Skip to content

Bump the npm_and_yarn group across 1 directory with 11 updates#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-1448da784b
Open

Bump the npm_and_yarn group across 1 directory with 11 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-1448da784b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
@sveltejs/kit 1.7.1 2.59.1
lodash 4.17.21 4.18.1
svelte 3.55.1 5.55.5
@sveltejs/adapter-vercel 1.0.0-next.47 removed
braces 3.0.2 3.0.3
picomatch 2.3.1 2.3.2

Updates @sveltejs/kit from 1.7.1 to 2.59.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.59.1

Patch Changes

  • fix: resolve paths to route files with the letter drive on Windows (#15793)

@​sveltejs/kit@​2.59.0

Minor Changes

  • feat: support query.batch in requested(...) (#15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

  • feat: experimental query.live function (#15705)

Patch Changes

  • fix: unwrap Promise in RemoteCommand output type (#15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#15753)

  • fix: make sure queries always get started correctly (#15705)

  • fix: allow plain functions as overrides in updates (#15705)

@​sveltejs/kit@​2.58.0

Minor Changes

  • breaking: require limit in requested (as originally intended) (#15739)

  • feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#15739)

  • breaking: requested now yields { arg, query } entries instead of the validated argument (#15739)

Patch Changes

  • fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#15699)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.59.1

Patch Changes

  • fix: resolve paths to route files with the letter drive on Windows (#15793)

2.59.0

Minor Changes

  • feat: support query.batch in requested(...) (#15751)

  • breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

  • feat: experimental query.live function (#15705)

Patch Changes

  • fix: unwrap Promise in RemoteCommand output type (#15771)

  • fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

  • fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

  • fix: remote forms with default values defined by field.as('text', defaultValue) now correctly reset to the provided default values once submitted (#15753)

  • fix: make sure queries always get started correctly (#15705)

  • fix: allow plain functions as overrides in updates (#15705)

2.58.0

Minor Changes

  • breaking: require limit in requested (as originally intended) (#15739)

  • feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#15739)

  • breaking: requested now yields { arg, query } entries instead of the validated argument (#15739)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​sveltejs/kit since your current version.


Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates postcss from 8.4.19 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

  • Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

  • Fixed package.jsonexports compatibility with some tools (by @​JounQin).

8.5.4

8.5.3

... (truncated)

Commits
  • 3ec1394 Release 8.5.14 version
  • f2bb827 Update dependencies
  • d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
  • 68bd213 fix: always call raw to retrieve raw values
  • af58cf1 Release 8.5.13 version
  • f227dbd Temporary ignore pnpm 11 config
  • d3abd40 Update dependencies
  • dd06c3e Revert stringifier changes because of the conflict with postcss-scss
  • ae889c8 Try to fix CI
  • e0093e4 Move to pnpm 11
  • Additional commits viewable in compare view

Updates svelte from 3.55.1 to 5.55.5

Release notes

Sourced from svelte's releases.

svelte@5.55.5

Patch Changes

  • fix: don't mark deriveds while an effect is updating (#18124)

  • fix: do not dispatch introstart event with animation of animate directive (#18122)

svelte@5.55.4

Patch Changes

  • fix: never mark a child effect root as inert (#18111)

  • fix: reset context after waiting on blockers of @const expressions (#18100)

  • fix: keep flushing new eager effects (#18102)

svelte@5.55.3

Patch Changes

  • fix: ensure proper HMR updates for dynamic components (#18079)

  • fix: correctly calculate @const blockers (#18039)

  • fix: freeze deriveds once their containing effects are destroyed (#17921)

  • fix: defer error boundary rendering in forks (#18076)

  • fix: avoid false positives for reactivity loss warning (#18088)

svelte@5.55.2

Patch Changes

  • fix: invalidate @const tags based on visible references in legacy mode (#18041)

  • fix: handle parens in template expressions more robustly (#18075)

  • fix: disallow -- in idPrefix (#18038)

  • fix: correct types for ontoggle on <details> elements (#18063)

  • fix: don't override $destroy/set/on instance methods in dev mode (#18034)

  • fix: unskip branches of earlier batches after commit (#18048)

  • fix: never set derived.v inside fork (#18037)

  • fix: skip rebase logic in non-async mode (#18040)

  • fix: don't reset status of uninitialized deriveds (#18054)

... (truncated)

Changelog

Sourced from svelte's changelog.

svelte

4.2.3

Patch Changes

  • fix: improve a11y-click-events-have-key-events message (#9358)

  • fix: more robust hydration of html tag (#9184)

4.2.2

Patch Changes

  • fix: support camelCase properties on custom elements (#9328)

  • fix: add missing plaintext-only value to contenteditable type (#9242)

  • chore: upgrade magic-string to 0.30.4 (#9292)

  • fix: ignore trailing comments when comparing nodes (#9197)

4.2.1

Patch Changes

  • fix: update style directive when style attribute is present and is updated via an object prop (#9187)

  • fix: css sourcemap generation with unicode filenames (#9120)

  • fix: do not add module declared variables as dependencies (#9122)

  • fix: handle svelte:element with dynamic this and spread attributes (#9112)

  • fix: silence false positive reactive component warning (#9094)

  • fix: head duplication when binding is present (#9124)

  • fix: take custom attribute name into account when reflecting property (#9140)

  • fix: add indeterminate to the list of HTMLAttributes (#9180)

  • fix: recognize option value on spread attribute (#9125)

4.2.0

Minor Changes

  • feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for svelte since your current version.


Removes @sveltejs/adapter-vercel

Updates braces from 3.0.2 to 3.0.3

Commits

Updates cookie from 0.5.0 to 0.6.0

Release notes

Sourced from cookie's releases.

0.6.0

  • Add partitioned option
Changelog

Sourced from cookie's changelog.

0.6.0 / 2023-11-06

  • Add partitioned option
Commits

Updates devalue from 4.3.0 to 5.8.0

Release notes

Sourced from devalue's releases.

v5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

... (truncated)

Changelog

Sourced from devalue's changelog.

5.8.0

Minor Changes

  • c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

  • 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

  • df2e284: feat: use native alternatives to encode/decode base64
  • 498656e: feat: add DataView support
  • a210130: feat: whitelist Float16Array
  • df2e284: feat: simplify TypedArray slices

Patch Changes

  • 5590634: fix: get uneval type handling up to parity with stringify
  • 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for devalue since your current version.


Updates esbuild from 0.14.27 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
    console.log(string)
  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

v0.27.7

  • Fix lowering of define semantics for TypeScript parameter properties (#4421)

    The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

    // Original code
    class Foo {
      constructor(public x = 1) {}
      y = 2
    }
    // Old output (with --loader=ts --target=es2021)
    class Foo {
    constructor(x = 1) {
    this.x = x;
    __publicField(this, "y", 2);
    }
    x;
    }
    // New output (with --loader=ts --target=es2021)
    class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

  • Loader defaults to js for extensionless files (#2776)

    Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

    • CLI:

      esbuild --bundle --loader:=css
      
    • JS:

      esbuild.build({
        bundle: true,
        loader: { '': 'css' },
      })
    • Go:

      api.Build(api.BuildOptions{
        Bundle: true,
        Loader: map[string]api.Loader{"": api.LoaderCSS},
      })

    In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

  • Avoid a syntax error in the presence of direct eval (#2761)

    The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

    // Original code
    if (true) {
      function foo() {}
      console.log(!!foo)
      foo = null
      console.log(!!foo)
    }

... (truncated)

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • 2025c9f publish 0.27.7 to npm
  • c6b586e fix typo in Makefile for @esbuild/win32-x64
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.


Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

... (truncated)

Commits

Updates vite from 4.1.1 to 8.0.13

Release notes

Sourced from vite's releases.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

v8.0.1

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.13 (2026-05-14)

Features

  • bundled-dev: add lazy bundling support (#21406) (4f0949f)
  • optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
  • update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

  • build: copy public directory after building same environment with write=false (#22328) (158e8ae)
  • css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
  • css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
  • make isBundled per environment (#22257) (a576326)
  • ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

  • remove irrelevant commits from changelog (#22430) (6ea3838)Description has been truncated

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) | `1.7.1` | `2.59.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `3.55.1` | `5.55.5` |
| [@sveltejs/adapter-vercel](https://github.com/sveltejs/kit/tree/HEAD/packages/adapter-vercel) | `1.0.0-next.47` | `removed` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |



Updates `@sveltejs/kit` from 1.7.1 to 2.59.1
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.59.1/packages/kit)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `postcss` from 8.4.19 to 8.5.14
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.19...8.5.14)

Updates `svelte` from 3.55.1 to 5.55.5
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG-pre-5.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.5/packages/svelte)

Removes `@sveltejs/adapter-vercel`

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `cookie` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Changelog](https://github.com/jshttp/cookie/blob/v0.6.0/HISTORY.md)
- [Commits](jshttp/cookie@v0.5.0...v0.6.0)

Updates `devalue` from 4.3.0 to 5.8.0
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v4.3.0...v5.8.0)

Updates `esbuild` from 0.14.27 to 0.28.0
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2022.md)
- [Commits](evanw/esbuild@v0.14.27...v0.28.0)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `vite` from 4.1.1 to 8.0.13
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.13/packages/vite)

---
updated-dependencies:
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.59.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.14
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.55.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@sveltejs/adapter-vercel"
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-version: 0.6.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.8.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.0.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants