chore(deps): update npm

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@lucide/svelte (source)	^0.553.0 -> ^0.554.0
@sveltejs/adapter-vercel (source)	^6.1.1 -> ^6.1.2
@sveltejs/kit (source)	^2.48.5 -> ^2.49.0
bits-ui	^2.14.3 -> ^2.14.4
marked (source)	^17.0.0 -> ^17.0.1
pnpm (source)	10.22.0 -> 10.23.0
posthog-js (source)	^1.292.0 -> ^1.297.2
posthog-node (source)	^5.11.2 -> ^5.13.2
svelte (source)	^5.43.6 -> ^5.43.14
typescript-eslint (source)	^8.46.4 -> ^8.47.0
vite (source)	^7.2.2 -> ^7.2.4
vite-plugin-lucide-preprocess	^1.4.5 -> ^1.4.6

---

Release Notes

lucide-icons/lucide (@​lucide/svelte)

v0.554.0: Version 0.554.0

Compare Source

What's Changed

• fix(icons): Rename fingerprint icon to fingerprint-pattern by @​ericfennis in #​3767
• feat(docs): added lucide-rails third-party package by @​theiereman in #​3769
• fix(icons): changed ampersand icon by @​jguddas in #​3771
• fix(icons): changed folder-git-2 icon by @​jguddas in #​3790
• fix(icons): update anchor icon by @​jamiemlaw in #​2523
• feat(icons): added calendars icon by @​jguddas in #​3788

Breaking change

For lucide-react and lucide-solid, imports for Fingerprint icon are changed to FingerprintPattern.

Lucide React

- import { Fingerprint } from "lucide-react";
+ import { FingerprintPattern } from "lucide-react";

Lucide Solid

- import { Fingerprint } from "lucide/solid";
+ import { FingerprintPattern } from "lucide/solid";

// Or

- import Fingerprint from "lucide/solid/icons/fingerprint";
+ import FingerprintPattern from "lucide/solid/icons/fingerprint-pattern";

New Contributors

• @​theiereman made their first contribution in #​3769

Full Changelog: lucide-icons/lucide@0.553.0...0.554.0

sveltejs/kit (@​sveltejs/adapter-vercel)

v6.1.2

Compare Source

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#​14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

sveltejs/kit (@​sveltejs/kit)

v2.49.0

Compare Source

Minor Changes

• feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#​14775)

v2.48.8

Compare Source

Patch Changes

• breaking: invalid now must be imported from @sveltejs/kit (#​14768)

• breaking: remove submitter option from experimental form validate() method, always provide default submitter (#​14762)

v2.48.7

Compare Source

Patch Changes

• fix: allow multiple server-timing headers (#​14700)

• fix: allow access to root-level issues in schema-less forms (#​14893)

• fix: allow hosting hash-based apps from non-index.html files (#​14825)

v2.48.6

Compare Source

Patch Changes

• fix: clear issues upon passing validation (#​14683)

• fix: don't use fork of unrelated route (#​14947)

• fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#​14949)

• fix: preserve this when invoking standard validator (#​14943)

• fix: treat client/universal hooks as entrypoints for illegal server import detection (#​14876)

• fix: correct query .set and .refresh behavior in commands (#​14877)

• fix: improved the accuracy of the types of the output of field.as('...') (#​14908)

huntabyte/bits-ui (bits-ui)

v2.14.4

Compare Source

Patch Changes

• fix(Command): scroll initial selected into view (#​1896)

markedjs/marked (marked)

v17.0.1

Compare Source

pnpm/pnpm (pnpm)

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:[email protected]) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

PostHog/posthog-js (posthog-js)

v1.297.2

Compare Source

1.297.2

Patch Changes

• Updated dependencies [83f5d07]:
  • @​posthog/core@​1.5.5

v1.297.1

Compare Source

1.297.1

Patch Changes

• Updated dependencies [c242702]:
  • @​posthog/core@​1.5.4

v1.297.0

Compare Source

1.297.0

Minor Changes

• #​2578 91f41ee Thanks @​rafaeelaudibert! - Output confirmation log message to the user when overriding feature flags to improve user feedback on whether the action actually did something or not
  (2025-11-19)

Patch Changes

• #​2575 8acd88f Thanks @​hpouillot! - fix frame platform property for $exception events
  (2025-11-19)
• Updated dependencies [8acd88f]:
  • @​posthog/core@​1.5.3

v1.296.1

Compare Source

1.296.1

Patch Changes

• #​2590 ab85422 Thanks @​pauldambra! - fix: don't rely on order of method calls to gate calling url

v1.296.0

Compare Source

1.296.0

Minor Changes

• #​2595 17d12f5 Thanks @​adboio! - fix(surveys): clean up popover surveys from dom on close

v1.295.0

Compare Source

1.295.0

Minor Changes

• #​2572 ab6cc9e Thanks @​adboio! - survey html rendering bugfix

v1.294.0

Compare Source

1.294.0

Minor Changes

• #​2573 f9260de Thanks @​adboio! - feat: add survey feedback button custom positions

v1.293.0

Compare Source

1.293.0

Minor Changes

• #​2565 f2426db Thanks @​pauldambra! - feat: ignore rageclicks by content.

Patch Changes

• #​2570 de80a41 Thanks @​pauldambra! - fix: rageclick detection should use event timestamp not current time

PostHog/posthog-js (posthog-node)

v5.13.2

Compare Source

Patch Changes

• Updated dependencies [83f5d07]:
  • @​posthog/core@​1.5.5

v5.13.1

Compare Source

Patch Changes

• Updated dependencies [c242702]:
  • @​posthog/core@​1.5.4

v5.13.0

Compare Source

Minor Changes

• #​2600 8972000 Thanks @​dustinbyrne! - fix: fetch is called without a bound context

  This prevents issues in edge runtimes such as Cloudflare (2025-11-19)

Patch Changes

• #​2575 8acd88f Thanks @​hpouillot! - fix frame platform property for $exception events
  (2025-11-19)
• Updated dependencies [8acd88f]:
  • @​posthog/core@​1.5.3

v5.12.0

Compare Source

Minor Changes

• #​2594 4ad3678 Thanks @​dustinbyrne! - feat: Add FlagDefinitionCacheProvider interface and client configuration option

sveltejs/svelte (svelte)

v5.43.14

Compare Source

Patch Changes

• fix: correctly migrate named self closing slots (#​17199)

• fix: error at compile time instead of at runtime on await expressions inside bindings/transitions/animations/attachments (#​17198)

• fix: take async blockers into account for bindings/transitions/animations/attachments (#​17198)

v5.43.13

Compare Source

Patch Changes

• fix: don't set derived values during time traveling (#​17200)

v5.43.12

Compare Source

Patch Changes

• fix: maintain correct linked list of effects when updating each blocks (#​17191)

v5.43.11

Compare Source

Patch Changes

• perf: don't use tracing overeager during dev (#​17183)

• fix: don't cancel transition of already outroing elements (#​17186)

v5.43.10

Compare Source

Patch Changes

• fix: avoid other batches running with queued root effects of main batch (#​17145)

v5.43.9

Compare Source

Patch Changes

• fix: correctly handle functions when determining async blockers (#​17137)

• fix: keep deriveds reactive after their original parent effect was destroyed (#​17171)

• fix: ensure eager effects don't break reactions chain (#​17138)

• fix: ensure async @const in boundary hydrates correctly (#​17165)

• fix: take blockers into account when creating #await blocks (#​17137)

• fix: parallelize async @consts in the template (#​17165)

v5.43.8

Compare Source

Patch Changes

• fix: each block losing reactivity when items removed while promise pending (#​17150)

v5.43.7

Compare Source

Patch Changes

• fix: properly defer document title until async work is complete (#​17158)

• fix: ensure deferred effects can be rescheduled later on (#​17147)

• fix: take blockers of components into account (#​17153)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.47.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v7.2.4

Compare Source

Bug Fixes

• revert "perf(deps): replace debug with obug (#​21107)" (2d66b7b)

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

WarningImHack3r/vite-plugin-lucide-preprocess (vite-plugin-lucide-preprocess)

v1.4.6: - Automated release

Compare Source

• Add support for newly renamed components in Lucide v0.554.0

[!NOTE]
This is a fully-automated release.
Despite its content being manually checked after its release, it might be incorrect or potentially break some compatibility with Lucide.
If you happen to notice any issue I might not be aware of or actively working on, please open an issue.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
svelte-changelog	Ready	Preview	Comment	Nov 21, 2025 6:08pm

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}