chore(deps): update dependency devalue to v5.6.2 [security] (3.x)#34089

Closed
renovate[bot] wants to merge 1 commit into 3.x from renovate/3.x-npm-devalue-vulnerability

Conversation

@renovate renovate bot (Contributor) commented Jan 15, 2026

This PR contains the following updates:

Package   Change          Age       Confidence
devalue   5.6.1 → 5.6.2   (badge)   (badge)

GitHub Vulnerability Alerts

CVE-2026-22774

Summary

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array.

Details

The parser's typed array hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system.

Impact

This is a denial of service vulnerability affecting systems that use devalue.parse to handle data from potentially untrusted sources.

Affected systems should upgrade to patched versions immediately.

CVE-2026-22775

Summary

Certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input.

Details

The parser's ArrayBuffer hydration logic does not properly validate input before processing. Specially crafted inputs can cause disproportionate memory allocation or CPU usage on the receiving system.

Impact

This is a denial of service vulnerability affecting systems that use devalue.parse to handle data from potentially untrusted sources.

Affected systems should upgrade to patched versions immediately.


Release Notes

sveltejs/devalue (devalue)

v5.6.2

Compare Source

Patch Changes
  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
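As an added illustration of the pattern both advisories describe (a hydrator that assumes its input type without checking it), not devalue's own source: a typed-array hydrator that trusts its input beside one that verifies it is an ArrayBuffer, and an ArrayBuffer hydrator that validates its base64 input and bounds the decoded size before decoding. The function names and the size cap are assumptions for this example.

```javascript
// Added illustration of the unchecked-assumption pattern; these are
// hypothetical hydrators, not devalue's source. "Hydrate" here means turning a
// deserialized token back into the live value it represents.

// Unchecked: assumes `input` is an ArrayBuffer. A typed-array constructor given
// a number allocates that many elements instead of viewing a buffer, so a
// caller-chosen number becomes an allocation the application never intended.
function hydrateTypedArrayUnchecked(input) {
  return new Uint8Array(input);
}

// Validated: confirm the assumption before constructing the view.
function hydrateTypedArrayChecked(input) {
  if (!(input instanceof ArrayBuffer)) {
    throw new TypeError("typed array payload must reference an ArrayBuffer");
  }
  return new Uint8Array(input);
}

// Validated ArrayBuffer hydration: require a well-formed base64 string and
// bound the decoded size before any decoding work happens.
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
const MAX_DECODED_BYTES = 1 << 20; // constructed cap for this example

function hydrateArrayBufferChecked(input) {
  if (typeof input !== "string" || !BASE64.test(input)) {
    throw new TypeError("ArrayBuffer payload must be a base64 string");
  }
  if ((input.length / 4) * 3 > MAX_DECODED_BYTES) {
    throw new RangeError("ArrayBuffer payload exceeds the size limit");
  }
  const bytes = Buffer.from(input, "base64");
  // Copy out of Node's shared pool so the result is exactly the decoded bytes.
  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
}

// Small demonstration: a number arrives where an ArrayBuffer was expected.
function demo() {
  const confused = hydrateTypedArrayUnchecked(16).length; // 16 elements, no buffer
  let rejected = false;
  try { hydrateTypedArrayChecked(16); } catch (e) { rejected = e instanceof TypeError; }
  return { confused, rejected, decoded: hydrateArrayBufferChecked("AQID").byteLength };
}
```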

@renovate renovate bot requested a review from danielroe as a code owner January 15, 2026 19:12

@socket-security socket-security bot commented Jan 15, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                  Supply Chain Security / Vulnerability / Quality / Maintenance / License
Updated   devalue@5.6.1 ⏵ 5.6.2    100100 +22100 +193100

View full report

@pkg-pr-new pkg-pr-new bot commented Jan 15, 2026

  • @nuxt/kit: npm i https://pkg.pr.new/@nuxt/kit@34089
  • @nuxt/nitro-server: npm i https://pkg.pr.new/@nuxt/nitro-server@34089
  • nuxt: npm i https://pkg.pr.new/nuxt@34089
  • @nuxt/rspack-builder: npm i https://pkg.pr.new/@nuxt/rspack-builder@34089
  • @nuxt/schema: npm i https://pkg.pr.new/@nuxt/schema@34089
  • @nuxt/vite-builder: npm i https://pkg.pr.new/@nuxt/vite-builder@34089
  • @nuxt/webpack-builder: npm i https://pkg.pr.new/@nuxt/webpack-builder@34089

commit: b831566

@codspeed-hq codspeed-hq bot commented Jan 15, 2026

Merging this PR will not alter performance

✅ 10 untouched benchmarks

Comparing renovate/3.x-npm-devalue-vulnerability (b831566) with 3.x (0c3c1b7)

@renovate renovate bot force-pushed the renovate/3.x-npm-devalue-vulnerability branch from f75b8d0 to b831566 Compare January 19, 2026 17:17
@danielroe danielroe closed this Jan 20, 2026
@renovate renovate bot (Contributor, Author) commented Jan 20, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^5.6.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/3.x-npm-devalue-vulnerability branch January 20, 2026 00:23