chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@sveltejs/kit	2.53.4	2.65.0
svelte	5.53.8	5.56.3
vite	7.3.1	8.0.16
flatted	3.4.1	3.4.2
lodash-es	4.17.23	4.18.1

Updates @sveltejs/kit from 2.53.4 to 2.65.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.65.0

Minor Changes

• feat: allow queries to refresh other queries (#16012)

Patch Changes

• fix: dedupe remote data (#15991)

• fix: skip client build if all routes have CSR disabled (#15936)

@​sveltejs/kit@​2.64.0

Minor Changes

• feat: allow commands to receive File objects (#15978)

Patch Changes

• fix: avoid server components from being bundled if SSR is turned off for a route (#15982)

@​sveltejs/kit@​2.63.1

Patch Changes

• fix: use SSE for query.live (#15957)

• fix: use forward slashes in the generated env.d.ts import path on Windows (#15977)

• fix: allow $app/environment with a warning when explicitEnvironmentVariables is enabled (#15980)

• fix: avoid importing Vite while validating explicit environment variables (#15953)

• docs: adjust the release version of explicit env vars (#15968)

• fix: ensure version is defined when importing from $app/env with explicit environment variables (#15971)

@​sveltejs/kit@​2.63.0

Minor Changes

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.65.0

Minor Changes

• feat: allow queries to refresh other queries (#16012)

Patch Changes

• fix: dedupe remote data (#15991)

• fix: skip client build if all routes have CSR disabled (#15936)

2.64.0

Minor Changes

• feat: allow commands to receive File objects (#15978)

Patch Changes

• fix: avoid server components from being bundled if SSR is turned off for a route (#15982)

2.63.1

Patch Changes

• fix: use SSE for query.live (#15957)

• fix: use forward slashes in the generated env.d.ts import path on Windows (#15977)

• fix: allow $app/environment with a warning when explicitEnvironmentVariables is enabled (#15980)

• fix: avoid importing Vite while validating explicit environment variables (#15953)

• docs: adjust the release version of explicit env vars (#15968)

• fix: ensure version is defined when importing from $app/env with explicit environment variables (#15971)

2.63.0

Minor Changes

... (truncated)

Commits

• ce77bf3 Version Packages (#15988)
• 372a6a6 fix: dedupe remote data (#15991)
• 607713e fix: copy public directory assets if client build is skipped (#16004)
• 3968fb9 fix: skip client build if all routes have CSR disabled (#15936)
• 1c30797 Version Packages (#15984)
• c630529 feat: allow commands to receive File objects (#15978)
• 1a2c1fd fix: avoid adding the component to the server node if SSR is turned off (#15982)
• 33dec0e Version Packages (#15962)
• 0fd507c fix: allow $app/environment with a warning when `explicitEnvironmentVariabl...
• a31fdc6 docs: fix explicit env vars docs version (#15968)
• Additional commits viewable in compare view

Updates svelte from 5.53.8 to 5.56.3

Release notes

Sourced from svelte's releases.

svelte@5.56.3

Patch Changes

• fix: ignore errors that occur in destroyed effects (#18384)

• fix: type BigInts in $state.snapshot(...) return values (#18388)

svelte@5.56.2

Patch Changes

• fix: properly track effect end node for async sibling component (#18371)

• fix: prevent false-positive reactivity loss warning (#18373)

• chore: bump esrap dependency (#18372)

• fix: ignore declaration tags for animation directive (#18366)

• fix: reject pending async deriveds on discard (#18308)

svelte@5.56.1

Patch Changes

• fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

• fix: parse declaration tag contents more robustly (#18353)

• fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

• fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

• fix: tolerate whitespace before let/const in declaration tags (#18348)

• fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

• fix: more robust parsing of declaration tags with regards to type (#18330)

• fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

• fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

• fix: check references for blockers on server, too (#18352)

svelte@5.56.0

Minor Changes

• feat: allow declarations in the template (#18282)

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.56.3

Patch Changes

• fix: ignore errors that occur in destroyed effects (#18384)

• fix: type BigInts in $state.snapshot(...) return values (#18388)

5.56.2

Patch Changes

• fix: properly track effect end node for async sibling component (#18371)

• fix: prevent false-positive reactivity loss warning (#18373)

• chore: bump esrap dependency (#18372)

• fix: ignore declaration tags for animation directive (#18366)

• fix: reject pending async deriveds on discard (#18308)

5.56.1

Patch Changes

• fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

• fix: parse declaration tag contents more robustly (#18353)

• fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

• fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

• fix: tolerate whitespace before let/const in declaration tags (#18348)

• fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

• fix: more robust parsing of declaration tags with regards to type (#18330)

• fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

• fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

• fix: check references for blockers on server, too (#18352)

5.56.0

Minor Changes

... (truncated)

Commits

• a9f4854 Version Packages (#18389)
• 71a6515 fix: check boundary exists before calling error handler in async derived (#18...
• 3d83c9a fix: add bigint to Primitive type for $state.snapshot (#18388)
• 51baf1c Version Packages (#18357)
• 3d5c4ab fix: prevent false-positive reactivity loss warning (#18373)
• bdb1a0f fix: ensure async block assigns correct nodes to effect (#18371)
• e4bfc5f chore: bump esrap dependency (#18372)
• 1b4c43b fix: ignore declaration tags for animation directive (#18366)
• 85dcb91 chore: upgrade to vitest v4 (#18265)
• a81f965 fix: reject pending async deriveds on discard (#18308)
• Additional commits viewable in compare view

Updates vite from 7.3.1 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

Updates devalue from 5.6.3 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Commits

• 796ea83 Version Packages (#152)
• 206ca67 Merge commit from fork
• 14933f7 Version Packages (#151)
• c5115b0 feat: stringifyAsync (#150)
• 67dad45 docs: update README to reflect serialization stability non-goal (#147)
• 6eb920a Version Packages (#146)
• 8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
• 2eee2e4 Version Packages (#144)
• 498656e DataView support (#143)
• 5590634 Improve platform types support (#142)
• Additional commits viewable in compare view

Updates flatted from 3.4.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• See full diff in compare view

Updates lodash-es from 4.17.23 to 4.18.1

Release notes

Sourced from lodash-es's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates postcss from 8.5.8 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.