chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@sveltejs/adapter-node (source)	5.4.0 → 5.5.2			devDependencies	minor
@sveltejs/kit (source)	2.49.5 → 2.50.2			devDependencies	minor
@tsconfig/svelte (source)	5.0.6 → 5.0.7			devDependencies	patch
@types/node (source)	22.19.5 → 22.19.8			devDependencies	patch	22.19.10 (+1)
@types/node (source)	22.19.5 → 22.19.8			dependencies	patch	22.19.10 (+1)
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/setup-node	v6.1.0 → v6.2.0			action	minor
autoprefixer	10.4.23 → 10.4.24			devDependencies	patch
changesets/action	v1.5.3 → v1.6.0			action	minor
eslint-plugin-n	17.23.1 → 17.23.2			devDependencies	patch
eslint-plugin-prettier	5.5.4 → 5.5.5			devDependencies	patch
globals	17.0.0 → 17.3.0			devDependencies	minor
playwright-core (source)	1.56.1 → 1.58.1			devDependencies	minor	1.58.2
pnpm (source)	10.28.0 → 10.28.2			packageManager	patch	10.29.1
prettier (source)	3.7.4 → 3.8.1			devDependencies	minor
publint (source)	0.3.16 → 0.3.17			devDependencies	patch
sass	1.97.2 → 1.97.3			devDependencies	patch
svelte (source)	5.46.4 → 5.49.2			devDependencies	minor	5.50.0
svelte (source)	5.46.4 → 5.49.2			dependencies	minor	5.50.0
svelte-check	4.3.5 → 4.3.6			devDependencies	patch
typescript-eslint (source)	8.52.0 → 8.54.0			devDependencies	minor
vite (source)	8.0.0-beta.7 → 8.0.0-beta.13			devDependencies	patch
vitest (source)	4.0.16 → 4.0.18			devDependencies	patch

---

Release Notes

sveltejs/kit (@​sveltejs/adapter-node)

v5.5.2

Compare Source

Patch Changes

• fix: disable gzip and brotli when precompress=false (#​15182)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

v5.5.1

Compare Source

Patch Changes

• fix: add validations for protocol, host, and port header values (d9ae9b0)

• Updated dependencies [81cd545, d9ae9b0, 8ed8155]:

  • @​sveltejs/kit@​2.49.5

v5.5.0

Compare Source

Minor Changes

• feat: add env vars for keepAliveTimeout and headersTimeout (#​15125)

sveltejs/kit (@​sveltejs/kit)

v2.50.2

Compare Source

Patch Changes

• fix: ensure inlined CSS follows paths.assets and paths.relative settings (#​15153)

• fix: emit script CSP nonces when unsafe-inline is present if strict-dynamic is also present (#​15221)

• fix: re-export browser/dev from esm-env (#​15206)

• fix: use validated args in batch resolver in both csr and ssr (#​15215)

• fix: ensure CSS inlining includes components that are conditionally rendered (#​15153)

• fix: only match rest params with matchers when the matcher matches (#​15216)

• fix: properly handle percent-encoded anchors (e.g. <a href="#sparkles-%E2%9C%A8">) during prerendering. (#​15231)

v2.50.1

Compare Source

Patch Changes

• fix: include hooks.server and hooks.universal as explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#​15178)

• fix: improves fields type for generic components (#​14974)

• fix: preload links if href changes (#​15191)

v2.50.0

Compare Source

Minor Changes

• breaking: remove buttonProps from experimental remote form functions; use e.g. <button {...myForm.fields.action.as('submit', 'register')}>Register</button> button instead (#​15144)

tsconfig/bases (@​tsconfig/svelte)

v5.0.7

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

postcss/autoprefixer (autoprefixer)

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

changesets/action (changesets/action)

v1.6.0

Compare Source

Minor Changes

• #​558 342005d Thanks @​harsha-venugopal-ledn! - Upgrade from Node.js 20 to Node.js 24 LTS

eslint-community/eslint-plugin-n (eslint-plugin-n)

v17.23.2

Compare Source

🩹 Fixes

• avoid any type for no-top-level-await listener node (build issue) (#​498) (f071703)
• file-extension-in-import: handle directory index imports (#​499) (754a1a6)
• file-extension-in-import: handle files with dots in basename (#​506) (600f3f2)
• no-sync: resolve full typed names for ignores (#​501) (047301a)

📚 Documentation

• safely disable no-unpublished-bin npm v10+ (#​487) (8af9c86)

🧹 Chores

• no-missing-import: align fixture message with latest resolver output (#​500) (a3719d2)

prettier/eslint-plugin-prettier (eslint-plugin-prettier)

v5.5.5

Compare Source

Patch Changes

• #​772 7264ed0 Thanks @​BPScott! - Bump prettier-linter-helpers dependency to v1.0.1

• #​776 77651a3 Thanks @​aswils! - fix: bump synckit for yarn PnP ESM issue

sindresorhus/globals (globals)

v17.3.0

Compare Source

• Update globals (2026-02-01) (#​336) 295fba9

---

v17.2.0

Compare Source

• jasmine: Add throwUnless and throwUnlessAsync globals (#​335) 97f23a7

---

v17.1.0

Compare Source

• Add webpack and rspack globals (#​333) 65cae73

---

microsoft/playwright (playwright-core)

v1.58.1

Compare Source

Highlights

#​39036 fix(msedge): fix local network permissions
#​39037 chore: update cft download location
#​38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

Compare Source

v1.57.0

Compare Source

pnpm/pnpm (pnpm)

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

publint/publint (publint)

v0.3.17

Compare Source

Patch Changes

• Fix packing packages with pnpm when publishConfig.directory is set (#​216)

• Updated dependencies [2dcb107]:

  • @​publint/pack@​0.1.3

sass/dart-sass (sass)

v1.97.3

Compare Source

• Fix a bug where nesting an at-rule within multiple style rules in plain CSS
  could cause outer style rules to be omitted.

sveltejs/svelte (svelte)

v5.49.2

Compare Source

Patch Changes

• chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

• fix: avoid erroneous async derived expressions for blocks (#​17604)

• fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

• fix: reschedule effects inside unskipped branches (#​17604)

v5.49.1

Compare Source

Patch Changes

• fix: merge consecutive large text nodes (#​17587)

• fix: only create async functions in SSR output when necessary (#​17593)

• fix: properly separate multiline html blocks from each other in print() (#​17319)

• fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes

• feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)

Patch Changes

• fix: throw for unset createContext get on the server (#​17580)

• fix: reset effects inside skipped branches (#​17581)

• fix: preserve old dependencies when updating reaction inside fork (#​17579)

• fix: more conservative assignment_value_stale warnings (#​17574)

• fix: disregard popover elements when determining whether an element has content (#​17367)

• fix: fire introstart/outrostart events after delay, if specified (#​17567)

• fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

• fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

• fix: prevent unintended exports from namespaces (#​17562)

• fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes

• fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

• fix: hydration failing with settled async blocks (#​17539)

• fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

• fix: handle false dynamic components in SSR (#​17542)

• fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

• fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes

• fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes

• fix: hoist snippets above const in same block (#​17516)

• fix: properly hydrate await in {@​html} (#​17528)

• fix: batch resolution of async work (#​17511)

• fix: account for empty statements when visiting in transform async (#​17524)

• fix: avoid async overhead for already settled promises (#​17461)

• fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes

• feat: export parseCss from svelte/compiler (#​17496)

Patch Changes

• fix: handle non-string values in svelte:element this attribute (#​17499)

• fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes

• fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes

• feat: customizable <select> elements (#​17429)

Patch Changes

• fix: mark subtree of svelte boundary as dynamic (#​17468)

• fix: don't reset static elements with debug/snippets (#​17477)

sveltejs/language-tools (svelte-check)

v4.3.6

Compare Source

Patch Changes

• fix: don't hoist type/snippet referencing $store (#​2926)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.54.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.53.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.53.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.0-beta.13

Compare Source

Features

• integrate devtools (#​21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#​21554) (43358e9)

Bug Fixes

• scanner: respect tsconfig.json (#​21547) (c6c04db)

Miscellaneous Chores

• update rolldown-plugin-dts to 0.22.1 (#​21559) (77aab4b)

Code Refactoring

• deprecate customResolver in resolve.alias (#​21476) (81275c9)
• remove unnecessary @rolldown/pluginutils (#​21560) (c367b62)

Tests

• bundled-dev: add worker test cases (#​21557) (569bc98)

v8.0.0-beta.12

Compare Source

Features

• manifest: add assets field for standalone CSS entry points (#​21015) (f289b9b)

Bug Fixes

• avoid registering customization hook for import meta resolver multiple times (#​21518) (8bb3203)
• config: avoid watching rolldown runtime virtual module (#​21545) (d18b139)
• deps: update all non-major dependencies (#​21540) (9ebaeaa)
• populate originalFileNames when resolving CSS asset paths (#​21542) (8b47ff7)

Miscellaneous Chores

• deps: update dependency rolldown-plugin-dts to ^0.21.8 (#​21539) (33881cb)

v8.0.0-beta.11

Compare Source

Features

• update rolldown to 1.0.0-rc.2 (#​21512) (fa136a9)

Bug Fixes

• deps: update all non-major dependencies (#​21488) (2b32ca2)
• disable tsconfig option when loading config (#​21517) (5025c35)
• optimizer: map relative new URL paths to correct relative file location (#​21434) (ca96cbc)

Documentation

• bulk of typo fixes (#​21507) (80755da)

Miscellaneous Chores

• add missing versions to changelog (#​21515) (4bfb239)
• deps: update rolldown-related dependencies (#​21487) (5863e51)

Code Refactoring

• enable some native plugins even with enable native plugin false (#​21511) (b40292c)
• remove experimental.enableNativePlugin: 'resolver' (#​21510) (f9d9213)
• use import.meta.dirname everywhere (#​21509) (7becf5f)

v8.0.0-beta.10

Compare Source

Bug Fixes

• avoid using deprecated output.inlineDynamicImport option (#​21464) (471ce62)
• use separate hook object for each environment (#​21472) (66347f6)

Documentation

• update build.dynamicImportVarsOptions (#​21477) (54ce2ed)

v8.0.0-beta.9

Compare Source

Features

• bundled-dev: support worker in initial bundle (#​21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#​21381) (b0dd5a9)
• shortcuts case insensitive (#​21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#​21463) (ff9dd7f)
• warn if envPrefix contains spaces (#​21292) (9fcde3c)

Bug Fixes

• deps: update all non-major dependencies (#​21440) (1835995)
• dev: avoid event emitter leak caused by server.listen callback (#​21451) (602d786)
• lazy hook filter should work (#​21443) (bc0c207)
• optimizer: skip rolldownCjsExternalPlugin for platform: neutral (#​21452) (d2fc4be)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​21390) (be9dd4e)
• fix typo in plugin.ts comment (#​21435) (d31fc66)

Code Refactoring

• optimizer: simplify rolldownCjsExternalPlugin (#​21450) (ebda8fd)

v8.0.0-beta.8

Compare Source

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#​21382)

Features

• update rolldown to 1.0.0-beta.60 (#​21408) (c33aa7c)

Bug Fixes

• deps: update all non-major dependencies (#​21389) (30f48df)
• deps: update esbuild peerDependency version (#​21398) (4266c97)
• hmr: trigger prune event when last import is removed (#​20781) (#​21093) (7576735)
• module-runner: use process.getBuiltinModule instead of import('node:module') (#​21402) (6633bcb)
• support .env file mounts (FIFOs) (#​21365) (6e6f82a)

Code Refactoring

• remove import.meta.hot.accept resolution fallback (#​21382) (71d0797)

vitest-dev/vitest (vitest)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 [(d390e)]

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.