From c2d8295b485afefb4ebbf4a7c97694e0162bbae3 Mon Sep 17 00:00:00 2001
From: Ali Jaafer <93264687+i5d6@users.noreply.github.com>
Date: Sun, 8 Feb 2026 01:06:54 +0300
Subject: [PATCH] Update peer dependency for @sveltejs/kit

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
---
 packages/flags/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/flags/package.json b/packages/flags/package.json
index 6ba6da0f..909cde2c 100644
--- a/packages/flags/package.json
+++ b/packages/flags/package.json
@@ -96,7 +96,7 @@
   },
   "peerDependencies": {
     "@opentelemetry/api": "^1.7.0",
-    "@sveltejs/kit": "*",
+    "@sveltejs/kit": "^2.49.5",
     "next": "*",
     "react": "*",
     "react-dom": "*"