deps(deps-dev): bump the svelte-ecosystem group with 2 updates #117

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bun/svelte-ecosystem-e8a628e26f

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Bumps the svelte-ecosystem group with 2 updates: @sveltejs/kit and svelte.

Updates @sveltejs/kit from 2.60.1 to 2.61.1

Release notes

Sourced from @sveltejs/kit's releases.

@sveltejs/kit@2.61.1

Patch Changes

  • fix: regression where routes starting and ending with a route group are not matched correctly (#15903)

@sveltejs/kit@2.61.0

Minor Changes

  • breaking: the .run() method has been removed from remote queries on both the client and the server. Use await query() directly instead — it now works everywhere (#15779)

  • feat: remote queries can now be awaited in any context (event handlers, module scope, async callbacks), not just inside reactive contexts. The cache is shared across reactive and non-reactive subscribers, so awaiting a query in an event handler will dedupe with components that have already subscribed to the same query. (#15779)

  • feat: live query instances are now themselves async-iterable (#15878)

  • feat: add programmatic submit method to form remote function instances (#15657)

  • feat: pass form remote function instance into enhance callback (#15657)

Patch Changes

  • fix: resolve the app payload without using process.env.NODE_ENV (#15852)

  • fix: support exactOptionalPropertyTypes for optional route params (#15825)

  • fix: correctly send true value to the server for 'submit' and 'hidden' form fields (#15858)

  • fix: avoid build warnings about undefined universal hooks (#15895)

  • fix: prefer default error page when failing to decode the URL pathname (#15744)

  • fix: disable link prefetching on slow internet connections (#15885)

  • fix: allow routes ending with optional parameters next to more specific routes (#15861)

  • fix: remove reliance on Content-Length header in deserialize_binary_form, which caused failures when proxies (e.g. Vercel, Azure) strip the header and use chunked transfer encoding (#15796)

Commits
  • b714743 Version Packages (#15904)
  • 131fdc7 fix: regression where routes starting and ending with a route group are not f...
  • 4f961ab Version Packages (#15853)
  • 1817da0 fix: support exactOptionalPropertyTypes for optional route params (#15825)
  • 8feb2af chore: dedupe replacer code (#15877)
  • 95ca921 fix: remove Content-Length dependency in binary form deserialization (#15796)
  • e75024c feat: LiveQuery self-iterability (#15878)
  • 0cc67d9 fix: avoid build warnings about undefined hooks on Windows (#15895)
  • 1949057 chore(prefetch): disable link prefetching on slow internet connections (#15885)
  • 69b5787 fix: prefer the default error page when failing to decode the URL pathname (#...
  • Additional commits viewable in compare view

Updates svelte from 5.55.8 to 5.55.9

Release notes

Sourced from svelte's releases.

svelte@5.55.9

Patch Changes

  • fix: don't unset batch when calling {#await ...} promise (#18243)

  • fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

  • fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

  • fix: avoid false-positive batch invariant error (#18246)

  • fix: inline primitive constants in attribute values during SSR (#18232)

Bumps the svelte-ecosystem group with 2 updates: [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) and [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte).


Updates `@sveltejs/kit` from 2.60.1 to 2.61.1
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.61.1/packages/kit)

Updates `svelte` from 5.55.8 to 5.55.9
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.55.9/packages/svelte)

---
updated-dependencies:
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: svelte-ecosystem
- dependency-name: svelte
  dependency-version: 5.55.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: svelte-ecosystem
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 25, 2026

dependabot Bot commented on behalf of github May 25, 2026

Labels

The following labels could not be found: bun. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

coderabbitai Bot commented May 25, 2026

Walkthrough

Two development dependencies are updated to patch versions: @sveltejs/kit to ^2.61.1 and svelte to ^5.55.9. No other configuration or scripts are modified.

Changes

Development dependencies

| Layer / File(s) | Summary |
|---|---|
| Dependency version updates: package.json | @sveltejs/kit and svelte devDependencies are updated to their latest patch versions. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

javascript

Suggested reviewers

  • Divkix

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: bumping dependencies in the svelte-ecosystem group with 2 updates to @sveltejs/kit and svelte. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description clearly describes the dependency updates including package names, versions, and release notes. |

@coderabbitai coderabbitai Bot added the javascript Pull requests that update javascript code label May 25, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

📥 Commits

Reviewing files that changed from the base of the PR and between 66aafbb and 6949aca.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: E2E Tests
  • GitHub Check: Docker Build
  • GitHub Check: Build Verification
  • GitHub Check: Integration Tests
  • GitHub Check: Lint & Type Check

Comment thread package.json
"@internationalized/date": "^3.12.1",
"@playwright/test": "^1.60.0",
"@sveltejs/kit": "^2.60.1",
"@sveltejs/kit": "^2.61.1",

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify @sveltejs/kit@2.61.1 exists and check for vulnerabilities

# Check if the version exists on npm
echo "=== Checking @sveltejs/kit@2.61.1 exists ==="
npm view @sveltejs/kit@2.61.1 version

# Check for security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "@sveltejs/kit") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: Divkix/Logwell

Length of output: 2744


Update the lockfile so installs use the bumped, non-vulnerable dependency versions
package.json bumps @sveltejs/kit to ^2.61.1, but package-lock.json still pins @sveltejs/kit to 2.59.1, so installs won’t pick up the intended upgrade. @sveltejs/kit@2.61.1 exists, and advisories indicate versions <= 2.60.0 are affected (patched at 2.60.1), which includes 2.59.1. Regenerate and commit the lockfile (e.g., via bun install / npm install) so it matches package.json (also svelte appears similarly out of sync).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 41, package.json was updated to bump "`@sveltejs/kit`" to
^2.61.1 (and svelte), but the lockfile still pins older vulnerable versions
(e.g., package-lock.json showing 2.59.1); regenerate the lockfile so installs
pick up the non-vulnerable releases: run your package manager install (npm
install or bun install) to update package-lock.json (or bun.lock/tpn lock) so
"`@sveltejs/kit`" and "svelte" resolve to the bumped versions, verify the lockfile
now references 2.61.1 (or >=2.60.1) and commit the updated lockfile with the
change.

Comment thread package.json
"knip": "^6.14.1",
"mode-watcher": "^1.1.0",
"svelte": "^5.55.8",
"svelte": "^5.55.9",

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify svelte@5.55.9 exists and check for vulnerabilities

# Check if the version exists on npm
echo "=== Checking svelte@5.55.9 exists ==="
npm view svelte@5.55.9 version

# Check for security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "svelte") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: Divkix/Logwell

Length of output: 2641


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate lockfiles
echo "=== Lockfiles present ==="
ls -la package-lock.json bun.lockb 2>/dev/null || true

echo
echo "=== package.json svelte spec ==="
cat package.json | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{const j=JSON.parse(s);console.log(j.dependencies?.svelte ?? j.devDependencies?.svelte ?? j.svelte)})'

echo
echo "=== svelte versions in package-lock.json ==="
if [ -f package-lock.json ]; then
  rg -n '"svelte"' package-lock.json | head -n 50
  echo
  rg -n '"name": "svelte"|"svelte@' package-lock.json | head -n 50 || true
  echo
  rg -n '"version": "5\.55\.' package-lock.json | head -n 50
fi

echo
echo "=== bun.lockb exists? ==="
if [ -f bun.lockb ]; then
  echo "bun.lockb present (cannot easily parse without bun)."
fi

Repository: Divkix/Logwell

Length of output: 1075


🏁 Script executed:

#!/bin/bash
set -euo pipefail
node -e 'const fs=require("fs");const j=JSON.parse(fs.readFileSync("package.json","utf8")); console.log("packageManager:", j.packageManager ?? "(none)"); console.log("scripts keys:", j.scripts?Object.keys(j.scripts):[]);'

Repository: Divkix/Logwell

Length of output: 608


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "bun install|bun\.lockb|\bBun\b|package-lock\.json|npm ci|npm install" -S README* package.json .github workflows* 2>/dev/null || true

Repository: Divkix/Logwell

Length of output: 2688


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Does package-lock.json contain 5.55.9? ==="
rg -n "5\.55\.9" package-lock.json || true

echo
echo "=== Does package-lock.json contain svelte spec ^5.55.9? ==="
rg -n "\"svelte\": \"\^5\.55\.9\"" package-lock.json || true

echo
echo "=== Show context around the found svelte version 5.55.7 (line ~6619) ==="
sed -n '6605,6635p' package-lock.json | cat -n

Repository: Divkix/Logwell

Length of output: 1669


🌐 Web query:

Bun install --frozen-lockfile uses package-lock.json when bun.lockb missing

💡 Result:

In Bun, bun install --frozen-lockfile does not use package-lock.json as a fallback lockfile when bun.lock/bun.lockb is missing; it is defined to install exact versions from Bun’s own lockfile and fail if the lockfile would need updating, and Bun’s docs describe bun.lock as the lockfile used for --frozen-lockfile.

What Bun does instead when bun.lock is missing:

  • If it detects pnpm-lock.yaml, Bun auto-migrates that into bun.lock during installation (the original pnpm-lock.yaml is preserved). [1]
  • Separately, Bun will “automatically migrate” other Node lockfiles (including package-lock.json) when running bun install in a project without a Bun lockfile. [2]

But that behavior is migration/update behavior; --frozen-lockfile is explicitly for reproducible installs that do not update the lockfile (Bun exits with an error if package.json disagrees with bun.lock, and the lockfile is not updated). [3]

So the premise “bun install --frozen-lockfile uses package-lock.json when bun.lockb is missing” is not supported by Bun’s documentation; rather, --frozen-lockfile is about the Bun lockfile, and package-lock.json is (at most) a source that Bun may migrate from during a non-frozen install. [2][3]

If you need CI behavior equivalent to “fail unless lockfile matches exactly”, ensure bun.lock is present in the repo (commit it) and use --frozen-lockfile with that. [3]


🏁 Script executed:

#!/bin/bash
set -euo pipefail
ls -la bun.lock bun.lockb 2>/dev/null || true

Repository: Divkix/Logwell

Length of output: 118


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== bun.lock contains 5.55.9? ==="
rg -n "5\.55\.9" bun.lock || true

echo
echo "=== bun.lock contains 5.55.7? ==="
rg -n "5\.55\.7" bun.lock || true

echo
echo "=== bun.lock occurrences for svelte ==="
rg -n "svelte@|\"svelte\"" bun.lock | head -n 50 || true

Repository: Divkix/Logwell

Length of output: 9394


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "npm ci|npm install|package-lock\.json" .github/workflows -S || true

Repository: Divkix/Logwell

Length of output: 249


Update package-lock.json to match svelte ^5.55.9 (package.json line 58)

package.json requires svelte ^5.55.9; bun.lock already resolves svelte@5.55.9, but package-lock.json still locks svelte@5.55.7. Update package-lock.json if npm installs are part of your workflow (or remove it if Bun-only).

Security: svelte@5.55.9 exists, and the reported GH advisories are for versions up to 5.55.6 with first patched version 5.55.7, so 5.55.9 is outside those ranges.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 58, package-lock.json currently locks svelte at 5.55.7
while package.json requires svelte ^5.55.9; update package-lock.json (or
regenerate it) so the resolved svelte entry matches 5.55.9 (or remove
package-lock.json if you intend to use Bun-only) to keep the lockfile consistent
with the dependency declared in package.json and your bun.lock resolution.
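
One way to catch the drift this review describes (a manifest range the lockfile no longer satisfies, or a pin below an advisory's first patched version), as an added example that is not part of the PR or of either bot's output. It assumes npm's lockfile v2/v3 `packages` layout and handles only caret and exact `x.y.z` ranges; `findLockDrift`, `satisfiesCaret` and the sample objects are hypothetical names, and the sample data is constructed from the version numbers quoted in the thread.

```javascript
// Added example: flag dependencies whose lockfile pin no longer matches the
// manifest. Assumes npm lockfile v2/v3 ("packages" keyed by node_modules path)
// and supports only caret ("^x.y.z") and exact ("x.y.z") ranges.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule: at least the floor, with everything up to and including the
// left-most non-zero component of the floor left unchanged.
function satisfiesCaret(version, range) {
  const exact = !range.startsWith("^");
  const floor = parseVersion(exact ? range : range.slice(1));
  const v = parseVersion(version);
  if (exact) return compare(v, floor) === 0;
  if (compare(v, floor) < 0) return false;
  const pivot = floor.findIndex((n) => n !== 0);
  const fixed = pivot === -1 ? 3 : pivot + 1;
  return floor.slice(0, fixed).every((n, i) => v[i] === n);
}

// firstPatched is an optional map of package name -> first patched version.
function findLockDrift(manifest, lock, firstPatched = {}) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const locked = (lock.packages || {})[`node_modules/${name}`]?.version ?? null;
    let issue = null;
    try {
      if (locked === null) issue = "missing-from-lockfile";
      else if (firstPatched[name] &&
               compare(parseVersion(locked), parseVersion(firstPatched[name])) < 0)
        issue = "locked-below-first-patched";
      else if (!satisfiesCaret(locked, range)) issue = "locked-outside-range";
    } catch {
      issue = "unsupported-range-or-version"; // e.g. "~1.2.3", "workspace:*", prereleases
    }
    if (issue) findings.push({ name, range, locked, issue });
  }
  return findings;
}

// Constructed sample data; version numbers are the ones quoted in the thread.
const sampleManifest = {
  devDependencies: { "@sveltejs/kit": "^2.61.1", svelte: "^5.55.9", knip: "^6.14.1" },
};
const sampleLock = {
  lockfileVersion: 3, // assumed format
  packages: {
    "": { name: "example-app" },
    "node_modules/@sveltejs/kit": { version: "2.59.1" },
    "node_modules/svelte": { version: "5.55.7" },
    "node_modules/knip": { version: "6.14.1" }, // constructed: in range
  },
};
const samplePatched = { "@sveltejs/kit": "2.60.1", svelte: "5.55.7" };

const sampleFindings = findLockDrift(sampleManifest, sampleLock, samplePatched);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Run as a CI step against the real `package.json` and `package-lock.json`, a non-empty result is a reason to fail the build before a stale pin reaches an install.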

dependabot Bot commented on behalf of github Jun 2, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 2, 2026
@dependabot dependabot Bot deleted the dependabot/bun/svelte-ecosystem-e8a628e26f branch June 2, 2026 23:06