @&#8203;builder.io/qwik function's eagerness` option is deprecated and will be removed in version 2. (by @​sreeisalso in #​7345)
Patch Changes
  • 🐞🩹 Error boundary ErrorBoundary and fix useErrorBoundary (by @​damianpumar in #​7342)

  • 🐞 🩹 The qwik-city ServiceWorkerRegister and qwik PrefetchServiceWorker now prefetch all their qrls to prevent under-prefetching (by @​maiieul in #​7417)

  • 🐞🩹 When csr is true, it causes a crash because resolve cannot be null as the second parameter (by @​JerryWu1234 in #​7420)

  • updated drizzle to latest version (by @​sreeisalso in #​7288)

  • 🐞 fix(rollup): improve manualChunks logic to minimize over-prefetching (by @​maiieul in #​7362)

  • ✨ Add the ability to see chunks names in preview/production environments to facilitate debugging of production-only bugs (by @​maiieul in #​7293)

  • Emit an CustomEvent qviewTransition when view transition starts. (by @​GrandSchtroumpf in #​7237)

  • ✨ Ability to keep using tailwind v3 through the cli (by @​maiieul in #​7403)

  • dev server now correctly handles css and js importers, also hmr persistence (by @​thejackshelton in #​7389)

  • 🐞🩹 set default value of lint to false to improve the execution performance (by @​JerryWu1234 in #​7425)

  • 🐞🩹 manual QRL grouping now works again. This is needed for Insights to work. (by @​wmertens in #​7444)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title Update dependency @builder.io/qwik to v1.19.1 [SECURITY] Update dependency @builder.io/qwik to v1.19.1 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-builder.io-qwik-vulnerability branch March 27, 2026 01:30
@renovate renovate Bot changed the title Update dependency @builder.io/qwik to v1.19.1 [SECURITY] - autoclosed Update dependency @builder.io/qwik to v1.19.1 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-vulnerability branch 2 times, most recently from 8c88965 to e9a58f0 Compare March 30, 2026 17:47
@renovate renovate Bot changed the title Update dependency @builder.io/qwik to v1.19.1 [SECURITY] Update dependency @builder.io/qwik to v1.19.1 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency @builder.io/qwik to v1.19.1 [SECURITY] - autoclosed Update dependency @builder.io/qwik to v1.19.1 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-vulnerability branch 2 times, most recently from e9a58f0 to 6bfd4a7 Compare April 27, 2026 23:06
@codacy-production

codacy-production Bot commented Apr 27, 2026

Copy link
Copy Markdown

Not up to standards ⛔

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-vulnerability branch 2 times, most recently from 5144461 to 19bc4b4 Compare May 18, 2026 14:58
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-vulnerability branch 2 times, most recently from e77f921 to 0dd1014 Compare June 1, 2026 21:47
@renovate renovate Bot force-pushed the renovate/npm-builder.io-qwik-vulnerability branch from 0dd1014 to 7d6bbf2 Compare June 11, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants