Bump the npm_and_yarn group across 1 directory with 7 updates by dependabot[bot] · Pull Request #12 · Le0X8/website

dependabot · 2026-03-21T11:09:03Z

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@sveltejs/kit	`2.48.4`	`2.53.3`
svelte	`5.43.2`	`5.53.5`
ajv	`6.12.6`	`6.14.0`
flatted	`3.3.3`	`3.4.2`
minimatch	`3.1.2`	`3.1.5`
rollup	`4.52.5`	`4.59.1`

Updates @sveltejs/kit from 2.48.4 to 2.53.3

Release notes

Sourced from @sveltejs/kit's releases.

@sveltejs/kit@2.53.3

Patch Changes

fix: prevent overlapping file metadata in remote functions form (faba869)

@sveltejs/kit@2.53.2

Patch Changes

fix: server-render nested form value sets (#15378)

fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

fix: provide correct url info to remote functions (#15418)

fix: allow optional types for remote query/command/prerender functions (#15293)

fix: allow commands in more places (#15288)

@sveltejs/kit@2.53.1

Patch Changes

fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

@sveltejs/kit@2.53.0

Minor Changes

feat: support Vite 8 (#15024)

Patch Changes

fix: remove event listeners on form attachment cleanup (#15286)

fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

@sveltejs/kit@2.52.2

Patch Changes

fix: validate form file information to prevent amplification attacks (3e607b3)

chore: upgrade devalue and svelte (#15339)

fix: parse file offset table more strictly (f47c01b)

... (truncated)

Changelog

Sourced from @sveltejs/kit's changelog.

2.53.3

Patch Changes

fix: prevent overlapping file metadata in remote functions form (faba869)

2.53.2

Patch Changes

fix: server-render nested form value sets (#15378)

fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

fix: provide correct url info to remote functions (#15418)

fix: allow optional types for remote query/command/prerender functions (#15293)

fix: allow commands in more places (#15288)

2.53.1

Patch Changes

fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

2.53.0

Minor Changes

feat: support Vite 8 (#15024)

Patch Changes

fix: remove event listeners on form attachment cleanup (#15286)

fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

2.52.2

Patch Changes

fix: validate form file information to prevent amplification attacks (3e607b3)

... (truncated)

Commits

66d88c9 Version Packages (#15440)
faba869 Merge commit from fork
708fc4b chore(deps): bump rollup to 4.59.0 (#15433)
98496fa Version Packages (#15416)
8c5048b fix: provide correct url info to remote functions (#15418)
ce4b57c fix: allow commands in more places (#15288)
7277edb chore: fix CI lint (#15417)
64f484f fix: deep partial .value() and .set(...) types for forms (#14837)
d28d372 fix: allow optional types for remote query/command/prerender functions (#15293)
244838c fix: server-render nested form value sets (#15378)
Additional commits viewable in compare view

Updates svelte from 5.43.2 to 5.53.5

Release notes

Sourced from svelte's releases.

svelte@5.53.5

Patch Changes

fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

svelte@5.53.4

Patch Changes

fix: set server context after async transformError (#17799)

fix: hydrate if blocks correctly (#17784)

fix: handle default parameters scope leaks (#17788)

fix: prevent flushed effects from running again (#17787)

svelte@5.53.3

Patch Changes

fix: render :catch of #await block with correct key (#17769)

chore: pin aria-query@5.3.1 (#17772)

fix: make string coercion consistent to toString (#17774)

svelte@5.53.2

Patch Changes

fix: update expressions on server deriveds (#17767)

fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

svelte@5.53.1

Patch Changes

fix: handle shadowed function names correctly (#17753)

svelte@5.53.0

Minor Changes

feat: allow comments in tags (#17671)

feat: allow error boundaries to work on the server (#17672)

Patch Changes

fix: use TrustedHTML to test for customizable support, where necessary (#17743)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.5

Patch Changes

fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

5.53.4

Patch Changes

fix: set server context after async transformError (#17799)

fix: hydrate if blocks correctly (#17784)

fix: handle default parameters scope leaks (#17788)

fix: prevent flushed effects from running again (#17787)

5.53.3

Patch Changes

fix: render :catch of #await block with correct key (#17769)

chore: pin aria-query@5.3.1 (#17772)

fix: make string coercion consistent to toString (#17774)

5.53.2

Patch Changes

fix: update expressions on server deriveds (#17767)

fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

5.53.1

Patch Changes

fix: handle shadowed function names correctly (#17753)

5.53.0

Minor Changes

feat: allow comments in tags (#17671)

... (truncated)

Commits

ed14b49 Version Packages (#17802)
0df5abc Merge commit from fork
0298e97 Merge commit from fork
96fd3ce Version Packages (#17786)
1b3e660 fix: prevent flushed effects from running again (#17787)
673a1ab fix: set server context after async transformError (#17799)
3a28979 fix: handle default parameters scope leaks (#17788)
fcdc028 fix: hydrate if blocks correctly (#17784)
97f3ac5 Version Packages (#17775)
7deedc5 fix: render :catch of #await block with correct key (#17769)
Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

e3af0a7 6.14.0
b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
72f2286 docs: update v7 info
231e52b Merge pull request #1320 from philsturgeon/patch-1
d3475fc Add spectral, an AJV util from a sponsor
413afe0 docs: v7.0.0-beta.3
11e997b update readme for v7
See full diff in compare view

Updates devalue from 5.4.2 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses

a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

828fa1c: Enable support for custom reducer/reviver for "function" values

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

0f04d4d: fix: Properly handle __proto__

819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

1175584: fix: validate input for ArrayBuffer parsing

e46afa6: fix: validate input for typed arrays

1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses

a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

828fa1c: Enable support for custom reducer/reviver for "function" values

Commits

6cbb3f5 Version Packages (#133)
40f1db1 Merge commit from fork
87c1f3c Merge commit from fork
a4a37d2 Version Packages (#132)
819f1ac Merge commit from fork
0f04d4d Merge commit from fork
fcf4e88 fix tests
1d8a5ea Version Packages (#131)
1175584 Merge commit from fork
e46afa6 Merge commit from fork
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates rollup from 4.52.5 to 4.59.1

Release notes

Sourced from rollup's releases.

v4.59.1

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

v4.58.0

4.58.0

2026-02-20

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

#6290: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6291: chore(deps): update dependency @shikijs/vitepress-twoslash to v4 (@renovate[bot])

#6292: chore(deps): lock file maintenance (@renovate[bot])

#6297: chore(deps): update minor/patch updates (@renovate[bot])

#6298: chore(deps): lock file maintenance (@renovate[bot])

#6299: chore(deps): lock file maintenance (@renovate[bot])

#6300: docs: update packagephobia link (@bluwy)

#6301: chore(deps): update dependency lint-staged to ^16.3.3 (@renovate[bot])

#6306: fix: fix chunk assignment for deoptimized module with dynamic import (@JoaoBrlt, @lukastaegert)

#6307: chore(deps): update minor/patch updates (@renovate[bot])

#6308: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6309: chore(deps): update dependency vite to v8 (@renovate[bot])

#6310: chore(deps): lock file maintenance (@renovate[bot])

#6311: chore(deps): lock file maintenance (@renovate[bot])

#6312: chore(deps): lock file maintenance (@renovate[bot])

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

... (truncated)

Commits

0cba9e0 4.59.1
4eeea29 Pin Vite
1cd49ae fix: fix chunk assignment for deoptimized module with dynamic import (#6306)
c9dabc3 Downgrade Vite
d46200f chore(deps): update dependency vite to v8 (#6309)
aa6c853 chore(deps): update dependency lru-cache to v11 (#6308)
4208811 chore(deps): lock file maintenance (#6312)
5348a82 chore(deps): lock file maintenance (#6311)
c942b8d chore(deps): update minor/patch updates (#6307)
bf9d35c chore(deps): lock file maintenance (#6310)
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) | `2.48.4` | `2.53.3` | | [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.43.2` | `5.53.5` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [rollup](https://github.com/rollup/rollup) | `4.52.5` | `4.59.1` | Updates `@sveltejs/kit` from 2.48.4 to 2.53.3 - [Release notes](https://github.com/sveltejs/kit/releases) - [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md) - [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.53.3/packages/kit) Updates `svelte` from 5.43.2 to 5.53.5 - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.5/packages/svelte) Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) Updates `devalue` from 5.4.2 to 5.6.4 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.4.2...v5.6.4) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `rollup` from 4.52.5 to 4.59.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.52.5...v4.59.1) --- updated-dependencies: - dependency-name: "@sveltejs/kit" dependency-version: 2.53.3 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svelte dependency-version: 5.53.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

cloudflare-workers-and-pages · 2026-03-21T11:09:05Z

Deploying website with Cloudflare Pages

Latest commit:	`fcb49de`
Status:	✅ Deploy successful!
Preview URL:	https://234e7149.website-5v8.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-npm.website-5v8.pages.dev

View logs

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 21, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 7 updates#12

Bump the npm_and_yarn group across 1 directory with 7 updates#12
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-4cc8e63e19

dependabot bot commented on behalf of github Mar 21, 2026

Uh oh!

cloudflare-workers-and-pages bot commented Mar 21, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 21, 2026

@​sveltejs/kit@​2.53.3

Patch Changes

@​sveltejs/kit@​2.53.2

Patch Changes

@​sveltejs/kit@​2.53.1

Patch Changes

@​sveltejs/kit@​2.53.0

Minor Changes

Patch Changes

@​sveltejs/kit@​2.52.2

Patch Changes

2.53.3

Patch Changes

2.53.2

Patch Changes

2.53.1

Patch Changes

2.53.0

Minor Changes

Patch Changes

2.52.2

Patch Changes

svelte@5.53.5

Patch Changes

svelte@5.53.4

Patch Changes

svelte@5.53.3

Patch Changes

svelte@5.53.2

Patch Changes

svelte@5.53.1

Patch Changes

svelte@5.53.0

Minor Changes

Patch Changes

5.53.5

Patch Changes

5.53.4

Patch Changes

5.53.3

Patch Changes

5.53.2

Patch Changes

5.53.1

Patch Changes

5.53.0

Minor Changes

v5.6.4

Patch Changes

v5.6.3

Patch Changes

v5.6.2

Patch Changes

v5.6.1

Patch Changes

v5.6.0

Minor Changes

v5.5.0

Minor Changes

5.6.4

Patch Changes

5.6.3

Patch Changes

5.6.2

Patch Changes

5.6.1

Patch Changes

5.6.0

Minor Changes

5.5.0

Minor Changes

v4.59.1

4.59.1

Bug Fixes

Pull Requests

v4.59.0

4.59.0

Features

`@sveltejs/kit@2`.53.3

`@sveltejs/kit@2`.53.2

`@sveltejs/kit@2`.53.1

`@sveltejs/kit@2`.53.0

`@sveltejs/kit@2`.52.2

cloudflare-workers-and-pages bot commented Mar 21, 2026 •

edited

Loading