Skip to content

Bump the npm_and_yarn group across 1 directory with 8 updates#88

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-061cf26c27
Closed

Bump the npm_and_yarn group across 1 directory with 8 updates#88
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-061cf26c27

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
@sveltejs/kit 2.58.0 2.65.1
svelte 5.55.5 5.56.3
vite 7.3.1 8.0.16
vitest 4.0.15 4.1.8
flatted 3.3.3 3.4.2
js-yaml 4.1.0 4.2.0

Updates @sveltejs/kit from 2.58.0 to 2.65.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.65.1

Patch Changes

  • fix: avoid importing the Vite development client code into builds with a non-standard NODE_ENV (#16023)

  • fix: don't emit the unused bundle and stylesheet files when using bundleStrategy: 'inline' (#16025)

  • fix: reset queries before navigating when invalidateAll is set (#16014)

  • fix: regression in loading assets for absolute path apps (#16026)

@​sveltejs/kit@​2.65.0

Minor Changes

  • feat: allow queries to refresh other queries (#16012)

Patch Changes

  • fix: dedupe remote data (#15991)

  • fix: skip client build if all routes have CSR disabled (#15936)

@​sveltejs/kit@​2.64.0

Minor Changes

  • feat: allow commands to receive File objects (#15978)

Patch Changes

  • fix: avoid server components from being bundled if SSR is turned off for a route (#15982)

@​sveltejs/kit@​2.63.1

Patch Changes

  • fix: use SSE for query.live (#15957)

  • fix: use forward slashes in the generated env.d.ts import path on Windows (#15977)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.65.1

Patch Changes

  • fix: avoid importing the Vite development client code into builds with a non-standard NODE_ENV (#16023)

  • fix: don't emit the unused bundle and stylesheet files when using bundleStrategy: 'inline' (#16025)

  • fix: reset queries before navigating when invalidateAll is set (#16014)

  • fix: regression in loading assets for absolute path apps (#16026)

2.65.0

Minor Changes

  • feat: allow queries to refresh other queries (#16012)

Patch Changes

  • fix: dedupe remote data (#15991)

  • fix: skip client build if all routes have CSR disabled (#15936)

2.64.0

Minor Changes

  • feat: allow commands to receive File objects (#15978)

Patch Changes

  • fix: avoid server components from being bundled if SSR is turned off for a route (#15982)

2.63.1

Patch Changes

  • fix: use SSE for query.live (#15957)

  • fix: use forward slashes in the generated env.d.ts import path on Windows (#15977)

... (truncated)

Commits
  • c5382b7 Version Packages (#16016)
  • b82ba81 fix: don't emit the unused bundle and stylesheet files when using `bundleStra...
  • 1f9bc79 fix: regression in loading assets for apps configured with absolute paths (#1...
  • 7e4cade fix: don't emit the dev bootstrap into builds with a non-standard NODE_ENV (#...
  • 9d963e4 fix: reset queries before navigating when invalidateAll is set (#16014)
  • ce77bf3 Version Packages (#15988)
  • 372a6a6 fix: dedupe remote data (#15991)
  • 607713e fix: copy public directory assets if client build is skipped (#16004)
  • 3968fb9 fix: skip client build if all routes have CSR disabled (#15936)
  • 1c30797 Version Packages (#15984)
  • Additional commits viewable in compare view

Updates svelte from 5.55.5 to 5.56.3

Release notes

Sourced from svelte's releases.

svelte@5.56.3

Patch Changes

  • fix: ignore errors that occur in destroyed effects (#18384)

  • fix: type BigInts in $state.snapshot(...) return values (#18388)

svelte@5.56.2

Patch Changes

  • fix: properly track effect end node for async sibling component (#18371)

  • fix: prevent false-positive reactivity loss warning (#18373)

  • chore: bump esrap dependency (#18372)

  • fix: ignore declaration tags for animation directive (#18366)

  • fix: reject pending async deriveds on discard (#18308)

svelte@5.56.1

Patch Changes

  • fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

  • fix: parse declaration tag contents more robustly (#18353)

  • fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

  • fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

  • fix: tolerate whitespace before let/const in declaration tags (#18348)

  • fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

  • fix: more robust parsing of declaration tags with regards to type (#18330)

  • fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

  • fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

  • fix: check references for blockers on server, too (#18352)

svelte@5.56.0

Minor Changes

  • feat: allow declarations in the template (#18282)

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.56.3

Patch Changes

  • fix: ignore errors that occur in destroyed effects (#18384)

  • fix: type BigInts in $state.snapshot(...) return values (#18388)

5.56.2

Patch Changes

  • fix: properly track effect end node for async sibling component (#18371)

  • fix: prevent false-positive reactivity loss warning (#18373)

  • chore: bump esrap dependency (#18372)

  • fix: ignore declaration tags for animation directive (#18366)

  • fix: reject pending async deriveds on discard (#18308)

5.56.1

Patch Changes

  • fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

  • fix: parse declaration tag contents more robustly (#18353)

  • fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

  • fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

  • fix: tolerate whitespace before let/const in declaration tags (#18348)

  • fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

  • fix: more robust parsing of declaration tags with regards to type (#18330)

  • fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

  • fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

  • fix: check references for blockers on server, too (#18352)

5.56.0

Minor Changes

... (truncated)

Commits

Updates vite from 7.3.1 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

8.0.15 (2026-06-01)

Features

Bug Fixes

  • capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
  • deps: update all non-major dependencies (#22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

Code Refactoring

8.0.14 (2026-05-21)

Features

Bug Fixes

  • deps: update all non-major dependencies (#22471) (98b8163)
  • dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
  • html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
  • optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

  • deps: update rolldown-related dependencies (#22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)

Code Refactoring

  • glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

Updates vitest from 4.0.15 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

... (truncated)

Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • e399846 chore: release v4.1.5
  • 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
  • 9787ded fix: respect diff config options in soft assertions (#8696)
  • 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
  • Additional commits viewable in compare view

Updates vitest from 4.0.15 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

... (truncated)

Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • e399846 chore: release v4.1.5
  • 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
  • 9787ded fix: respect diff config options in soft assertions (#8696)
  • 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
  • Additional commits viewable in compare view

Updates esbuild from 0.27.7 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Changelog

Sourced from esbuild's changelog.

0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates postcss from 8.5.6 to 8.5.15

Release ...

Description has been truncated

@dependabot
Bump the npm_and_yarn group across 1 directory with 8 updates
89de95a 
Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) | `2.58.0` | `2.65.1` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.5` | `5.56.3` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `8.0.16` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.15` | `4.1.8` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.2.0` |



Updates `@sveltejs/kit` from 2.58.0 to 2.65.1
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.65.1/packages/kit)

Updates `svelte` from 5.55.5 to 5.56.3
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.56.3/packages/svelte)

Updates `vite` from 7.3.1 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

Updates `vitest` from 4.0.15 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

Updates `vitest` from 4.0.15 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

Updates `esbuild` from 0.27.7 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.7...v0.28.0)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `js-yaml` from 4.1.0 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

Updates `postcss` from 8.5.6 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.15)

---
updated-dependencies:
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.65.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.56.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 14, 2026
@ryanatkn ryanatkn closed this Jun 14, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-061cf26c27 branch June 14, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ryanatkn