chore(deps): update dependency @sveltejs/kit to v2.57.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.55.0 → 2.57.1

GitHub Vulnerability Alerts

CVE-2026-40073

Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.

CVE-2026-40074

redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.57.1

Compare Source

Patch Changes

• fix: better validation for redirect inputs (10d7b44)

• fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

• fix: use default values as fallbacks (#​15680)

• fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes

• feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)

Patch Changes

• fix: use array type for select fields that accept multiple values (#​15591)

• fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

• fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

• fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

• fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

• chore: update JSDoc (#​15640)

v2.56.0

Compare Source

Minor Changes

• breaking: rework client-driven refreshes (#​15562)

• breaking: stabilize remote function caching by sorting object keys (#​15570)

• breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

• feat: support TypeScript 6.0 (#​15595)

• breaking: isolate command-triggered query refresh failures per-query (#​15562)

• feat: use hydratable for remote function transport (#​15533)

• feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes

• fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

• fix: allow using multiple remote functions within one async derived (#​15561)

• fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

• fix: manage queries in their own $effect.root (#​15533)

• fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

• fix: correctly escape backticks when precomputing CSS (#​15593)

• fix: discard obsolete forks before finishing navigation (#​15634)

• chore: tighten up override implementation (#​15562)

• fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

• fix: deduplicate same-cache-key batch calls during SSR (#​15533)

• fix: decrement pending_count when form callback doesn't call submit() (#​15520)

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: fb36d76

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
zag-nextjs	Ready	Preview	Apr 10, 2026 8:16pm
zag-solid	Ready	Preview	Apr 10, 2026 8:16pm
zag-svelte	Ready	Preview	Apr 10, 2026 8:16pm
zag-vue	Ready	Preview	Apr 10, 2026 8:16pm
zag-website	Ready	Preview	Apr 10, 2026 8:16pm