Bump the npm-production group in /client with 4 updates

[dependabot]

Bumps the npm-production group in /client with 4 updates: @astrojs/svelte, @tailwindcss/vite, astro and svelte.

Updates @astrojs/svelte from 7.1.0 to 7.1.1

Release notes

Sourced from @​astrojs/svelte's releases.

@​astrojs/svelte@​7.1.1

Patch Changes

• #14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

Changelog

Sourced from @​astrojs/svelte's changelog.

7.1.1

Patch Changes

• #14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

Commits

• aa7bebd [ci] release (#14295)
• d0d7225 chore(deps): update dependency svelte to ^5.38.7 (#14322)
• c24a8f4 fix(vite): update vite to fix CVE (#14326)
• 0b0d9ed fix(deps): update astro client runtimes (#14184)
• c984507 docs: remove experimental notice (#14266)
• 540f27e fix(deps): update astro client runtimes (#14024)
• f1ac805 fix(deps): update astro client runtimes (#13912)
• 07e982d fix(deps): update astro client runtimes (#13882)
• f42ffac fix(deps): update astro client runtimes (#13853)
• See full diff in compare view

Updates @tailwindcss/vite from 4.1.12 to 4.1.13

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.1.13

Changed

• Drop warning from browser build (#18731)
• Drop exact duplicate declarations when emitting CSS (#18809)

Fixed

• Don't transition visibility when using transition (#18795)
• Discard matched variants with unknown named values (#18799)
• Discard matched variants with non-string values (#18799)
• Show suggestions for known matchVariant values (#18798)
• Replace deprecated clip with clip-path in sr-only (#18769)
• Hide internal fields from completions in matchUtilities (#18820)
• Ignore .vercel folders by default (can be overridden by @source … rules) (#18855)
• Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#18869)
• Do not allow custom variants to start or end with a - or _ (#18867, #18872)
• Upgrade: Migrate aria theme keys to @custom-variant (#18815)
• Upgrade: Migrate data theme keys to @custom-variant (#18816)
• Upgrade: Migrate supports theme keys to @custom-variant (#18817)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.1.13] - 2025-09-03

Changed

• Drop warning from browser build (#18731)
• Drop exact duplicate declarations when emitting CSS (#18809)

Fixed

• Don't transition visibility when using transition (#18795)
• Discard matched variants with unknown named values (#18799)
• Discard matched variants with non-string values (#18799)
• Show suggestions for known matchVariant values (#18798)
• Replace deprecated clip with clip-path in sr-only (#18769)
• Hide internal fields from completions in matchUtilities (#18820)
• Ignore .vercel folders by default (can be overridden by @source … rules) (#18855)
• Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#18869)
• Do not allow custom variants to start or end with a - or _ (#18867, #18872)
• Upgrade: Migrate aria theme keys to @custom-variant (#18815)
• Upgrade: Migrate data theme keys to @custom-variant (#18816)
• Upgrade: Migrate supports theme keys to @custom-variant (#18817)

Commits

• 1334c99 Prepare v4.1.13 release (#18868)
• See full diff in compare view

Updates astro from 5.13.3 to 5.13.7

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

• #14330 72e14ab Thanks @​ascorbic! - Removes pinned package that is no longer needed.

• #14335 17c7b03 Thanks @​florian-lefebvre! - Bumps sharp minimal version to 0.34.0

[email protected]

Patch Changes

• #14294 e005855 Thanks @​martrapp! - Restores the ability to use Google Analytics History change trigger with the <ClientRouter />.

• #14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

• #14108 218e070 Thanks @​JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity

• #14327 c1033be Thanks @​ascorbic! - Pins simple-swizzle to avoid compromised version

[email protected]

Patch Changes

• #14286 09c5db3 Thanks @​ematipico! - BREAKING CHANGES only to the experimental CSP feature

  The following runtime APIs of the Astro global have been renamed:

  • Astro.insertDirective to Astro.csp.insertDirective
  • Astro.insertStyleResource to Astro.csp.insertStyleResource
  • Astro.insertStyleHash to Astro.csp.insertStyleHash
  • Astro.insertScriptResource to Astro.csp.insertScriptResource
  • Astro.insertScriptHash to Astro.csp.insertScriptHash

  The following runtime APIs of the APIContext have been renamed:

  • ctx.insertDirective to ctx.csp.insertDirective
  • ctx.insertStyleResource to ctx.csp.insertStyleResource
  • ctx.insertStyleHash to ctx.csp.insertStyleHash
  • ctx.insertScriptResource to ctx.csp.insertScriptResource
  • ctx.insertScriptHash to ctx.csp.insertScriptHash

• #14283 3224637 Thanks @​ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

• #14275 3e2f20d Thanks @​florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

  Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

  No action is required to benefit from it.

• #14280 4b9fb73 Thanks @​ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

• #14276 77281c4 Thanks @​ArmandPhilippot! - Adds a missing export for resolveSrc, a documented image services utility.

... (truncated)

Changelog

Sourced from astro's changelog.

5.13.7

Patch Changes

• #14330 72e14ab Thanks @​ascorbic! - Removes pinned package that is no longer needed.

• #14335 17c7b03 Thanks @​florian-lefebvre! - Bumps sharp minimal version to 0.34.0

5.13.6

Patch Changes

• #14294 e005855 Thanks @​martrapp! - Restores the ability to use Google Analytics History change trigger with the <ClientRouter />.

• #14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

• #14108 218e070 Thanks @​JusticeMatthew! - Updates dynamic route split regex to avoid infinite retries/exponential complexity

• #14327 c1033be Thanks @​ascorbic! - Pins simple-swizzle to avoid compromised version

5.13.5

Patch Changes

• #14286 09c5db3 Thanks @​ematipico! - BREAKING CHANGES only to the experimental CSP feature

  The following runtime APIs of the Astro global have been renamed:

  • Astro.insertDirective to Astro.csp.insertDirective
  • Astro.insertStyleResource to Astro.csp.insertStyleResource
  • Astro.insertStyleHash to Astro.csp.insertStyleHash
  • Astro.insertScriptResource to Astro.csp.insertScriptResource
  • Astro.insertScriptHash to Astro.csp.insertScriptHash

  The following runtime APIs of the APIContext have been renamed:

  • ctx.insertDirective to ctx.csp.insertDirective
  • ctx.insertStyleResource to ctx.csp.insertStyleResource
  • ctx.insertStyleHash to ctx.csp.insertStyleHash
  • ctx.insertScriptResource to ctx.csp.insertScriptResource
  • ctx.insertScriptHash to ctx.csp.insertScriptHash

• #14283 3224637 Thanks @​ematipico! - Fixes an issue where CSP headers were incorrectly injected in the development server.

• #14275 3e2f20d Thanks @​florian-lefebvre! - Adds support for experimental CSP when using experimental fonts

  Experimental fonts now integrate well with experimental CSP by injecting hashes for the styles it generates, as well as font-src directives.

  No action is required to benefit from it.

• #14280 4b9fb73 Thanks @​ascorbic! - Fixes a bug that caused cookies to not be correctly set when using middleware sequences

... (truncated)

Commits

• 468c845 [ci] release (#14336)
• 72e14ab fix: remove the pinned simple-swizzle (#14330)
• 17c7b03 feat: update sharp (#14335)
• aa7bebd [ci] release (#14295)
• c1033be fix: pin simple-swizzle (#14327)
• c24a8f4 fix(vite): update vite to fix CVE (#14326)
• 218e070 Fix: Dynamic route split regex (#14108)
• 0eba233 fix(deps): update astro dependencies (#14308)
• d63f6bb fix(deps): update astro dependencies (#13749)
• bdc8ce2 fix(deps): update astro dependencies (#14305)
• Additional commits viewable in compare view

Updates svelte from 5.38.7 to 5.38.10

Release notes

Sourced from svelte's releases.

[email protected]

Patch Changes

• fix: flush effects scheduled during boundary's pending phase (#16738)

[email protected]

Patch Changes

• chore: generate CSS hash using the filename (#16740)

• fix: correctly analyze <object.property> components (#16711)

• fix: clean up scheduling system (#16741)

• fix: transform input defaults from spread (#16481)

• fix: don't destroy contents of svelte:boundary unless the boundary is an error boundary (#16746)

[email protected]

Patch Changes

• fix: send $effect.pending count to the correct boundary (#16732)

Changelog

Sourced from svelte's changelog.

5.38.10

Patch Changes

• fix: flush effects scheduled during boundary's pending phase (#16738)

5.38.9

Patch Changes

• chore: generate CSS hash using the filename (#16740)

• fix: correctly analyze <object.property> components (#16711)

• fix: clean up scheduling system (#16741)

• fix: transform input defaults from spread (#16481)

• fix: don't destroy contents of svelte:boundary unless the boundary is an error boundary (#16746)

5.38.8

Patch Changes

• fix: send $effect.pending count to the correct boundary (#16732)

Commits

• df13be8 Version Packages (#16754)
• 72ce753 fix: flush effects scheduled during boundary's pending phase (#16738)
• 96a4b16 Version Packages (#16744)
• 558a3c9 fix: transform input defaults from spread (#16481)
• 2743cd0 fix: correctly analyze \<object.property> components (#16711)
• f09f25e fix: Don't destroy boundary contents on error unless the boundary is an error...
• 68d27f1 chore: generate CSS hash using the filename (#16740)
• f343b00 fix: clean up scheduling system (#16741)
• f778975 Version Packages (#16734)
• 18dd456 fix: send $effect.pending count to the correct boundary (#16732)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.