chore(deps): update dependency @sveltejs/adapter-vercel to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/adapter-vercel (source)	4.0.5 → 6.3.2

GitHub Vulnerability Alerts

CVE-2026-27118

Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.

Successful exploitation requires a victim to visit an attacker-controlled link while authenticated.

Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible.

---

Release Notes

sveltejs/kit (@​sveltejs/adapter-vercel)

v6.3.2

Compare Source

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

v6.3.1

Compare Source

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#​15098)

• fix: prevent isr routes from handling remote function calls (#​15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

v6.3.0

Compare Source

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#​14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

v6.2.0

Compare Source

Minor Changes

• feat: Node 24 support (#​14982)

v6.1.2

Compare Source

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#​14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

v6.1.1

Compare Source

Patch Changes

• chore: improve runtime config parsing (#​14838)

• Updated dependencies [cd72d94, 53b1b73, 2ccc638]:

  • @​sveltejs/kit@​2.48.3

v6.1.0

Compare Source

Minor Changes

• feat: Add experimental support for Bun runtime (#​14817)

Patch Changes

• Updated dependencies [102aecf]:
  • @​sveltejs/kit@​2.48.1

v6.0.0

Compare Source

Major Changes

• breaking: remove Node polyfills (and by extension support for Node 18) (#​14732)

Minor Changes

• feat: parse isr.expiration, allowing it to be a string (#​14691)

Patch Changes

• Updated dependencies [9c933a2, dedda71]:
  • @​sveltejs/kit@​2.47.0

v5.10.3

Compare Source

Patch Changes

• chore: update "homepage" field in package.json (#​14579)

v5.10.2

Compare Source

Patch Changes

• fix: ensure read works in an edge function that has deployment protection. Protection bypass automation must be enabled (#​14147)

• Updated dependencies [c8f7ac3, 107f767]:

  • @​sveltejs/kit@​2.33.1

v5.10.1

Compare Source

Patch Changes

• chore: deprecate runtime config (#​14253)

v5.10.0

Compare Source

Minor Changes

• feat: use web standard fetch export (#​14251)

Patch Changes

• Updated dependencies [1d04a77, 5db4cd4]:
  • @​sveltejs/kit@​2.32.0

v5.9.1

Compare Source

Patch Changes

• fix: avoid erroring on builder properties that only exist on the latest version of SvelteKit (#​14233)

• Updated dependencies [f2db41c]:

  • @​sveltejs/kit@​2.31.1

v5.9.0

Compare Source

Minor Changes

• feat: add instrumentation.server.ts for tracing and observability setup (#​13899)

Patch Changes

• Updated dependencies [f635678, f635678]:
  • @​sveltejs/kit@​2.31.0

v5.8.2

Compare Source

Patch Changes

• chore: add .git to the end of package.json repository url (#​14134)

• Updated dependencies [c968aef]:

  • @​sveltejs/kit@​2.27.3

v5.8.1

Compare Source

Patch Changes

• chore(deps): update dependency @​vercel/nft to ^0.30.0 (#​14033)

v5.8.0

Compare Source

Minor Changes

• feat: add support for read imported from $app/server in edge functions (#​13859)

Patch Changes

• Updated dependencies [e5ce8bb, cf88369]:
  • @​sveltejs/kit@​2.25.0

v5.7.2

Compare Source

Patch Changes

• chore(deps): upgrade to esbuild 0.25.4 (#​13770)

v5.7.1

Compare Source

Patch Changes

• chore(deps): upgrade esbuild to 0.25.2 (#​13716)

• fix: include the edge-light bundling condition when building edge functions (#​13720)

• Updated dependencies [c51fb554416e0c4a21655c1d79e834f69743d1d5]:

  • @​sveltejs/kit@​2.20.8

v5.7.0

Compare Source

Minor Changes

• feat: create symlink functions for each route, for better observability (#​13679)

Patch Changes

• Updated dependencies [7fd7bcb7142e7d0d2dd64174fa1a94d56a45d643]:
  • @​sveltejs/kit@​2.20.4

v5.6.3

Compare Source

Patch Changes

• chore(deps): upgrade @​vercel/nft to fix glob deprecation warnings (b1e9781a6dff41841d8e1509311d948421956746)

v5.6.2

Compare Source

Patch Changes

• fix: change server-side route resolution endpoint (#​13461)

• Updated dependencies [9612a60a0277aef0ab4723a0e7ed8dd03a7ffb95, 3d88ae33fc14b08a1d48c2cb7315739c8cfcd9fd]:

  • @​sveltejs/kit@​2.17.2

v5.6.1

Compare Source

Patch Changes

• fix: correct edge function path for route resolution endpoint (#​13409)

v5.6.0

Compare Source

Minor Changes

• feat: generate edge function dedicated to server side route resolution when using that option in SvelteKit (#​13379)

Patch Changes

• Updated dependencies [09296d0f19c8d1ff57d699e637bd1beabb69d438, d62ed39a431f0db3db4dd90bf6b17ed2a2a2de79, f30352f874790b9de0bd0eba985a21aef23e158e, 180fa3467e195065c0a25206c6328a908e6952d7, 5906e9708965b848b468d0014999c36272dc8d50, d62ed39a431f0db3db4dd90bf6b17ed2a2a2de79]:
  • @​sveltejs/kit@​2.17.0

v5.5.3

Compare Source

Patch Changes

• fix: include ambient type declarations (#​12088)

• Updated dependencies [d440c68acac67ed64eea4b9bda267e229303db7b, 6774ebc34330b12ae8c0cae08e98b577d819fffb, 777c8ef11f17d2ab48aee0f2347c051663da5826, f451f6c4a3dbbc73dc86667c6ff89ab2f46ca9d2, 34a03ff16af29e917abebb649b31eadfc40a98a0, 1c77e283896058084c1cb5752d9ec207987a585e, 04958cca5905aaeeff367c9e4a5ce6e90fc64779, 9dc5c0e3e01a3c07010e9996688169be68e1dde8, 00e1a7621de554054d068e4525a9e505d1c2e588, 9fcd1e7574197fa6e7ac000a030378d877cb8837, e541a4057a00f5ab6740fb51b7f88f17776da50a, 37f72fbb075b481de8263f62c77125333735f382, b60707ca8e755be95c86490122aa1b792b9bd6be, 699f4405c752261cf46c1ad32e4dbadceaffc75b, e2a4538c48295cde06f64fb8c7f0b333fbf95496, a91ba1f326b6e244503de9a010771d942b461dad]:

  • @​sveltejs/kit@​2.16.0

v5.5.2

Compare Source

Patch Changes

• chore: upgrade @vercel/nft to 0.27.9 (#​13129)

• Updated dependencies [9fc5ff3339e543b956f7ce5eb31267fa73ee332a, 85b57168189fa16fe966434ec50cc19425cab275]:

  • @​sveltejs/kit@​2.10.0

v5.5.1

Compare Source

Patch Changes

• chore: upgrade @​vercel/nft to 0.27.7 (#​13082)

• Updated dependencies [78404dfe1eb346723eefc183278b85f25485b419]:

  • @​sveltejs/kit@​2.9.1

v5.5.0

Compare Source

Minor Changes

• chore: upgrade esbuild to 0.24.0 (#​12270)

Patch Changes

• Updated dependencies [d030f4bb285e70844d09b3f0c87809bae43014b8, 67dd214863cbc5852eb0e8512efbb7bad5358e8a]:
  • @​sveltejs/kit@​2.9.0

v5.4.8

Compare Source

Patch Changes

• chore: support building with Node 22 (#​13043)

• Updated dependencies [570562b74d9e9f295d9b617478088a650f51e96b, 1358cccd52190df3c74bdd8970dbfb06ffc4ec72]:

  • @​sveltejs/kit@​2.8.2

v5.4.7

Compare Source

Patch Changes

• fix: disregard presence/absence of trailing slash in prerendered redirect (#​12966)

• Updated dependencies [92b2686314a7dbebee1761c3da7719d599f003c7]:

  • @​sveltejs/kit@​2.8.0

v5.4.6

Compare Source

Patch Changes

• docs: update URLs for new svelte.dev site (#​12857)

• Updated dependencies [dcbe4222a194c5f90cfc0fc020cf065f7a4e4c46, 4cdbf76fbbf0c0ce7f574ef69c8daddcf954d39d, 3a9b78f04786898ca93f6d4b75ab18d26bc45192, 723eb8b31e6a22c82f730c30e485386c8676b746, 8ec471c875345b751344e67580ff1b772ef2735b]:

  • @​sveltejs/kit@​2.7.3

v5.4.5

Compare Source

Patch Changes

• fix: updated @default annotation for runtime (#​12717)

• Updated dependencies [3591411e880ed5337123c66365433afe8c2f747b, 2292170ecba27c70600fae0c2adc473ac9d938e8, 809983f377f0b18c4651a8a4f3af7b69c0df20ab]:

  • @​sveltejs/kit@​2.6.3

v5.4.4

Compare Source

Patch Changes

• fix: import node:process instead of using globals (#​12641)

• Updated dependencies [e798ef718f163bed4f93e1918bd8294f765376ad]:

  • @​sveltejs/kit@​2.5.28

v5.4.3

Compare Source

Patch Changes

• chore: configure provenance in a simpler manner (#​12570)

• Updated dependencies [087a43d391fc38b8c008fb39a804dc6988974101]:

  • @​sveltejs/kit@​2.5.22

v5.4.2

Compare Source

Patch Changes

• chore: package provenance (#​12567)

• Updated dependencies [4930a8443caa53bcecee7b690cd28e429b1c8a20]:

  • @​sveltejs/kit@​2.5.21

v5.4.1

Compare Source

Patch Changes

• fix: copy .eot, .otf, .ttf, .woff, and woff2 font files when bundling (#​12439)

v5.4.0

Compare Source

Minor Changes

• chore(deps): upgrade to esbuild 0.21 (#​12415)

Patch Changes

• Updated dependencies [84298477a014ec471839adf7a4448d91bc7949e4, 5645614f497931f587b7cb8b3c885fce892a6a72, 84298477a014ec471839adf7a4448d91bc7949e4]:
  • @​sveltejs/kit@​2.5.18

v5.3.2

Compare Source

Patch Changes

• fix: remove images from route-level config (#​12280)

• chore: add keywords for discovery in npm search (#​12330)

• Updated dependencies [25acb1d9fce998dccd8050b93cf4142c2b082611, 642c4a4aff4351b786fe6274aa2f0bf7d905faf9, 0a0e9aa897123ebec50af08e9385b2ca4fc5bb28]:

  • @​sveltejs/kit@​2.5.11

v5.3.1

Compare Source

Patch Changes

• chore(deps): upgrade to @vercel/nft version 0.27.1 (#​12274)

v5.3.0

Compare Source

Minor Changes

• chore(deps): upgrade esbuild (#​12118)

Patch Changes

• Updated dependencies [bbab296f6fcc05af6b999182798bcdedabbaa4c9]:
  • @​sveltejs/kit@​2.5.6

v5.2.0

Compare Source

Minor Changes

• feat: add framework metadata in Vercel build output files (#​11800)

• feat: implement version skew protection (#​11987)

v5.1.1

Compare Source

Patch Changes

• fix: handle optional and rest routes for incremental static regeneration (ISR) correctly (#​11928)

v5.1.0

Compare Source

Minor Changes

• feat: allow compatible subset of Node.js built-in modules when targeting edge functions (#​11675)

Patch Changes

• Updated dependencies [36dc54ac740b8b4c6a2b904a1d0aadd8923a875c, 5dae3676b8cc6f8ee0def57340e6a6e591bafecd, ada595908b5501b8f4ac30c89c0d6314f364fde3, e228f8997840b89c6248e1c5df6f3108008a06be]:
  • @​sveltejs/kit@​2.4.1

v5.0.0

Compare Source

Major Changes

• breaking: update peer dependency on @sveltejs/kit (#​11649)

Minor Changes

• feat: support read from $app/server (#​11649)

Patch Changes

• Updated dependencies [288f731c8a5b20cadb9e219f9583f3f16bf8c7b8]:
  • @​sveltejs/kit@​2.4.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
code-block-embed	Error		Apr 1, 2026 8:11pm

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview