
Commit 0aac9a0

fix(deps): update dependency svelte to v4.2.19 [security] (#2739)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [svelte](https://svelte.dev) ([source](https://togithub.com/sveltejs/svelte/tree/HEAD/packages/svelte)) | [`4.2.18` -> `4.2.19`](https://renovatebot.com/diffs/npm/svelte/4.2.18/4.2.19) | [![age](https://developer.mend.io/api/mc/badges/age/npm/svelte/4.2.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/svelte/4.2.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/svelte/4.2.18/4.2.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/svelte/4.2.18/4.2.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-45047](https://togithub.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c)

### Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

### Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

- If the string is an attribute value:
  - `"` -> `&quot;`
  - `&` -> `&amp;`
  - Other characters -> No conversion
- Otherwise:
  - `<` -> `&lt;`
  - `&` -> `&amp;`
  - Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.

### PoC

A vulnerable page (`+page.svelte`):

```html
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
```

If a user accesses the following URL,

```
http://localhost:4173/?href=</noscript><script>alert(123)</script>
```

then `alert(123)` will be executed.

### Impact

XSS, when using an attribute within a noscript tag

---

### Release Notes

<details>
<summary>sveltejs/svelte (svelte)</summary>

### [`v4.2.19`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.19)

[Compare Source](https://togithub.com/sveltejs/svelte/compare/[email protected]@4.2.19)

##### Patch Changes

- fix: ensure typings for `<svelte:options>` are picked up ([#12902](https://togithub.com/sveltejs/svelte/pull/12902))
- fix: escape `<` in attribute strings ([#12989](https://togithub.com/sveltejs/svelte/pull/12989))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/fwouts/previewjs).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent b74d2a0 commit 0aac9a0
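The advisory in the commit message explains why escaping only `"` and `&` in attribute values is not enough inside `<noscript>`: with scripting enabled, the browser parses the element's content as raw text up to the first literal `</noscript>`, so the attribute context Svelte assumed on the server no longer exists. The following is an added example, not Svelte's own code or the project's, that models the pre-4.2.19 and 4.2.19 attribute escaping side by side and a minimal model of that parser behaviour; the function names (`escapeAttrVulnerable`, `escapeAttrFixed`, `renderPage`, `markupAfterNoscript`, `containsScript`) and the constructed payload are this example's own.

```javascript
// Added example (not Svelte's code): model of the SSR attribute escaping
// described in CVE-2024-45047, before and after the 4.2.19 fix, plus a
// simulation of how a browser with scripting enabled parses <noscript>.

// Pre-4.2.19 attribute escaping: only `&` and `"` are converted.
// `&` must be replaced first so the `&quot;` it produces is not re-escaped.
function escapeAttrVulnerable(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// 4.2.19 attribute escaping ("escape `<` in attribute strings"): `<` is
// converted too, so an escaped attribute value can never form a closing tag.
function escapeAttrFixed(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// Server-rendered markup for the advisory's vulnerable page, with the
// escaping function supplied by the caller.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Browser model (scripting enabled): the HTML parser treats everything after
// `<noscript>` as raw text until the first literal `</noscript>`. Attribute
// quotes mean nothing in that state. Whatever follows the closing tag is
// parsed as normal markup, so a `<script>` there executes.
// Returns the markup the parser sees outside the <noscript> element.
function markupAfterNoscript(html) {
  const open = html.search(/<noscript>/i);
  if (open === -1) return html;
  const rest = html.slice(open + '<noscript>'.length);
  const close = rest.search(/<\/noscript>/i);
  if (close === -1) return ''; // remainder swallowed as raw text
  return rest.slice(close + '</noscript>'.length);
}

// True when a script element would be parsed (and run) outside <noscript>.
function containsScript(html) {
  return /<script\b/i.test(markupAfterNoscript(html));
}

// Constructed input: the advisory's PoC query-string value.
const PAYLOAD = '</noscript><script>alert(123)</script>';

// Demonstration: the vulnerable escaping leaves `<` untouched, so the
// payload's `</noscript>` closes the element early; the fixed escaping
// turns it into `&lt;/noscript>`, which is just raw text.
console.log('vulnerable:', containsScript(renderPage(PAYLOAD, escapeAttrVulnerable)));
console.log('fixed:     ', containsScript(renderPage(PAYLOAD, escapeAttrFixed)));
```

The parser model only applies when scripting is enabled; with scripting disabled, `<noscript>` content is parsed as ordinary markup and the attribute escaping holds, which is exactly the mismatch between the server's assumption and the browser's tree that the advisory describes. Escaping `<` in attribute values costs nothing in the normal case and removes the ability to close the enclosing raw-text element from inside an attribute.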

File tree

1 file changed

+187
-207
lines changed