Update ui deps sync

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@rollup/plugin-alias (source)	^5.0.0 -> ^5.1.1
@rollup/plugin-commonjs (source)	^28.0.0 -> ^28.0.6
@rollup/plugin-json (source)	^6.0.0 -> ^6.1.0
@rollup/plugin-node-resolve (source)	^16.0.0 -> ^16.0.2
@rollup/plugin-replace (source)	^6.0.0 -> ^6.0.2
@rollup/plugin-typescript (source)	^12.0.0 -> ^12.1.4
@types/file-saver (source)	^2.0.1 -> ^2.0.7
@types/node (source)	^20.0.0 -> ^20.19.19
@types/resize-observer-browser (source)	^0.1.5 -> ^0.1.11
@types/semver (source)	^7.5.7 -> ^7.7.1
@upstash/redis	1.25.2 -> 1.35.5
@upstash/redis	1.25.2 -> 1.35.5
autoprefixer	^10.4.2 -> ^10.4.21
ava (source)	^6.1.2 -> ^6.4.1
highlight.js (source)	^11.0.0 -> ^11.11.1
highlightjs-solidity (source)	^2.0.0 -> ^2.0.6
openai	5.13.1 -> 5.23.2
openai	5.13.1 -> 5.23.2
postcss (source)	^8.2.8 -> ^8.5.6
postcss-load-config	^6.0.0 -> ^6.0.1
rollup (source)	^4.0.0 -> ^4.52.4
rollup-plugin-livereload	^2.0.0 -> ^2.0.5
rollup-plugin-svelte	^7.0.0 -> ^7.2.3
rollup-plugin-terser	^7.0.0 -> ^7.0.2
semver	^7.6.0 -> ^7.7.3
sirv-cli	^3.0.0 -> ^3.0.1
svelte-check	^3.0.1 -> ^3.8.6
svelte-preprocess	^5.0.0 -> ^5.1.4
tailwindcss (source)	^3.0.15 -> ^3.4.18
tippy.js (source)	^6.3.1 -> ^6.3.7
tslib (source)	^2.0.0 -> ^2.8.1
typescript (source)	^5.0.0 -> ^5.9.3
util	^0.12.4 -> ^0.12.5

---

Release Notes

rollup/plugins (@​rollup/plugin-node-resolve)

v16.0.2

2025-10-04

Bugfixes

• fix: error thrown with empty entry (#​1893)

upstash/upstash-redis (@​upstash/redis)

v1.35.5

Compare Source

What's Changed

• Update function fromEnv() summary to also include Vercels naming convention by @​Ruitjes in upstash/redis-js#1390
• DX-2161: fall back to returning the message string if message is not parsable by @​CahidArda in upstash/redis-js#1391

New Contributors

• @​Ruitjes made their first contribution in upstash/redis-js#1390

Full Changelog: upstash/redis-js@v1.35.4...v1.35.5

v1.35.4

Compare Source

What's Changed

• chore: correct typo 'cound' to 'count' in http.ts comment by @​builtbylane in upstash/redis-js#1385
• fix: adhere to deserialization setting by @​joschan21 in upstash/redis-js#1388

New Contributors

• @​builtbylane made their first contribution in upstash/redis-js#1385

Full Changelog: upstash/redis-js@v1.35.3...v1.35.4

v1.35.3

Compare Source

What's Changed

• feat: add Upstash Console as platform value for telemetry by @​mehmettokgoz in upstash/redis-js#1384

New Contributors

• @​mehmettokgoz made their first contribution in upstash/redis-js#1384

Full Changelog: upstash/redis-js@v1.35.2...v1.35.3

v1.35.2

Compare Source

What's Changed

• fix: exclude exec command from autopipelining by @​alitariksahin in upstash/redis-js#1382
• fix: deprecate block option in xread by @​alitariksahin in upstash/redis-js#1383

New Contributors

• @​alitariksahin made their first contribution in upstash/redis-js#1382

Full Changelog: upstash/redis-js@v1.35.1...v1.35.2

v1.35.1

Compare Source

What's Changed

• DX-1938: update signal parameter to accept function by @​CahidArda in upstash/redis-js#1379

Full Changelog: upstash/redis-js@v1.35.0...v1.35.1

v1.35.0

Compare Source

What's Changed

Features:

• feat: add withtypes option to the scan command by @​ytkimirti in upstash/redis-js#1376

Fixes:

• feat: use uncrypto instead of crypto-js by @​ytkimirti in upstash/redis-js#1375

Full Changelog: upstash/redis-js@v1.34.9...v1.35.0

v1.34.9

Compare Source

What's Changed

Fixes:

• DX-1839: exclude some commands from auto pipeline by @​CahidArda in upstash/redis-js#1373

Full Changelog: upstash/redis-js@v1.34.8...v1.34.9

v1.34.8

Compare Source

What's Changed

• DX-1780: add hash expiration commands by @​CahidArda in upstash/redis-js#1371

Full Changelog: upstash/redis-js@v1.34.7...v1.34.8

v1.34.7

Compare Source

What's Changed

Features:

• DX-1660: Add EVAL_RO and EVALSHA_RO commands by @​yunusemreozdemir in upstash/redis-js#1365
• DX-1780: Add HEXPIRE by @​CahidArda in upstash/redis-js#1367
• Add json.merge command by @​CahidArda in upstash/redis-js#1368

Fixes:

• Add expire options to PEXPIREAT, PEXPIRE, EXPIREAT by @​CahidArda in upstash/redis-js#1370

Full Changelog: upstash/redis-js@v1.34.6...v1.34.7

v1.34.6

Compare Source

What's Changed

• Don't use Array.shift in custom deserializers by @​mdumandag in upstash/redis-js#1364

New Contributors

• @​mdumandag made their first contribution in upstash/redis-js#1364

Full Changelog: upstash/redis-js@v1.34.5...v1.34.6

v1.34.5

Compare Source

What's Changed

• Introduce SUBSCRIBE and PSUBSCRIBE Command by @​fahreddinozcan in upstash/redis-js#1360

Full Changelog: upstash/redis-js@v1.34.4...v1.34.5

v1.34.4

Compare Source

What's Changed

Features:

• Added command: getex by @​SomajitDey in upstash/redis-js#1358

Fixes:

• Add install ci version to vercel deployed tests by @​CahidArda in upstash/redis-js#1328
• Remove sleep after the last retry attempt by @​CahidArda in upstash/redis-js#1342
• DX-1382: Generic EXEC command by @​fahreddinozcan in upstash/redis-js#1346
• fix: remove test.only from auto-pipeline by @​arjunattam in upstash/redis-js#1356

New Contributors

• @​arjunattam made their first contribution in upstash/redis-js#1356
• @​SomajitDey made their first contribution in upstash/redis-js#1358

Full Changelog: upstash/redis-js@v1.34.3...v1.34.4

v1.34.3

Compare Source

What's Changed

• Accept vercel kv env variables by @​CahidArda in upstash/redis-js#1315
• In auto pipeline, throw errors seperately by @​CahidArda in upstash/redis-js#1305
• Replace throw on missing env with warning by @​CahidArda in upstash/redis-js#1311

Changes

Vercel Env Variables

@​upstash/redis sdk now also works when the env variables of Vercel KV are set:

KV_REST_API_URL
KV_REST_API_TOKEN

Granular Auto Pipeline Errors

When the pipeline of the auto pipeline failed, it threw an error for all commands in the auto pipeline. This is not ideal for the use case of auto pipeline. Now, they are raised seperately.

This required changing the exec method of Pipeline. It's not possible to return the errors instead of raising them. See the docstring for more details.

Remove throw on missing URL/Token

We updated the SDK to throw error if the URL or the token is not set in v1.31.1, in PR #​1065. This causes the Vercel builds in Turbo repo to fail unless the turbo.json is updated.

Now, we only print warning logs if the credentials are missing, instead of throwing.

Full Changelog: upstash/redis-js@v1.34.2...v1.34.3

v1.34.2

Compare Source

What's Changed

• Unify exports by @​ytkimirti in upstash/redis-js#1290

Full Changelog: upstash/redis-js@v1.34.1...v1.34.2

v1.34.1

Compare Source

What's Changed

• Revisit SDK Examples by @​yunusemreozdemir in upstash/redis-js#1196
• Fix TS5084 Error in Bitfield SubCommandArgs by @​CahidArda in upstash/redis-js#1235
• Change signature of SADD by @​ytkimirti in upstash/redis-js#1250
• Redis Eslint Update by @​fahreddinozcan in upstash/redis-js#1278
• Add sync token set/get methods by @​CahidArda in upstash/redis-js#1299

New Contributors

• @​yunusemreozdemir made their first contribution in upstash/redis-js#1196

Full Changelog: upstash/redis-js@v1.34.0...v1.34.1

v1.34.0

Compare Source

What's Changed

• feat: add json mset command by @​ogzhanolguncu in upstash/redis-js#1197
• ci: remove stale command by @​ogzhanolguncu in upstash/redis-js#1205
• Dx 1102 by @​ogzhanolguncu in upstash/redis-js#1213
• DX-1019: Read Your Writes Support by @​fahreddinozcan in upstash/redis-js#1175

Full Changelog: upstash/redis-js@v1.33.0...v1.34.0

v1.33.0

Compare Source

What's Changed

• Enable auto pipelining by default by @​CahidArda in upstash/redis-js#1187

Full Changelog: upstash/redis-js@v1.32.0...v1.33.0

v1.32.0

Compare Source

What's Changed

• DX-1023: Add regex for base url by @​CahidArda in upstash/redis-js#1157
• feat: add bitfield command by @​lewxdev in upstash/redis-js#1159
• Resolve Auto Pipeline Arrappend Issue by @​CahidArda in upstash/redis-js#1165

New Contributors

• @​lewxdev made their first contribution in upstash/redis-js#1159

Full Changelog: upstash/redis-js@v1.31.6...v1.32.0

v1.31.6

Compare Source

What's Changed

• feat: add keepAlive parameter by @​CahidArda in upstash/redis-js#1138

Full Changelog: upstash/redis-js@v1.31.5...v1.31.6

v1.31.5

Compare Source

What's Changed

• fix: add Pipeline to exports by @​CahidArda in upstash/redis-js#1121

Full Changelog: upstash/redis-js@v1.31.4...v1.31.5

v1.31.4

Compare Source

What's Changed

• DX-997: Make cursor field in scan commands string by @​CahidArda in upstash/redis-js#1115

After this patch, cursor field in the SCAN, HSCAN, SSCAN and ZSCAN will always be string even if deserialization is enabled.

Full Changelog: upstash/redis-js@v1.31.3...v1.31.4

v1.31.3

Compare Source

What's Changed

• hotfix: use two Promise.resolve statements in deferExecution by @​CahidArda in upstash/redis-js#1083

Full Changelog: upstash/redis-js@v1.31.2...v1.31.3

v1.31.2

Compare Source

What's Changed

• Fix Auto-pipeline Proxy Json Issue by @​CahidArda in upstash/redis-js#1080

Full Changelog: upstash/redis-js@v1.31.1...v1.31.2

v1.31.1

Compare Source

What's Changed

• feat: add lmpop command by @​ogzhanolguncu in upstash/redis-js#1061
• Allow undefined constructor values by @​joschan21 in upstash/redis-js#1065
• add enableAutoPipelining parameter by @​CahidArda in upstash/redis-js#1062

New Contributors

• @​CahidArda made their first contribution in upstash/redis-js#1062

Full Changelog: upstash/redis-js@v1.31.0...v1.31.1

v1.31.0

Compare Source

What's Changed

• DX 593 - Auto executed pipeline by @​ogzhanolguncu in #​1039

Full Changelog: upstash/redis-js@v1.30.1...v1.31.0

v1.30.1

Compare Source

What's Changed

• fix: filter falsy values before sending request by @​joschan21 in #​1049
• Fix detection unsafe integer by @​PlutoyDev in #​1048

New Contributors

• @​joschan21 made their first contribution in #​1049
• @​PlutoyDev made their first contribution in #​1048

Full Changelog: upstash/redis-js@v1.30.0...v1.30.1

v1.30.0

Compare Source

What's Changed

• fix: add missing type to hrandfield by @​ogzhanolguncu in #​1028

Full Changelog: upstash/redis-js@v1.29.0...v1.30.0

v1.29.0

Compare Source

What's Changed

• Update README.md by @​enesakar in #​900
• chore: add setup-bun action to workflows by @​aykutkardas in #​896
• Upgrade GH Action Runner by @​fahreddinozcan in #​924
• Opt-in per-line logging by @​ogzhanolguncu in #​958

New Contributors

• @​aykutkardas made their first contribution in #​896

Full Changelog: upstash/redis-js@v1.28.4...v1.29.0

v1.28.4

Compare Source

What's Changed

• Fix: Geo Commands' Export by @​fahreddinozcan in #​889
• DX 691 by @​ogzhanolguncu in #​893

Full Changelog: upstash/redis-js@v1.28.3...v1.28.4

v1.28.3

Compare Source

What's Changed

• Dx 630 by @​ogzhanolguncu in #​872

Full Changelog: upstash/redis-js@v1.28.2...v1.28.3

• Added generics for JSONMGet and JSONGet
• Run formatter for the entire project
• Add husky for hooks

v1.28.2

Compare Source

What's Changed

• Fix exports map by @​ytkimirti in #​843

Full Changelog: upstash/redis-js@v1.28.1...v1.28.2

v1.28.1

Compare Source

What's Changed

• Add support for export maps by @​ytkimirti in #​825

Full Changelog: upstash/redis-js@v1.28.0...v1.28.1

v1.28.0

Compare Source

What's Changed

• Dx 569 by @​ogzhanolguncu in #​809

Full Changelog: upstash/redis-js@v1.27.1...v1.28.0

v1.27.1

Compare Source

What's Changed

• Add missing expiry options to EXPIRE command by @​ogzhanolguncu in #​793

Full Changelog: upstash/redis-js@v1.27.0...v1.27.1

v1.27.0

Compare Source

What's Changed

• DX 533 by @​ogzhanolguncu in #​786

Full Changelog: upstash/redis-js@v1.26.0...v1.27.0

openai/openai-node (openai)

v5.23.2

Compare Source

Full Changelog: v5.23.2...v6.0.0

⚠ BREAKING CHANGES

• api: ResponseFunctionToolCallOutputItem.output and ResponseCustomToolCallOutput.output now return string | Array<ResponseInputText | ResponseInputImage | ResponseInputFile> instead of string only. This may break existing callsites that assume output is always a string.

Features

• api: Support images and files for function call outputs in responses, BatchUsage (abe56f8)

Chores

• compat with zod v4 (#​1658) (94569a0)

v5.23.1

Compare Source

Full Changelog: v5.23.1...v5.23.2

Chores

• env-tests: upgrade jest-fixed-jsdom 0.0.9 -> 0.0.10 (6d6d0b0)
• internal: codegen related update (1b684af)
• internal: ignore .eslintcache (da9e146)

v5.23.0

Compare Source

Full Changelog: v5.23.0...v5.23.1

Bug Fixes

• realtime: remove beta header from GA classes (a5e9e70)

Performance Improvements

• faster formatting (d56f309)

Chores

• internal: fix incremental formatting in some cases (166d28f)
• internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (dfab408)

v5.22.1

Compare Source

Full Changelog: v5.22.1...v5.23.0

Features

• api: gpt-5-codex (2e4ece6)

v5.22.0

Compare Source

Full Changelog:

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		[email protected] has a High CVE. CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2 Patched version: 1.12.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0

View full report