nerdy-tech-com-gitub
Owner

Snyk has created this PR to upgrade @sveltejs/vite-plugin-svelte from 3.1.1 to 6.1.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 28 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Excessive Platform Resource Consumption within a Loop | SNYK-JS-BRACES-6838727 | 57 | Proof of Concept |
| high | Incorrect Authorization | SNYK-JS-VITE-9653016 | 57 | Proof of Concept |
| medium | Improper Input Validation | SNYK-JS-NANOID-8492085 | 57 | No Known Exploit |
| medium | Cross-site Scripting (XSS) | SNYK-JS-ROLLUP-8073097 | 57 | Proof of Concept |
| medium | Directory Traversal | SNYK-JS-SUPABASEAUTHJS-10255365 | 57 | No Known Exploit |
| medium | Cross-site Scripting (XSS) | SNYK-JS-SVELTEJSKIT-9690586 | 57 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-VITE-8023174 | 57 | Proof of Concept |
| medium | Origin Validation Error | SNYK-JS-VITE-8648411 | 57 | Proof of Concept |
| medium | Incorrect Authorization | SNYK-JS-VITE-9512410 | 57 | Mature |
| medium | Access Control Bypass | SNYK-JS-VITE-9576207 | 57 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-VITE-9685035 | 57 | Proof of Concept |
| medium | Directory Traversal | SNYK-JS-VITE-9919777 | 57 | Proof of Concept |
| low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 57 | Proof of Concept |
| low | Cross-site Scripting (XSS) | SNYK-JS-SVELTEJSKIT-8400875 | 57 | No Known Exploit |
| low | Cross-site Scripting (XSS) | SNYK-JS-SVELTEJSKIT-8400876 | 57 | No Known Exploit |
| low | Cross-site Scripting (XSS) | SNYK-JS-VITE-8022916 | 57 | Proof of Concept |

Release notes
Package name: @sveltejs/vite-plugin-svelte
  • 6.1.0 - 2025-07-15

    Minor Changes

    • feat: add support for the new experimental.async option and apply dynamicCompileOptions when compiling Svelte modules (#1176)

    Patch Changes

    • skip comment blocks when reporting compiler errors that might be caused by a preprocessor issue (#1166)

    • increase logLevel to info for "no Svelte config found" message (#1179)

  • 6.0.0 - 2025-07-10

    Major Changes

    • drop support for node18 and update exports map to use default export. cjs is supported via require esm in node 20.19+ (#1129)

    • Remove experimental "advanced raw queries" feature. Basic File.svelte?raw is still supported. (#1145)

    • Using the typescript preprocessor now requires a tsconfig.json with verbatimModuleSyntax enabled, e.g. @tsconfig/svelte (#1135)

    • remove support for loading commonjs svelte config files (#1142)

    • bump vite peer dependency to ^6.3.0 || ^7.0.0 (#1130)

    • define filters using object hook syntax and optimize the filter for resolveId (#1132)

      NOTE
      include logic has changed to files matching svelteConfig.include OR svelteConfig.extensions. Previously only files matching both were loaded and transformed.

    • split preprocess and compile into separate plugins (#1145)

      It allows vite plugins to transform code between preprocess and compile, see docs and is the recommended way to replace plugin.api.sveltePreprocess usage in other vite plugins.
      You can also use vite-plugin-inspect now to inspect the result of svelte.preprocess by checking the transform of vite-plugin-svelte:preprocess

      NOTE
      This can be a breaking change in case you have other plugins besides vite-plugin-svelte transforming your svelte code
      To fix this, read the docs on how to order plugins in relation to preprocess and compile

    Minor Changes

    • Add experimental support for rolldown-vite (#1135)

    • replace esbuild optimizer with rolldown optimizer if rolldown-vite is used (#1135)

    • add support for loading TypeScript Svelte config files in runtimes that support it (#1142)

      NOTE
      This change only applies to vite-plugin-svelte.

      To use svelte.config.ts in SvelteKit, with the Svelte VS Code extension or other tools reading the Svelte config file, you have to wait until support is implemented there.

    Patch Changes

    • reduce deprecation logging to info and allow disabling it with a flag (#1158)

    • refactor internal caching to reduce code, memory use and avoid perEnvironmentCache (#1154)

    • fix: crawl local workspace private packages devDependencies for generating vite config ssr.noExternal (#1155)

    • log known-issues link when using rolldown-vite (#1144)

    • use vite environment api internally (#1145)

    • remove vite7 beta releases from peerDependency range. (#1151)

    • deprecate plugin.api.sveltePreprocess (#1145)

  • 6.0.0-next.3 - 2025-07-04

    Patch Changes

    • reduce deprecation logging to info and allow disabling it with a flag (#1158)

    • refactor internal caching to reduce code, memory use and avoid perEnvironmentCache (#1154)

    • fix: crawl local workspace private packages devDependencies for generating vite config ssr.noExternal (#1155)

  • 6.0.0-next.2 - 2025-07-02
  • 6.0.0-next.1 - 2025-06-23
  • 6.0.0-next.0 - 2025-06-13
  • 5.1.1 - 2025-07-11

    Patch Changes

    • fix: prevent accidental pollution of svelteconfig.extensions (#1171)
  • 5.1.0 - 2025-06-03
  • 5.0.3 - 2024-12-18
  • 5.0.2 - 2024-12-12
  • 5.0.1 - 2024-11-26

    Patch Changes

    • docs: update usage instructions in readme and link to docs (#1197)
  • 5.0.0 - 2024-11-26

    Major Changes

    • drop support for node18 and update exports map to use default export. cjs is supported via require esm in node 20.19+ (#1129)

    • bump vite peer dependency to ^6.3.0 || ^7.0.0 (#1130)

    Patch Changes

  • 5.0.0-next.0 - 2024-11-25
  • 4.0.4 - 2024-12-18
  • 4.0.3 - 2024-12-12
  • 4.0.2 - 2024-11-25
  • 4.0.1 - 2024-11-15
  • 4.0.0 - 2024-10-19
  • 4.0.0-next.8 - 2024-10-10
  • 4.0.0-next.7 - 2024-09-04
  • 4.0.0-next.6 - 2024-08-05
  • 4.0.0-next.5 - 2024-07-27
  • 4.0.0-next.4 - 2024-07-11
  • 4.0.0-next.3 - 2024-05-27
  • 4.0.0-next.2 - 2024-05-25
  • 4.0.0-next.1 - 2024-05-14
  • 4.0.0-next.0 - 2024-05-09
  • 3.1.2 - 2024-08-22
  • 3.1.1 - 2024-05-29
from @sveltejs/vite-plugin-svelte GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
@sveltejs/vite-plugin-svelte

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/eb57da18-5f27-4221-96f1-d3163d28fd0e?utm_source=github&utm_medium=referral&page=upgrade-pr