chore(deps): update dependency @sveltejs/adapter-vercel to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/adapter-vercel (source)	^5.4.7 → ^6.0.0

GitHub Vulnerability Alerts

CVE-2026-27118

Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users.

Successful exploitation requires a victim to visit an attacker-controlled link while authenticated.

Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

---

Release Notes

sveltejs/kit (@​sveltejs/adapter-vercel)

v6.3.3

Compare Source

Patch Changes

• fix: ensure build does not copy Vercel build environment system files (#​15400)

v6.3.2

Compare Source

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

v6.3.1

Compare Source

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#​15098)

• fix: prevent isr routes from handling remote function calls (#​15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

v6.3.0

Compare Source

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#​14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

v6.2.0

Compare Source

Minor Changes

• feat: Node 24 support (#​14982)

v6.1.2

Compare Source

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#​14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

v6.1.1

Compare Source

Patch Changes

• chore: improve runtime config parsing (#​14838)

• Updated dependencies [cd72d94, 53b1b73, 2ccc638]:

  • @​sveltejs/kit@​2.48.3

v6.1.0

Compare Source

Minor Changes

• feat: Add experimental support for Bun runtime (#​14817)

Patch Changes

• Updated dependencies [102aecf]:
  • @​sveltejs/kit@​2.48.1

v6.0.0

Compare Source

Major Changes

• breaking: remove Node polyfills (and by extension support for Node 18) (#​14732)

Minor Changes

• feat: parse isr.expiration, allowing it to be a string (#​14691)

Patch Changes

• Updated dependencies [9c933a2, dedda71]:
  • @​sveltejs/kit@​2.47.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
promplate-docs	Ready	Preview, Comment	Apr 15, 2026 9:48am

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.