chore(deps): bump svelte to v5 + kit to 2.61.x for vulnerability fixes

[oskarszoon]

Summary

Bumps ui/dashboard from Svelte v4 to Svelte v5 + SvelteKit ≥ 2.61 + matching tooling. Closes 12 Dependabot alerts identified by the 2026-05-21 triage as fix_class=dep-bump-major:

Closed by svelte v5 upgrade (6)

• integer underflow fix #95 DOM clobbering XSS (GHSA-rcqx-6q8c-2c42) — patched in 5.55.7
• fix: add DoS protection for UTXO deserialization #94 SSR XSS via spread attributes (GHSA-pr6f-5x2q-rwfp) — patched in 5.55.7
• Add block fetch prefetch pipeline and improve shutdown consistency #46 SSR XSS via bind:innerText (GHSA-phwv-c562-gvmh) — patched in 5.53.5
• Add sanity health check for public asset service #34 SSR attribute spreading (GHSA-crpf-4hrx-3jrp) — patched in 5.51.5
• Optimize PR test workflow: Parallelize smoke and sequential tests #31 SSR XSS via spread (GHSA-f7gr-6p89-r883) — patched in 5.51.5
• Add missing new fields to node status messages #30 SSR <svelte:element> injection (GHSA-m56q-vw4c-c2cp) — patched in 5.51.5

Closed by @sveltejs/kit upgrade (1)

• [BUG] UI transaction view page hang #14 SSRF/DoS via prerender host header (GHSA-j62c-4x62-9r35) — patched in 2.49.5; this PR uses 2.61.x

Closed transitively via kit (5)

• Limit number of cleanup operations to same as connection size #93 devalue __proto__ own-property emission (GHSA-mwv9-gp5h-frr4) — patched in 5.6.4
• Disable go-metrics for Kafka to prevent memory leak #53 devalue parse/unflatten proto pollution (GHSA-cfw5-2vxh-hr84) — patched in 5.6.4
• Fix sendrawtransaction to return txid string and validate synchronously #35 devalue uneval proto pollution (GHSA-8qm3-746x-r74r) — patched in 5.6.3
• Docs/fork and pull request guidelines #16 devalue DoS via ArrayBuffer hydration (GHSA-g2pg-6438-jwpf) — patched in 5.6.2
• fix(ui): resolve infinite recursion in transaction viewer #15 devalue DoS via typed array hydration (GHSA-vw5p-8cq8-m7mv) — patched in 5.6.2

Migration depth

Minimum-to-compile. No runes-mode conversion. on:click, $:, export let, <slot> syntax all kept. Goal was to ship the CVE fix, not refactor 88 components.

Tooling bumps required by svelte v5 peer requirements

• @sveltejs/vite-plugin-svelte ^3.1 → ^6 (v6 requires vite ^6 or ^7, svelte ^5)
• vite ^5.4 → ^7
• svelte-check ^3.6 → ^4
• @poppanator/sveltekit-svg 4.1.3 → ^7 (drops legacy css: "none" flag which svelte 5 rejects)

Component changes

Svelte 5 enforces explicit closing of non-void HTML elements (<div></div> instead of <div />). Converted 51 self-closing non-void tags across 33 files via a small mechanical pass; svelte-namespace elements (svelte:component, svelte:window, etc.) left as self-closing per Svelte's namespace rules. No semantic changes.

Test plan

• npm install clean (no peer-dep errors after sveltekit-svg + plugin bumps)
• npm run build — 1714 modules transformed, warnings only (pre-existing a11y + unused CSS)
• npm run test:unit -- --run — 29 vitest tests pass
• docker build -t teranode:latest . succeeds
• Manual smoke test from the Docker image — home, network, viewer, settings, p2p, admin all render with no console errors and interactive elements responding
• go build ./... clean (sanity, no Go changes)
• go vet ./... only flags 4 pre-existing issues in test/utils/

Out of scope

• Runes-mode component migration. Defer to a separate session — 88 components, much larger surface, no CVE-driven urgency.
• Playwright integration tests — covered by CI.

Source: docs/superpowers/specs/2026-05-21-vuln-triage/report.md and docs/superpowers/specs/2026-05-27-svelte-v5-upgrade-design.md.

[github-actions]

🤖 Claude Code Review

Status: Complete

---

Current Review:

No issues found. This is a clean, well-documented security-focused dependency upgrade.

Summary:

• Bumps Svelte v4 → v5.55.9 to close 6 CVEs (integer underflow fix #95, fix: add DoS protection for UTXO deserialization #94, Add block fetch prefetch pipeline and improve shutdown consistency #46, Add sanity health check for public asset service #34, Optimize PR test workflow: Parallelize smoke and sequential tests #31, Add missing new fields to node status messages #30)
• Bumps @sveltejs/kit v2.5.0 → v2.61.1 to close SSRF/DoS CVE ([BUG] UI transaction view page hang #14) and 5 transitive devalue CVEs
• Required tooling updates: vite-plugin-svelte v6, vite v7, svelte-check v4, sveltekit-svg v7
• Component changes are mechanical: 51 self-closing HTML tags converted to explicit closing tags per Svelte 5 requirements
• No runes-mode conversion (legacy syntax preserved: on:click, $:, export let, <slot>)
• Test plan documented and executed (build, unit tests, Docker, smoke tests)

Minor documentation note:
The PR description references docs/superpowers/specs/2026-05-21-vuln-triage/report.md and docs/superpowers/specs/2026-05-27-svelte-v5-upgrade-design.md which do not exist in the repository. This is purely informational and does not affect the correctness of the code changes.

[github-actions]

Benchmark Comparison Report

Baseline: main (unknown)

Current: PR-968 (a8a3ec1)

Summary

• Regressions: 0
• Improvements: 0
• Unchanged: 144
• Significance level: p < 0.05

All benchmark results (sec/op)

Benchmark	Baseline	Current	Change	p-value
_NewBlockFromBytes-4	1.299µ	1.258µ	~	0.700
SplitSyncedParentMap_SetIfNotExists/256_buckets-4	54.90n	54.94n	~	0.600
SplitSyncedParentMap_SetIfNotExists/16_buckets-4	55.01n	55.30n	~	0.300
SplitSyncedParentMap_SetIfNotExists/1_bucket-4	54.93n	54.96n	~	0.700
SplitSyncedParentMap_ConcurrentSetIfNotExists/256_buckets...	25.30n	25.11n	~	1.000
SplitSyncedParentMap_ConcurrentSetIfNotExists/16_buckets_...	42.07n	42.17n	~	0.700
SplitSyncedParentMap_ConcurrentSetIfNotExists/1_bucket_pa...	100.1n	110.1n	~	0.100
MiningCandidate_Stringify_Short-4	166.7n	168.2n	~	0.100
MiningCandidate_Stringify_Long-4	1.250µ	1.254µ	~	0.300
MiningSolution_Stringify-4	653.1n	656.9n	~	0.200
BlockInfo_MarshalJSON-4	1.342µ	1.354µ	~	0.700
NewFromBytes-4	134.5n	133.5n	~	0.400
AddTxBatchColumnar_Validation-4	2.622µ	2.562µ	~	1.000
OffsetValidationLoop-4	641.3n	639.8n	~	1.000
Mine_EasyDifficulty-4	60.16µ	60.55µ	~	0.100
Mine_WithAddress-4	7.546µ	6.778µ	~	0.700
BlockAssembler_AddTx-4	0.02908n	0.02618n	~	0.400
AddNode-4	11.05	10.72	~	0.100
AddNodeWithMap-4	11.88	11.30	~	0.100
DirectSubtreeAdd/4_per_subtree-4	57.64n	57.56n	~	0.400
DirectSubtreeAdd/64_per_subtree-4	29.29n	28.82n	~	0.100
DirectSubtreeAdd/256_per_subtree-4	27.75n	28.37n	~	0.400
DirectSubtreeAdd/1024_per_subtree-4	26.52n	26.58n	~	0.700
DirectSubtreeAdd/2048_per_subtree-4	26.12n	26.19n	~	0.700
SubtreeProcessorAdd/4_per_subtree-4	296.1n	296.5n	~	1.000
SubtreeProcessorAdd/64_per_subtree-4	297.4n	282.0n	~	0.100
SubtreeProcessorAdd/256_per_subtree-4	290.7n	284.7n	~	0.100
SubtreeProcessorAdd/1024_per_subtree-4	281.6n	274.9n	~	0.100
SubtreeProcessorAdd/2048_per_subtree-4	285.0n	275.3n	~	0.100
SubtreeProcessorRotate/4_per_subtree-4	282.2n	281.2n	~	0.700
SubtreeProcessorRotate/64_per_subtree-4	280.9n	277.2n	~	0.100
SubtreeProcessorRotate/256_per_subtree-4	280.9n	280.1n	~	0.800
SubtreeProcessorRotate/1024_per_subtree-4	279.3n	280.2n	~	0.200
SubtreeNodeAddOnly/4_per_subtree-4	55.11n	55.37n	~	0.400
SubtreeNodeAddOnly/64_per_subtree-4	36.11n	36.12n	~	0.700
SubtreeNodeAddOnly/256_per_subtree-4	35.15n	35.08n	~	0.100
SubtreeNodeAddOnly/1024_per_subtree-4	34.51n	34.46n	~	0.200
SubtreeCreationOnly/4_per_subtree-4	110.8n	110.6n	~	0.500
SubtreeCreationOnly/64_per_subtree-4	349.5n	346.0n	~	0.100
SubtreeCreationOnly/256_per_subtree-4	1.219µ	1.215µ	~	0.700
SubtreeCreationOnly/1024_per_subtree-4	3.780µ	3.776µ	~	1.000
SubtreeCreationOnly/2048_per_subtree-4	6.818µ	6.720µ	~	0.100
SubtreeProcessorOverheadBreakdown/64_per_subtree-4	278.2n	280.5n	~	0.100
SubtreeProcessorOverheadBreakdown/1024_per_subtree-4	281.2n	280.2n	~	0.600
ParallelGetAndSetIfNotExists/1k_nodes-4	2.000m	1.989m	~	0.200
ParallelGetAndSetIfNotExists/10k_nodes-4	5.164m	5.103m	~	0.700
ParallelGetAndSetIfNotExists/50k_nodes-4	7.324m	7.013m	~	0.100
ParallelGetAndSetIfNotExists/100k_nodes-4	10.000m	9.602m	~	0.100
SequentialGetAndSetIfNotExists/1k_nodes-4	1.779m	1.798m	~	0.100
SequentialGetAndSetIfNotExists/10k_nodes-4	4.476m	4.419m	~	0.200
SequentialGetAndSetIfNotExists/50k_nodes-4	13.81m	13.76m	~	1.000
SequentialGetAndSetIfNotExists/100k_nodes-4	24.91m	25.14m	~	0.100
ProcessOwnBlockSubtreeNodesParallel/1k_nodes-4	2.056m	2.054m	~	1.000
ProcessOwnBlockSubtreeNodesParallel/10k_nodes-4	8.372m	8.302m	~	0.400
ProcessOwnBlockSubtreeNodesParallel/100k_nodes-4	13.34m	13.07m	~	0.100
ProcessOwnBlockSubtreeNodesSequential/1k_nodes-4	1.789m	1.814m	~	1.000
ProcessOwnBlockSubtreeNodesSequential/10k_nodes-4	7.972m	8.366m	~	0.100
ProcessOwnBlockSubtreeNodesSequential/100k_nodes-4	42.89m	43.64m	~	0.700
DiskTxMap_SetIfNotExists-4	4.258µ	4.163µ	~	0.100
DiskTxMap_SetIfNotExists_Parallel-4	3.984µ	3.862µ	~	0.100
DiskTxMap_ExistenceOnly-4	400.3n	482.4n	~	0.700
Queue-4	211.0n	204.8n	~	0.700
AtomicPointer-4	8.165n	8.133n	~	0.400
ReorgOptimizations/DedupFilterPipeline/Old/10K-4	839.3µ	832.9µ	~	0.100
ReorgOptimizations/DedupFilterPipeline/New/10K-4	746.1µ	736.7µ	~	0.700
ReorgOptimizations/AllMarkFalse/Old/10K-4	121.4µ	129.0µ	~	0.100
ReorgOptimizations/AllMarkFalse/New/10K-4	58.55µ	58.61µ	~	1.000
ReorgOptimizations/HashSlicePool/Old/10K-4	57.14µ	62.59µ	~	0.100
ReorgOptimizations/HashSlicePool/New/10K-4	11.79µ	11.80µ	~	0.400
ReorgOptimizations/NodeFlags/Old/10K-4	5.001µ	5.226µ	~	0.100
ReorgOptimizations/NodeFlags/New/10K-4	1.700µ	1.920µ	~	0.100
ReorgOptimizations/DedupFilterPipeline/Old/100K-4	12.14m	12.69m	~	0.100
ReorgOptimizations/DedupFilterPipeline/New/100K-4	12.65m	12.81m	~	0.700
ReorgOptimizations/AllMarkFalse/Old/100K-4	1.210m	1.283m	~	0.200
ReorgOptimizations/AllMarkFalse/New/100K-4	735.4µ	735.9µ	~	0.400
ReorgOptimizations/HashSlicePool/Old/100K-4	574.6µ	574.9µ	~	1.000
ReorgOptimizations/HashSlicePool/New/100K-4	320.9µ	318.2µ	~	0.700
ReorgOptimizations/NodeFlags/Old/100K-4	50.73µ	50.53µ	~	0.700
ReorgOptimizations/NodeFlags/New/100K-4	17.67µ	17.49µ	~	0.400
TxMapSetIfNotExists-4	52.39n	52.45n	~	0.400
TxMapSetIfNotExistsDuplicate-4	48.13n	48.18n	~	0.700
ChannelSendReceive-4	713.7n	688.0n	~	0.100
CalcBlockWork-4	253.2n	257.1n	~	0.700
CalculateWork-4	340.9n	346.5n	~	0.100
BuildBlockLocatorString_Helpers/Size_10-4	1.319µ	1.311µ	~	0.500
BuildBlockLocatorString_Helpers/Size_100-4	14.96µ	15.30µ	~	0.700
BuildBlockLocatorString_Helpers/Size_1000-4	124.7µ	123.8µ	~	0.400
CatchupWithHeaderCache-4	104.3m	104.4m	~	1.000
_BufferPoolAllocation/16KB-4	3.966µ	4.965µ	~	0.100
_BufferPoolAllocation/32KB-4	10.823µ	8.577µ	~	0.700
_BufferPoolAllocation/64KB-4	17.83µ	17.40µ	~	0.200
_BufferPoolAllocation/128KB-4	35.97µ	32.04µ	~	0.100
_BufferPoolAllocation/512KB-4	125.9µ	124.8µ	~	0.700
_BufferPoolConcurrent/32KB-4	20.11µ	19.84µ	~	1.000
_BufferPoolConcurrent/64KB-4	34.07µ	31.21µ	~	0.100
_BufferPoolConcurrent/512KB-4	161.7µ	158.0µ	~	0.200
_SubtreeDeserializationWithBufferSizes/16KB-4	673.3µ	726.8µ	~	0.100
_SubtreeDeserializationWithBufferSizes/32KB-4	670.2µ	733.8µ	~	0.100
_SubtreeDeserializationWithBufferSizes/64KB-4	668.4µ	734.7µ	~	0.100
_SubtreeDeserializationWithBufferSizes/128KB-4	668.2µ	734.2µ	~	0.100
_SubtreeDeserializationWithBufferSizes/512KB-4	646.9µ	651.5µ	~	0.100
_SubtreeDataDeserializationWithBufferSizes/16KB-4	37.57m	38.56m	~	0.400
_SubtreeDataDeserializationWithBufferSizes/32KB-4	37.67m	37.54m	~	0.700
_SubtreeDataDeserializationWithBufferSizes/64KB-4	37.32m	37.71m	~	0.200
_SubtreeDataDeserializationWithBufferSizes/128KB-4	37.72m	37.55m	~	0.200
_SubtreeDataDeserializationWithBufferSizes/512KB-4	36.99m	37.40m	~	0.200
_PooledVsNonPooled/Pooled-4	662.6n	746.9n	~	0.100
_PooledVsNonPooled/NonPooled-4	8.869µ	8.525µ	~	0.100
_MemoryFootprint/Current_512KB_32concurrent-4	7.182µ	6.929µ	~	0.100
_MemoryFootprint/Proposed_32KB_32concurrent-4	12.85µ	12.24µ	~	0.100
_MemoryFootprint/Alternative_64KB_32concurrent-4	10.49µ	10.39µ	~	0.700
_prepareTxsPerLevel-4	427.4m	423.4m	~	1.000
_prepareTxsPerLevelOrdered-4	4.051m	4.660m	~	0.100
_prepareTxsPerLevel_Comparison/Original-4	415.2m	430.6m	~	0.200
_prepareTxsPerLevel_Comparison/Optimized-4	4.036m	3.889m	~	0.700
SubtreeSizes/10k_tx_4_per_subtree-4	1.434m	1.443m	~	1.000
SubtreeSizes/10k_tx_16_per_subtree-4	332.4µ	331.3µ	~	1.000
SubtreeSizes/10k_tx_64_per_subtree-4	81.09µ	80.42µ	~	0.400
SubtreeSizes/10k_tx_256_per_subtree-4	19.98µ	20.24µ	~	0.700
SubtreeSizes/10k_tx_512_per_subtree-4	9.904µ	9.899µ	~	0.700
SubtreeSizes/10k_tx_1024_per_subtree-4	4.885µ	4.937µ	~	1.000
SubtreeSizes/10k_tx_2k_per_subtree-4	2.468µ	2.454µ	~	0.400
BlockSizeScaling/10k_tx_64_per_subtree-4	77.87µ	78.96µ	~	0.100
BlockSizeScaling/10k_tx_256_per_subtree-4	19.86µ	19.58µ	~	0.200
BlockSizeScaling/10k_tx_1024_per_subtree-4	4.971µ	4.964µ	~	1.000
BlockSizeScaling/50k_tx_64_per_subtree-4	393.1µ	393.5µ	~	0.700
BlockSizeScaling/50k_tx_256_per_subtree-4	97.34µ	98.18µ	~	0.700
BlockSizeScaling/50k_tx_1024_per_subtree-4	24.70µ	24.44µ	~	0.400
SubtreeAllocations/small_subtrees_exists_check-4	162.3µ	162.0µ	~	0.700
SubtreeAllocations/small_subtrees_data_fetch-4	171.8µ	168.9µ	~	0.100
SubtreeAllocations/small_subtrees_full_validation-4	331.6µ	330.4µ	~	0.700
SubtreeAllocations/medium_subtrees_exists_check-4	9.932µ	9.867µ	~	0.400
SubtreeAllocations/medium_subtrees_data_fetch-4	10.71µ	10.55µ	~	0.400
SubtreeAllocations/medium_subtrees_full_validation-4	20.53µ	20.23µ	~	1.000
SubtreeAllocations/large_subtrees_exists_check-4	2.409µ	2.439µ	~	0.400
SubtreeAllocations/large_subtrees_data_fetch-4	2.654µ	2.617µ	~	0.700
SubtreeAllocations/large_subtrees_full_validation-4	5.153µ	5.120µ	~	1.000
StoreBlock_Sequential/BelowCSVHeight-4	255.2µ	253.8µ	~	0.400
StoreBlock_Sequential/AboveCSVHeight-4	259.0µ	253.9µ	~	0.100
GetUtxoHashes-4	257.6n	256.6n	~	1.000
GetUtxoHashes_ManyOutputs-4	42.11µ	42.22µ	~	0.400
_NewMetaDataFromBytes-4	227.5n	227.0n	~	1.000
_Bytes-4	407.6n	393.7n	~	0.700
_MetaBytes-4	138.0n	135.4n	~	0.100

---

Threshold: >10% with p < 0.05 | Generated: 2026-05-28 08:56 UTC

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ordishs]

Approving — surgical, well-scoped fix for 12 CVEs. Tag-closing conversions are HTML5-spec-correct and semantically identical; tooling bumps chain together coherently; vite.config.ts already omits the removed css: "none" knob so the @poppanator/sveltekit-svg v4→v7 jump is clean.

One ask before merge: please pin the Node floor in ui/dashboard/package.json — Vite 7 requires Node 20.19+ / 22.12+ and there's no engines field, .nvmrc, or version pin anywhere in the dashboard build path (Makefile:157 just calls npm install inside teranode-base:build-latest). Add:

"engines": { "node": ">=20.19.0" }

so npm install fails fast if the base image ever drifts to an older Node, instead of producing a cryptic Vite/Rollup error downstream.

Non-blocking follow-ups:

• File an issue tracking the deferred runes-mode migration so deprecation warnings for <slot>, $$slots, export let, $:, and on:event don't get lost in prod console logs.
• Quick npm ls eslint-plugin-storybook to confirm no peer-dep complaints on Svelte 5.

LGTM otherwise.

[oskarszoon]

Engines pin added in 02247ad1c. Build clean.

npm ls eslint-plugin-storybook is clean — installed at 0.6.15, no UNMET peers, no svelte in its peerDependencies. The plugin lints *.stories.* files and is JS-framework-agnostic on the Svelte 5 axis.

Filed #977 to track the deferred runes-mode migration so the deprecation warnings don't get lost in prod console logs.