fix(deps): vuln minor upgrades — 15 packages (minor: 1 · patch: 14)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• . (pnpm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
storybook	8.6.15	8.6.18	patch	Direct	2 HIGH
@sveltejs/kit	2.53.0	2.57.1	minor	Direct	1 HIGH, 1 MODERATE, 1 LOW
vite	6.4.1	6.4.2	patch	Direct	1 HIGH, 1 MODERATE
svelte	5.53.3	5.53.13	patch	Direct	4 MODERATE
@axe-core/playwright	4.11.0	4.11.2	patch	Direct	-
@babel/core	7.28.5	7.28.6	patch	Direct	-
@codemirror/autocomplete	6.20.0	6.20.1	patch	Direct	-
@codemirror/commands	6.10.1	6.10.3	patch	Direct	-
@codemirror/state	6.5.2	6.5.4	patch	Direct	-
@codemirror/view	6.39.4	6.39.17	patch	Direct	-
@eslint/js	9.39.2	9.39.4	patch	Direct	-
@storybook/addon-a11y	8.6.15	8.6.18	patch	Direct	-
@storybook/addon-actions	8.6.15	8.6.18	patch	Direct	-
@storybook/addon-docs	8.6.15	8.6.18	patch	Direct	-
@storybook/addon-essentials	8.6.14	8.6.18	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
@sveltejs/kit	GHSA-2crg-3p73-43xp	HIGH	@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass	2.53.0	2.57.1
storybook	GHSA-mjf5-7g4m-gx5w	HIGH	Storybook Dev Server is Vulnerable to WebSocket Hijacking	8.6.15	8.6.17
storybook	CVE-2026-27148	HIGH	Storybook Dev Server Vulnerable to WebSocket Hijacking	8.6.15	-
vite	GHSA-p9ff-h696-f583	HIGH	Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket	6.4.1	8.0.5

ℹ️ Other Vulnerabilities (7)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
@sveltejs/kit	GHSA-3f6h-2hrp-w5wx	MODERATE	@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service	2.53.0	2.57.1
svelte	GHSA-phwv-c562-gvmh	MODERATE	Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent	5.53.3	5.53.5
svelte	CVE-2026-27901	MODERATE	Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent	5.53.3	-
svelte	GHSA-qgvg-pr8v-6rr3	MODERATE	Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers	5.53.3	5.53.5
svelte	CVE-2026-27902	MODERATE	Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers	5.53.3	-
vite	GHSA-4w7w-66w2-5vf9	MODERATE	Vite Vulnerable to Path Traversal in Optimized Deps .map Handling	6.4.1	8.0.5
@sveltejs/kit	GHSA-fpg4-jhqr-589c	LOW	SvelteKit has deserialization expansion in unvalidated form remote function leading to Denial of Service (experimental only)	2.53.0	2.53.3

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

storybook (8.6.15 → 8.6.18) — GitHub Release

v8.6.18

8.6.18

• Add request validation

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

vite (6.4.1 → 6.4.2) — GitHub Release

Please refer to CHANGELOG.md for details.

@axe-core/playwright (4.11.0 → 4.11.2) — GitHub Release

v4.11.2

Bug Fixes

• Update axe-core to v4.11.3 (fix: Update axe-core to v4.11.3 dequelabs/axe-core-npm#1306) (71c4179)
• wdio: support v9 wdio switchFrame and switchWindow (fix(wdio): support v9 wdio switchFrame and switchWindow dequelabs/axe-core-npm#1302) (4689273), closes WDIO v9 deprecates switchToFrame and switchToWindow dequelabs/axe-core-npm#1164

v4.11.1

Bug Fixes

• reorder exports to place types first (fix: reorder exports to place types first dequelabs/axe-core-npm#1261) (40d22e3), closes Fix export list order dequelabs/axe-core-npm#1243
• Update axe-core to v4.11.1 (fix: Update axe-core to v4.11.1 dequelabs/axe-core-npm#1271) (77f577e)

@babel/core (7.28.5 → 7.28.6) — GitHub Release

v7.28.6 (2026-01-12)

Thanks @kadhirash and @kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • https://github.com/babel/babel/issues/17589 Improve Unicode handling in code-frame tokenizer (@JLHwung)
• babel-plugin-transform-regenerator
  • https://github.com/babel/babel/issues/17556 fix: transform-regenerator correctly handles scope (@liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • https://github.com/babel/babel/issues/17538 fix: Keep jsx comments (@liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • https://github.com/babel/babel/issues/17606 Polish(standalone): improve message on invalid preset/plugin (@JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • https://github.com/babel/babel/issues/17580 Allow Babel 8 in compatible Babel 7 plugins (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • https://github.com/babel/babel/issues/17555 perf: Use lighter traversal for jsx __source,__self (@liuxingbaoyu)

Committers: 7

• Babel Bot (@babel-bot)
• Eliot Pontarelli (@kolvian)
• Huáng Jùnliàng (@JLHwung)

(truncated — see source for full notes)

@codemirror/autocomplete (6.20.0 → 6.20.1) — Changelog

Bug fixes

Clicking the horizontal dots at the top/bottom of a list of completion options now moves the selection there, so that more completions become visible.

@codemirror/commands (6.10.1 → 6.10.3) — Changelog

Bug fixes

Make sure selection-extending commands preserve the associativity of the selection head.

@codemirror/state (6.5.2 → 6.5.4) — Changelog

Bug fixes

Make SelectionRange.eq return false when the ranges have different goal columns.

@codemirror/view (6.39.4 → 6.39.17) — Changelog

Bug fixes

Improve touch tap-selection on line wrapping boundaries.

Make drawSelection draw our own selection handles on iOS.

Fix an issue where posAtCoords, when querying line wrapping points, got confused by extra empty client rectangles produced by Safari.

@eslint/js (9.39.2 → 9.39.4) — GitHub Release

v9.39.4

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (fix: update dependency minimatch to ^3.1.5 eslint/eslint#20564) (Milos Djermanovic)
• a3c868f fix: update dependency @eslint/eslintrc to ^3.3.4 (fix: update dependency @eslint/eslintrc to ^3.3.4 eslint/eslint#20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (fix: minimatch security vulnerability patch for v9.x eslint/eslint#20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (fix: update ajv to 6.14.0 to address security vulnerabilities eslint/eslint#20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (docs: add deprecation notice partial eslint/eslint#20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (chore: update dependencies for ESLint v9.39.4 eslint/eslint#20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (ci: pin Node.js 25.6.1 eslint/eslint#20563) (Milos Djermanovic)

v9.39.3

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (fix: restore TypeScript 4.0 compatibility in types eslint/eslint#20504) (sethamus)

Chores

• 8594a43 chore: upgrade @eslint/js@9.39.3 (chore: upgrade @eslint/js@9.39.3 eslint/eslint#20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (chore: ignore /docs/v9.x in link checker eslint/eslint#20453) (Milos Djermanovic)

@storybook/addon-a11y (8.6.15 → 8.6.18) — GitHub Release

v8.6.18

8.6.18

• Add request validation

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

@storybook/addon-actions (8.6.15 → 8.6.18) — GitHub Release

v8.6.18

8.6.18

• Add request validation

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

@storybook/addon-docs (8.6.15 → 8.6.18) — GitHub Release

v8.6.18

8.6.18

• Add request validation

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

@storybook/addon-essentials (8.6.14 → 8.6.18) — GitHub Release

v8.6.18

8.6.18

• Add request validation

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

v8.6.15

8.6.15

• Core: Fix .env-file parsing, thanks @JReinhold!

---

Generated by ADMS Sources: 9 GitHub Releases, 4 Changelogs, 2 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.