fix(deps): update dependency devalue to v5.6.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
devalue	5.5.0 → 5.6.2

GitHub Vulnerability Alerts

CVE-2026-22774

Summary

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array.

Details

The parser's typed array hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system.

Impact

This is a denial of service vulnerability affecting systems that use devalue.parse to handle data from potentially untrusted sources.

Affected systems should upgrade to patched versions immediately.

CVE-2026-22775

Summary

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input.

Details

The parser's ArrayBuffer hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system.

Impact

This is a denial of service vulnerability affecting systems that use devalue.parse to handle data from potentially untrusted sources.

Affected systems should upgrade to patched versions immediately.

---

Release Notes

sveltejs/devalue (devalue)

v5.6.2

Compare Source

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Compare Source

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Compare Source

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	devalue@​5.5.0 ⏵ 5.6.2	+1	+22	+1	-1

View full report