Hmm, I think "release contains bare commits" (as opposed to PR references) is probably a pretty good signal. I don't think there are typically any scenarios where we'd do that if we weren't releasing from a GitHub private fork.
This is legit; super cool. Is there anything we can do from our end to make sure this shows up correctly / doesn't miss security releases?
Thanks Jorian! Glad we got this one fixed and glad you found it.
bsky.app/profile/ell....
Thankfully nothing huge, but yes! The new bug bounty has brought a lot of really good scrutiny to the Svelte ecosystem's projects.
Huge thanks to everyone involved, and a special shoutout for the security team at Vercel for working with us to pay our reporters and managing this new bug bounty!
The `@sveltejs/adapter-vercel` patches are available in 6.3.2. If you're on Vercel, you should upgrade. We deployed WAF protections for most exploit patterns, but the only way to immunize yourself to this one is by upgrading or being lucky enough to have an app configuration that prevents it.
The `devalue` patches are available in version `5.6.3`. It's very, very unlikely you're affected, but you should upgrade anyway!
The `@sveltejs/kit` patches are available in version 2.52.2. Only applications using both `experimental.remoteFunctions` and `form` are vulnerable.
The `svelte` security patches are available in version 5.51.5. All of these had to do with SSR escaping issues. Thankfully, they're all very difficult to exploit in practice. (Most of them would require upstream system compromise along with some level of knowledge of the application's internals).
We just released a number of security patches across the Svelte ecosystem. If you use SvelteKit, the Vercel adapter for SvelteKit, Svelte, or devalue, you should upgrade.
The Vercel OSS Bug Bounty paid out over $14,000 for these reports!
We're basically at “Wow, this is awesome, and we still have so much work to do!” I'm hoping to get the bandwidth to write streaming SSR soon, but we're also working on SvelteKit 3, so there's a lot of juggling going on. Rich and Simon are mostly focusing on async reactivity bug bashing right now.
It's official, you can now get paid up to $10,000 for finding security issues in Svelte and SvelteKit! Big thanks to both the security team at Vercel and the Svelte maintainers' group for coming together to make this possible. Learn more: vercel.com/blog/the-ver...
I also really enjoyed it, thank you! One minor thing: the table of contents is getting way too touchy-feely with the article content
We've released fixes for 5 CVEs affecting the Svelte ecosystem. Please upgrade your apps!
Read the post to learn if you're affected:
svelte.dev/blog/cves-af...
we'll never know if he's talking about software development or this: www.foodnavigator-usa.com/Article/2023...
Yeah but if you can survive with a global “singleton” of the class, you can just export it as `export const myThing = new Thing()`! And you don't need multiple paradigms for “needs config” vs “doesn't need config”
I have typically used a class with state fields and arrow function methods for event handlers. Then you can do `const myThing = new Thing()` and pass `myThing.onclick` to a click handler and Thing still owns all the state.
the svelte docs themselves are a decent example: github.com/sveltejs/sve...
This is a common mental model problem for React => Svelte devs.
When a Svelte component runs, the script block only runs one single time. So if you write `let foo = bar`, all you get from foo is a variable holding whatever value was in bar at component initialization. This means that if bar was something reactive, you'll “lose” reactivity. `$derived` is your way of telling Svelte “I want this variable to always refer to the current value of an expression”.
One caveat here is that variable references in the template (outside of the script block) are automatically made reactive, which is why writing `{foo}` in your HTML will always update the DOM.
awed by the svelte community's creativity. no-one does high-concept mischief quite like @kenthropic.com
Advent of Svelte day 3 is all about attachments, the new much more powerful and flexible alternative to actions!
And the demo is just so beautiful 🧡
advent.sveltesociety.dev/2025/3
Not quite, I was rounding. Just a Thanksgiving post! But thank you, I'll come back to this response when my next anniversary comes around.
Really thankful today for @rich-harris.dev, @dummdidumm.bsky.social, and all of the rest of the @svelte.dev team.
Four years ago, when I discovered Svelte and SvelteKit, I never could have known that working on them full time would be paying the bills.
These beautiful projects have changed my life for the better; through them, I not only learned web development, but software engineering as a whole. I really have Svelte to thank for my entire career at this point.
Rich and Simon, and many of the other maintainers, have been the #1 influence on my software engineering skills. I'm so excited for the next year working on the project. I get to learn from some of the best engineers I've ever met, and can't wait to show you all that we've got planned.
Cheers to the next year, everyone!
I released it specifically for you
So the wild thing about this is that I have the screenshot saved and it looks nothing like this. idk what ray.so or bsky did to me but it was dirty
(Update: absolutely no clue what illness ray.so contracted in the initial post)