Skip to content

fix(deps): update all non-major dependencies#733

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#733
renovate[bot] wants to merge 1 commit intomainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Aug 25, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@babel/types (source) ^7.28.2^7.29.0 age confidence devDependencies minor
@​ryoppippi/eslint-config ^0.0.23^0.0.28 age confidence devDependencies patch
@sveltejs/kit (source) ^2.34.1^2.57.1 age confidence devDependencies minor 2.58.0
@types/node (source) ^24.3.0^24.12.2 age confidence devDependencies minor
actions/checkout v6.0.0v6.0.2 age confidence action patch
actions/setup-node v6.0.0v6.4.0 age confidence action minor
budoux (source) ^0.6.4^0.8.1 age confidence peerDependencies minor
budoux (source) ^0.6.4^0.8.1 age confidence devDependencies minor
defu ^6.1.4^6.1.7 age confidence dependencies patch
eslint (source) ^9.14.0^9.39.4 age confidence devDependencies minor
eslint-plugin-svelte (source) ^3.11.0^3.17.0 age confidence devDependencies minor 3.17.1
magic-string ^0.30.17^0.30.21 age confidence dependencies patch
node-html-parser ^7.0.1^7.1.0 age confidence dependencies minor
pnpm (source) 10.15.010.33.0 age confidence packageManager minor 10.33.2 (+1)
publint (source) ^0.3.12^0.3.18 age confidence devDependencies patch
svelte (source) >= 5.38.2>= 5.55.4 age confidence peerDependencies minor 5.55.5
svelte (source) 5.38.25.55.4 age confidence devDependencies minor 5.55.5
svelte-eslint-parser ^1.3.1^1.6.0 age confidence devDependencies minor
tsdown (source) ^0.13.4^0.21.9 age confidence devDependencies minor 0.21.10
typescript (source) ^5.9.2^5.9.3 age confidence devDependencies patch
unplugin-unused ^0.5.2^0.5.7 age confidence devDependencies patch
zimmerframe ^1.1.2^1.1.4 age confidence dependencies patch

Release Notes

babel/babel (@​babel/types)

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature
🐛 Bug Fix
  • babel-parser
  • babel-traverse
    • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
  • babel-plugin-transform-block-scoping, babel-traverse
    • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)
🏃‍♀️ Performance
Committers: 6

v7.28.6

Compare Source

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix
  • babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • babel-plugin-transform-regenerator
  • babel-plugin-transform-react-jsx
💅 Polish
  • babel-core, babel-standalone
🏠 Internal
  • babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
🏃‍♀️ Performance
Committers: 7

v7.28.5

Compare Source

👓 Spec Compliance
🐛 Bug Fix
  • babel-plugin-proposal-destructuring-private
  • babel-parser
  • babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring
  • babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types
  • babel-traverse
🏠 Internal
🏃‍♀️ Performance

v7.28.4

Compare Source

🏠 Internal
sveltejs/kit (@​sveltejs/kit)

v2.57.1

Compare Source

Patch Changes

  • fix: better validation for redirect inputs (10d7b44)

  • fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

  • fix: use default values as fallbacks (#​15680)

  • fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes
  • feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)
Patch Changes

  • fix: use array type for select fields that accept multiple values (#​15591)

  • fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

  • fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

  • fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

  • fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

v2.56.0

Compare Source

Minor Changes

  • breaking: rework client-driven refreshes (#​15562)

  • breaking: stabilize remote function caching by sorting object keys (#​15570)

  • breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

  • feat: support TypeScript 6.0 (#​15595)

  • breaking: isolate command-triggered query refresh failures per-query (#​15562)

  • feat: use hydratable for remote function transport (#​15533)

  • feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes

  • fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

  • fix: allow using multiple remote functions within one async derived (#​15561)

  • fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

  • fix: manage queries in their own $effect.root (#​15533)

  • fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

  • fix: correctly escape backticks when precomputing CSS (#​15593)

  • fix: discard obsolete forks before finishing navigation (#​15634)

  • chore: tighten up override implementation (#​15562)

  • fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

  • fix: deduplicate same-cache-key batch calls during SSR (#​15533)

  • fix: decrement pending_count when form callback doesn't call submit() (#​15520)

v2.55.0

Compare Source

Minor Changes
  • feat: page and layout params with matchers are now type narrowed in $app/types, leading to better type safety when working with params in $app/types, $app/state, and hooks. (#​15502)

v2.54.0

Compare Source

Minor Changes
  • feat: allow error boundaries to catch errors on the server (#​15308)
Patch Changes

  • chore: upgrade devalue (#​15535)

  • fix: don't wait for remote functions that are not awaited in the template (#​15280)

  • feat: allow resolve() to accept pathnames with a search string and/or hash (#​15458)

  • chore: remove deprecation warnings for config.kit.files.* options when validating the Svelte config file (#​15482)

  • fix: handles form target attribute in remote form redirects (#​15457)

v2.53.4

Compare Source

Patch Changes
  • fix: avoid Vite warning about unknown codeSplitting option (#​15451)

v2.53.3

Compare Source

Patch Changes
  • fix: prevent overlapping file metadata in remote functions form (faba869)

v2.53.2

Compare Source

Patch Changes

  • fix: server-render nested form value sets (#​15378)

  • fix: use deep partial types for form remote functions .value() and .set(...) (#​14837)

  • fix: provide correct url info to remote functions (#​15418)

  • fix: allow optional types for remote query/command/prerender functions (#​15293)

  • fix: allow commands in more places (#​15288)

v2.53.1

Compare Source

Patch Changes
  • fix: address warning about inlineDynamicImports when using Vite 8 (#​15403)

v2.53.0

Compare Source

Minor Changes
Patch Changes

  • fix: remove event listeners on form attachment cleanup (#​15286)

  • fix: apply queries refreshed in a form remote function when a redirect is thrown (#​15362)

v2.52.2

Compare Source

Patch Changes

  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#​15339)

  • fix: parse file offset table more strictly (f47c01b)

v2.52.0

Compare Source

Minor Changes
  • feat: match function to map a path back to a route id and params (#​14997)
Patch Changes

  • fix: respect scroll-margin when navigating to a url-supplied anchor (#​15246)

  • fix: resolve will narrow types to follow trailing slash page settings (#​15027)

v2.51.0

Compare Source

Minor Changes

  • feat: add scroll property to NavigationTarget in navigation callbacks (#​15248)

    Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

    • from.scroll: The scroll position at the moment navigation was triggered
    • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

    This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

  • feat: hydratable's injected script now works with CSP (#​15048)

Patch Changes

  • fix: put preloads before styles (#​15232)

  • fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#​15269)

  • fix: fetch not working when URL is same host but different than paths.base (#​15291)

  • fix: navigate to hash link when base element is present (#​15236)

  • fix: avoid triggering handleError when redirecting in a remote function (#​15222)

  • fix: include test directory in generated tsconfig.json alongside existing tests entry (#​15254)

  • fix: generate tsconfig.json using the value of kit.files.src (#​15253)

v2.50.2

Compare Source

Patch Changes

  • fix: ensure inlined CSS follows paths.assets and paths.relative settings (#​15153)

  • fix: emit script CSP nonces when unsafe-inline is present if strict-dynamic is also present (#​15221)

  • fix: re-export browser/dev from esm-env (#​15206)

  • fix: use validated args in batch resolver in both csr and ssr (#​15215)

  • fix: ensure CSS inlining includes components that are conditionally rendered (#​15153)

  • fix: only match rest params with matchers when the matcher matches (#​15216)

  • fix: properly handle percent-encoded anchors (e.g. <a href="#sparkles-%E2%9C%A8">) during prerendering. (#​15231)

v2.50.1

Compare Source

Patch Changes

  • fix: include hooks.server and hooks.universal as explicit Vite build inputs to ensure assets imported by hooks files are correctly discovered (#​15178)

  • fix: improves fields type for generic components (#​14974)

  • fix: preload links if href changes (#​15191)

v2.50.0

Compare Source

Minor Changes
  • breaking: remove buttonProps from experimental remote form functions; use e.g. <button {...myForm.fields.action.as('submit', 'register')}>Register</button> button instead (#​15144)

v2.49.5

Compare Source

Patch Changes

  • fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

  • fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

  • fix: add length checks to remote forms (8ed8155)

v2.49.4

Compare Source

Patch Changes

  • fix: support instrumentation for vite preview (#​15105)

  • fix: support for URLSearchParams.has(name, value) overload (#​15076)

  • fix: put forking behind experimental.forkPreloads (#​15135)

v2.49.3

Compare Source

Patch Changes

  • fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#​15121)

  • fix: add typescript as an optional peer dependency (#​15074)

  • fix: use hasOwn check when deep-setting object properties (#​15127)

v2.49.2

Compare Source

Patch Changes

  • fix: Stop re-loading already-loaded CSS during server-side route resolution (#​15014)

  • fix: posixify the instrumentation file import on Windows (#​14993)

  • fix: Correctly handle shared memory when decoding binary form data (#​15028)

v2.49.1

Compare Source

Patch Changes

  • fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#​15013)

  • fix: TypeError when doing response.clone() in page load (#​15005)

v2.49.0

Compare Source

Minor Changes
  • feat: stream file uploads inside form remote functions allowing form data to be accessed before large files finish uploading (#​14775)

v2.48.8

Compare Source

Patch Changes

  • breaking: invalid now must be imported from @sveltejs/kit (#​14768)

  • breaking: remove submitter option from experimental form validate() method, always provide default submitter (#​14762)

v2.48.7

Compare Source

Patch Changes

  • fix: allow multiple server-timing headers (#​14700)

  • fix: allow access to root-level issues in schema-less forms (#​14893)

  • fix: allow hosting hash-based apps from non-index.html files (#​14825)

v2.48.6

Compare Source

Patch Changes

  • fix: clear issues upon passing validation (#​14683)

  • fix: don't use fork of unrelated route (#​14947)

  • fix: prevent type errors when optional @opentelemetry/api dependency isn't installed (#​14949)

  • fix: preserve this when invoking standard validator (#​14943)

  • fix: treat client/universal hooks as entrypoints for illegal server import detection (#​14876)

  • fix: correct query .set and .refresh behavior in commands (#​14877)

  • fix: improved the accuracy of the types of the output of field.as('...') (#​14908)

v2.48.5

Compare Source

Patch Changes

  • fix: wait an extra microtask in dev before calling $_init_$ (#​14799)

  • fix: discard preload fork before creating a new one (#​14865)

  • fix: delete RemoteFormAllIssue, add path to RemoteFormIssue (#​14864)

v2.48.4

Compare Source

Patch Changes

  • fix: adjust query's promise implementation to properly allow chaining (#​14859)

  • fix: make prerender cache work, including in development (#​14860)

v2.48.3

Compare Source

Patch Changes

  • fix: include hash when using resolve with hash routing enabled (#​14786)

  • fix: afterNavigate callback not running after hydration when experimental async is enabled (#​14644)
    fix: Snapshot restore method not called after reload when experimental async is enabled

  • fix: expose issue.path in .allIssues() (#​14784)

v2.48.2

Compare Source

Patch Changes
  • fix: update DOM before running navigate callbacks (#​14829)

v2.48.1

Compare Source

Patch Changes
  • fix: wait for commit promise instead of settled (#​14818)

v2.48.0

Compare Source

Minor Changes
  • feat: use experimental fork API when available (#​14793)
Patch Changes
  • fix: await for settled instead of tick in navigate (#​14800)

v2.47.3

Compare Source

Patch Changes

  • fix: avoid hanging when error() is used while streaming promises from a server load function (#​14722)

  • chore: treeshake load function code if we know it's unused (#​14764)

  • fix: RecursiveFormFields type for recursive or unknown schemas (#​14734)

  • fix: rework internal representation of form value to be $state (#​14771)

v2.47.2

Compare Source

Patch Changes

  • fix: streamed promise not resolving when another load function returns a fast resolving promise (#​14753)

  • chore: allow to run preflight validation only (#​14744)

  • fix: update overload to set invalid type to schema input (#​14748)

v2.47.1

Compare Source

Patch Changes

  • fix: allow read to be used at the top-level of remote function files (#​14672)

  • fix: more robust remote files generation (#​14682)

v2.47.0

Compare Source

Minor Changes
Patch Changes
  • fix: resolve remote module syntax errors with trailing expressions (#​14728)

v2.46.5

Compare Source

Patch Changes
  • fix: ensure form remote functions' fields.set triggers reactivity (#​14661)

v2.46.4

Compare Source

Patch Changes
  • fix: prevent access of Svelte 5-only untrack function (#​14658)

v2.46.3

Compare Source

Patch Changes

  • fix: merge field.set(...) calls (#​14651)

  • fix: don't automatically reset form after an enhanced submission (#​14626)

  • fix: normalize path strings when updating field values (#​14649)

v2.46.2

Compare Source

Patch Changes
  • fix: prevent code execution order issues around SvelteKit's env modules (#​14637)

v2.46.1

Compare Source

Patch Changes

  • fix: use $derived for form fields (#​14621)

  • docs: remove @example blocks to allow docs to deploy (#​14636)

  • fix: require a value with submit and hidden fields (#​14635)

  • fix: delete hydration cache on effect teardown (#​14611)

v2.46.0

Compare Source

Minor Changes
  • feat: imperative form validation (#​14624)
Patch Changes

  • fix: wait a tick before collecting form data for validation (#​14631)

  • fix: prevent code execution order issues around SvelteKit's env modules (#​14632)

v2.45.0

Compare Source

Minor Changes
  • feat: form.for(id) now implicitly sets id on form object (#​14623)
Patch Changes
  • fix: allow fetch in remote function without emitting a warning (#​14610)

v2.44.0

Compare Source

Minor Changes

  • feat: expose event.route and event.url to remote functions (#​14606)

  • breaking: update experimental form API (#​14481)

Patch Changes
  • fix: don't crawl error responses during prerendering (#​14596)

v2.43.8

Compare Source

Patch Changes

  • fix: HMR for query (#​14587)

  • fix: avoid client modules while traversing dependencies to prevent FOUC during dev (#​14577)

  • fix: skip prebundling of .remote.js files (#​14583)

  • fix: more robust remote file pattern matching (#​14578)

v2.43.7

Compare Source

Patch Changes

  • fix: correctly type the result of form remote functions that do not accept data (#​14573)

  • fix: force remote module chunks to isolate themselves (#​14571)

v2.43.6

Compare Source

Patch Changes

  • fix: ensure cache key is consistent between client/server (#​14563)

  • fix: keep resolve relative to initial base during prerender (#​14533)

  • fix: avoid including HEAD twice when an unhandled HTTP method is used in a request to a +server handler that has both a GET handler and a HEAD handler (#​14564)

  • fix: smoothscroll to deep link (#​14569)

v2.43.5

Compare Source

Patch Changes
  • fix: fall back to non-relative resolution when calling resolve(...) outside an event context (#​14532)

v2.43.4

Compare Source

Patch Changes
  • fix: Webcontainer AsyncLocalStorage workaround (#​14526)

v2.43.3

Compare Source

Patch Changes

  • fix: Webcontainer AsyncLocalStorage workaround (#​14521)

  • fix: include the value of form submitters on form remote functions (#​14475)

v2.43.2

Compare Source

Patch Changes

  • fix: ensure rendering starts off synchronously (#​14517)

  • fix: keep serialized remote data alive until navigation (#​14508)

v2.43.1

Compare Source

Patch Changes
  • fix: consistently use bare import for internals (#​14506)

v2.43.0

Compare Source

Minor Changes
Patch Changes

  • fix: ensure __SVELTEKIT_PAYLOAD__.data is accessed safely (#​14491)

  • fix: create separate cache entries for non-exported remote function queries (#​14499)

v2.42.2

Compare Source

Patch Changes

  • fix: prevent loops in postbuild analysis phase (#​14450)

  • fix: handle nested object fields in form data (#​14469)

  • fix: robustify form helper types (#​14463)

  • fix: avoid running the init hook during builds if there's nothing to prerender (#​14464)

  • fix: ensure SSR rendering gets request store context (#​14476)

v2.42.1

[Compare Source](https://redirect.github.com/s

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Aug 25, 2025
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 6a5a0d1 to b42e264 Compare August 31, 2025 18:01
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from f8e1bed to d937629 Compare September 13, 2025 21:06
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from f25f489 to 80d991e Compare September 19, 2025 02:11
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 56d156b to 874b6be Compare October 2, 2025 19:12
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 93ee5df to f3fe110 Compare October 10, 2025 14:54
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from a68eab3 to 60f5ab1 Compare October 16, 2025 10:10
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Nov 23, 2025
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm linkedom is 92.0% likely obfuscated

Confidence: 0.92

Location: Package overview

From: pnpm-lock.yamlnpm/budoux@0.8.1npm/linkedom@0.18.12

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/linkedom@0.18.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm svelte is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: examples/hooks-sveltekit/package.jsonnpm/svelte@5.55.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@5.55.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Feb 27, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​babel/​types@​7.28.2 ⏵ 7.29.098 +110081 +192100
Updated@​types/​node@​24.3.1 ⏵ 24.12.2100 +110081 +195100
Updated@​sveltejs/​kit@​2.37.0 ⏵ 2.57.199 +1100 +2381 +197100
Updatedpublint@​0.3.12 ⏵ 0.3.18100 +110081 +186 -3100
Updatedzimmerframe@​1.1.2 ⏵ 1.1.4100100100 +183100
Updatednode-html-parser@​7.0.1 ⏵ 7.1.09910010084100
Updatedmagic-string@​0.30.18 ⏵ 0.30.21100 +1100100 +186100
Updatedunplugin-unused@​0.5.2 ⏵ 0.5.789 +7100100 +187 -2100
Updatedsvelte@​5.38.2 ⏵ 5.55.488 -11100 +688 +297100
Updatedtsdown@​0.13.5 ⏵ 0.21.109810088 +196100
Updateddefu@​6.1.4 ⏵ 6.1.7100100 +16100 +189100
Updatedbudoux@​0.6.4 ⏵ 0.8.192 -110097 -289 +8100
Updatedeslint@​9.34.0 ⏵ 9.39.489 +110010097100
Updatedtypescript@​5.9.2 ⏵ 5.9.310010090 +110090
Updatedsvelte-eslint-parser@​1.3.1 ⏵ 1.6.09810010092100
Updatedeslint-plugin-svelte@​3.12.2 ⏵ 3.17.19710010098 +3100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants