chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@sveltejs/adapter-node (source)	5.4.0 → 5.5.3			devDependencies	minor
@sveltejs/eslint-config	8.3.4 → 8.3.5			devDependencies	patch
@tsconfig/svelte (source)	5.0.6 → 5.0.8			devDependencies	patch
@types/node (source)	22.19.5 → 22.19.11			devDependencies	patch
@types/node (source)	22.19.5 → 22.19.11			dependencies	patch
actions/checkout	v6.0.1 → v6.0.2			action	patch
actions/setup-node	v6.1.0 → v6.2.0			action	minor
autoprefixer	10.4.23 → 10.4.24			devDependencies	patch
changesets/action	v1.5.3 → v1.7.0			action	minor
eslint-plugin-n	17.23.1 → 17.24.0			devDependencies	minor
eslint-plugin-prettier	5.5.4 → 5.5.5			devDependencies	patch
eslint-plugin-svelte (source)	3.14.0 → 3.15.0			devDependencies	minor
globals	17.0.0 → 17.3.0			devDependencies	minor
playwright-core (source)	1.56.1 → 1.58.2			devDependencies	minor
pnpm (source)	10.28.0 → 10.30.0			packageManager	minor	10.30.1
prettier (source)	3.7.4 → 3.8.1			devDependencies	minor
prettier-plugin-svelte	3.4.1 → 3.5.0			devDependencies	minor
publint (source)	0.3.16 → 0.3.17			devDependencies	patch
sass	1.97.2 → 1.97.3			devDependencies	patch
svelte (source)	5.51.5 → 5.53.0			devDependencies	minor	5.53.2 (+1)
svelte (source)	5.51.5 → 5.53.0			dependencies	minor	5.53.2 (+1)
svelte-check	4.3.5 → 4.4.1			devDependencies	minor	4.4.3 (+1)
typescript-eslint (source)	8.52.0 → 8.56.0			devDependencies	minor
vite (source)	8.0.0-beta.7 → 8.0.0-beta.15			devDependencies	patch
vitest (source)	4.0.16 → 4.0.18			devDependencies	patch

---

Release Notes

sveltejs/kit (@​sveltejs/adapter-node)

v5.5.3

Compare Source

Patch Changes

• fix: validate ORIGIN env var at startup (#​15045)

• chore(deps): update dependency @rollup/plugin-commonjs to v29 (#​14856)

• Updated dependencies [37293a5, 5d05ca6, ed69b77, b1fc959, 159aece, c690579, dc8cf2d, ace2116, 0f38f49]:

  • @​sveltejs/kit@​2.51.0

v5.5.2

Compare Source

Patch Changes

• fix: disable gzip and brotli when precompress=false (#​15182)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

v5.5.1

Compare Source

Patch Changes

• fix: add validations for protocol, host, and port header values (d9ae9b0)

• Updated dependencies [81cd545, d9ae9b0, 8ed8155]:

  • @​sveltejs/kit@​2.49.5

v5.5.0

Compare Source

Minor Changes

• feat: add env vars for keepAliveTimeout and headersTimeout (#​15125)

sveltejs/eslint-config (@​sveltejs/eslint-config)

v8.3.5

Compare Source

Patch Changes

• chore: upgrade to globals 17 (9a6909c979d6b15714863cec4dcf7d199bd5e6a2)

tsconfig/bases (@​tsconfig/svelte)

v5.0.8

Compare Source

v5.0.7

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

postcss/autoprefixer (autoprefixer)

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

changesets/action (changesets/action)

v1.7.0

Compare Source

Minor Changes

• #​564 935fe87 Thanks @​Andarist! - Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration.

Patch Changes

• #​545 54220dd Thanks @​ryanbas21! - The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios by only appending the auth token when NPM_TOKEN is defined. This prevents 'undefined' from being written to the registry configuration when using OIDC tokens from GitHub Actions trusted publishing.

• #​563 6af4a7e Thanks @​Andarist! - Don't error on already committed symlinks and executables that stay untouched

v1.6.0

Compare Source

Minor Changes

• #​558 342005d Thanks @​harsha-venugopal-ledn! - Upgrade from Node.js 20 to Node.js 24 LTS

eslint-community/eslint-plugin-n (eslint-plugin-n)

v17.24.0

Compare Source

🌟 Features

• add prefer-global/crypto rule (#​514) (2ea0f22)
• add prefer-global/timers rule (#​515) (10b24ae)

🧹 Chores

• add v17.x to release-please (9c5e437)

v17.23.2

Compare Source

🩹 Fixes

• avoid any type for no-top-level-await listener node (build issue) (#​498) (f071703)
• file-extension-in-import: handle directory index imports (#​499) (754a1a6)
• file-extension-in-import: handle files with dots in basename (#​506) (600f3f2)
• no-sync: resolve full typed names for ignores (#​501) (047301a)

📚 Documentation

• safely disable no-unpublished-bin npm v10+ (#​487) (8af9c86)

🧹 Chores

• no-missing-import: align fixture message with latest resolver output (#​500) (a3719d2)

prettier/eslint-plugin-prettier (eslint-plugin-prettier)

v5.5.5

Compare Source

Patch Changes

• #​772 7264ed0 Thanks @​BPScott! - Bump prettier-linter-helpers dependency to v1.0.1

• #​776 77651a3 Thanks @​aswils! - fix: bump synckit for yarn PnP ESM issue

sveltejs/eslint-plugin-svelte (eslint-plugin-svelte)

v3.15.0

Compare Source

Minor Changes

• #​1472 a314e4f Thanks @​copilot-swe-agent! - feat: add support for ESLint v10

• #​1461 d8e1dc1 Thanks @​marekdedic! - feat(no-navigation-without-resolve): for links, the rule now reports on the whole attribute

sindresorhus/globals (globals)

v17.3.0

Compare Source

• Update globals (2026-02-01) (#​336) 295fba9

---

v17.2.0

Compare Source

• jasmine: Add throwUnless and throwUnlessAsync globals (#​335) 97f23a7

---

v17.1.0

Compare Source

• Add webpack and rspack globals (#​333) 65cae73

---

microsoft/playwright (playwright-core)

v1.58.2

Compare Source

v1.58.1

Compare Source

Highlights

#​39036 fix(msedge): fix local network permissions
#​39037 chore: update cft download location
#​38995 chore(webkit): disable frame sessions on fronzen builds

Browser Versions

• Chromium 145.0.7632.6
• Mozilla Firefox 146.0.1
• WebKit 26.0

v1.58.0

Compare Source

v1.57.0

Compare Source

pnpm/pnpm (pnpm)

v10.30.0: pnpm 10.30

Compare Source

Minor Changes

• pnpm why now shows a reverse dependency tree. The searched package appears at the root with its dependents as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.

Patch Changes

• Revert pnpm why dependency pruning to prefer correctness over memory consumption. Reverted PR: #​7122.
• Optimize pnpm why and pnpm list performance in workspaces with many importers by sharing the dependency graph and materialization cache across all importers instead of rebuilding them independently for each one #​10596.

Platinum Sponsors

Gold Sponsors

v10.29.3

Compare Source

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

v10.28.2: pnpm 10.28.2

Compare Source

Patch Changes

• Security fix: prevent path traversal in directories.bin field.

• When pnpm installs a file: or git: dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked into node_modules.

  This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g., /etc/passwd, ~/.ssh/id_rsa) and have their contents copied when the package is installed.

  Note: This only affects file: and git: dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.

• Fixed optional dependencies to request full metadata from the registry to get the libc field, which is required for proper platform compatibility checks #​9950.

Platinum Sponsors

Gold Sponsors

v10.28.1

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

sveltejs/prettier-plugin-svelte (prettier-plugin-svelte)

v3.5.0

Compare Source

publint/publint (publint)

v0.3.17

Compare Source

Patch Changes

• Fix packing packages with pnpm when publishConfig.directory is set (#​216)

• Updated dependencies [2dcb107]:

  • @​publint/pack@​0.1.3

sass/dart-sass (sass)

v1.97.3

Compare Source

• Fix a bug where nesting an at-rule within multiple style rules in plain CSS
  could cause outer style rules to be omitted.

sveltejs/svelte (svelte)

v5.53.0

Compare Source

Minor Changes

• feat: allow comments in tags (#​17671)

• feat: allow error boundaries to work on the server (#​17672)

Patch Changes

• fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

• fix: ensure head effects are kept in the effect tree (#​17746)

• chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes

• feat: support TrustedHTML in {@​html} expressions (#​17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

• fix: re-run non-render-bound deriveds on the server (#​17674)

sveltejs/language-tools (svelte-check)

v4.4.1

Compare Source

Patch Changes

• fix: handle relative imports reaching outside working directory when using --incremental/--tsgo flags (#​2942)

• fix: support SvelteKit zero types in svelte-check --incremental (#​2939)

v4.4.0

Compare Source

Minor Changes

• feat: provide --incremental and --tsgo flags (#​2932)

Patch Changes

• fix: ignore Unix domain sockets in file watcher to prevent crashes (#​2931)

• fix: properly use machine output by default for Claude Code (e9f58d2)

v4.3.6

Compare Source

Patch Changes

• fix: don't hoist type/snippet referencing $store (#​2926)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

❤️ Thank You

• Brad Zacher @​bradzacher
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.55.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.54.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.53.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.53.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.0-beta.15

Compare Source

Features

• update rolldown to 1.0.0-rc.5 (#​21660) (b3ddbc5)

Bug Fixes

• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#​21642) (e54e25f)
• dev: prevent concurrent server restarts (#​21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#​21652) (e240df2)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#​21632) (235140b)
• use tsconfig cache for oxc transform in dev (#​21643) (57ff177)

Miscellaneous Chores

• deps: remove fdir and @rollup/plugin-commonjs (#​21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#​21097) (44b5bdf)

v8.0.0-beta.14

Compare Source

Features

• update rolldown to 1.0.0-rc.4 (#​21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#​21102) (216a3b5)

Bug Fixes

• clear tsconfig cache only when tsconfig.json is cached (#​21622) (50c9675)
• deps: update all non-major dependencies (#​21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#​21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#​21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#​21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#​21612) (db2ecc7)

Miscellaneous Chores

• fix broken link for future deprecations (#​21603) (25f4501)
• update customResolver deprecation message to mention enforce: 'pre' (#​21576) (2ce34d5)

Code Refactoring

• enable some native plugins even with enable native plugin false (#​21608) (5a4f692)
• use rolldown/utils (#​21577) (e56103f)
• use internal devtools config (#​21609) (9aea20f)
• use parseEnv (#​21586) (f859d2c)
• wasm: remove native wasm helper plugin usage (#​21566) (71a86be)

Tests

• test case for catching invalid package resolution error (#​21601) (c9b9359)

v8.0.0-beta.13

Compare Source

Features

• integrate devt

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.