chore(deps): Bump the npm-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the npm-dependencies group with 9 updates in the /frontend directory:

Package	From	To
dompurify	3.2.6	3.3.1
marked	16.0.0	17.0.1
socket.io-client	4.8.1	4.8.3
@types/node	24.3.1	25.0.3
esbuild	0.25.9	0.27.2
gts	6.0.2	7.0.0
jsdom	27.2.0	27.4.0
typescript	5.9.2	5.9.3
vitest	4.0.10	4.0.16

Updates dompurify from 3.2.6 to 3.3.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

Commits

• 6fc446a Merge pull request #1175 from cure53/main
• 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
• 9863f41 chore: Preparing 3.3.1 release
• b4e0295 chore: Preparing 3.3.0 release
• 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
• 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
• 4c76b6f Use correct ESM import syntax (#1173)
• 27e8496 Merge pull request #1168 from MariusRumpf/add-forbid-contents
• a920096 Add ADD_FORBID_CONTENTS setting to extend default list
• ac64660 Merge pull request #1163 from cure53/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Updates marked from 16.0.0 to 17.0.1

Release notes

Sourced from marked's releases.

v17.0.1

17.0.1 (2025-11-20)

Bug Fixes

• fix block elements in task item (#3828) (921ee22)

v17.0.0

17.0.0 (2025-11-07)

Bug Fixes

• only create tokens inside tokenizers (#3755) (7b19231)

BREAKING CHANGES

• Change how consecutive text tokens work in lists
• Simplify listItem renderer
• Checkbox token is added in list tokenizer
• Checkbox token add type and raw property
• Change loose list text tokens to paragraph type in the list tokenizer

v16.4.2

16.4.2 (2025-11-06)

Bug Fixes

• Avoid RegExp lookbehind assertions (#3816) (#3817) (c056df0)

v16.4.1

16.4.1 (2025-10-17)

Bug Fixes

• resolve even-numbered backtick precedence issue (#3776) (#3786) (1da8fb5)

v16.4.0

16.4.0 (2025-10-07)

Bug Fixes

... (truncated)

Commits

• 16209f5 chore(release): 17.0.1 [skip ci]
• 921ee22 fix: fix block elements in task item (#3828)
• 1e47df2 chore(deps-dev): Bump @​semantic-release/npm from 13.1.1 to 13.1.2 (#3841)
• 8a355d1 chore(deps-dev): Bump @​markedjs/eslint-config from 1.0.13 to 1.0.14 (#3835)
• c43a67e chore(deps-dev): Bump eslint from 9.39.0 to 9.39.1 (#3834)
• de635d8 chore(deps-dev): Bump esbuild from 0.25.12 to 0.27.0 (#3833)
• 554cd8d chore(deps-dev): Bump marked-highlight from 2.2.2 to 2.2.3 (#3832)
• 1711dbb chore(deps-dev): Bump @​semantic-release/github from 12.0.1 to 12.0.2 (#3831)
• 23b9d01 docs: Modernize Docs UI with Tailwind, Dark Mode, and Improved Layout (#3814)
• 9657f0b chore(release): 17.0.0 [skip ci]
• Additional commits viewable in compare view

Updates socket.io-client from 4.8.1 to 4.8.3

Release notes

Sourced from socket.io-client's releases.

socket.io-client@4.8.2

Bug Fixes

• bundle: do not mangle the "_placeholder" attribute (bis) (cdae019)
• drain queue before emitting "connect" (#5259) (d19928e)

Dependencies

• engine.io-client@~6.6.1 (no change)
• ws@~8.17.1 (no change)

Commits

• e9e5bed chore(release): socket.io-client@4.8.3
• 9581f9b fix(sio): do not throw when calling io.close() on a stopped server
• 579d43f refactor: remove unused files
• ee9aac3 chore(release): socket.io-parser@4.2.5
• 968277c chore(release): socket.io-adapter@2.5.6
• 2bf16bd chore(release): engine.io-client@6.6.4
• ad61607 docs(eio): fix link in the release notes
• dd71792 chore(release): socket.io@4.8.2
• bb0b480 fix(sio): improve io.close() function (#5344)
• 161be91 test(sio): pin version of the client bundle in the tests
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for socket.io-client since your current version.

Updates @types/node from 24.3.1 to 25.0.3

Commits

• See full diff in compare view

Updates esbuild from 0.25.9 to 0.27.2

Release notes

Sourced from esbuild's releases.

v0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  // New output (with --minify)

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}

... (truncated)

Commits

• cd83297 publish 0.27.2 to npm
• 2759721 additional tests for switch with break
• fd2b4b3 update release notes
• c8d93a7 fix #4357: -webkit- prefix for mask shorthand (#4358)
• 92ff12c compat table: update @types/node
• a35eceb compat table: fix a type error with the new types
• f598984 fix make compat-table to install dependencies
• f7f6df0 release notes for #4361
• 6f8ec15 fix: allow subpath imports that start with #/ (#4361)
• f7ae61f minify some switch statements to if-else statement
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates gts from 6.0.2 to 7.0.0

Release notes

Sourced from gts's releases.

v7.0.0

7.0.0 (2025-12-04)

⚠ BREAKING CHANGES

• eslint use new config format (plus update deps) (#935)

Features

• eslint use new config format (plus update deps) (#935) (625836a)

Changelog

Sourced from gts's changelog.

7.0.0 (2025-12-04)

⚠ BREAKING CHANGES

• eslint use new config format (plus update deps) (#935)

Features

• eslint use new config format (plus update deps) (#935) (625836a)

Commits

• e0486de chore(main): release 7.0.0 (#936)
• 625836a feat!: eslint use new config format (plus update deps) (#935)
• See full diff in compare view

Updates jsdom from 27.2.0 to 27.4.0

Release notes

Sourced from jsdom's releases.

Version 27.4.0

• Added TextEncoder and TextDecoder.
• Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (ChALkeR)
• Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
• Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.

Version 27.3.0

• Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (acemir)

Changelog

Sourced from jsdom's changelog.

27.4.0

• Added TextEncoder and TextDecoder.
• Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (ChALkeR)
• Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
• Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.

27.3.0

• Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (acemir)

Commits

• 098d16d Version 27.4.0
• 1cd029e Improve asciiLowercase/asciiUppercase performance
• 83fcb62 Implement TextEncoder and TextDecoder; improve XML decoding
• ddad97d Switch from iconv-lite to exodus/bytes for decoding
• 25cb2a1 Use weak references for ranges
• ed4f5ed Add currently-failing CSS regression tests
• 56b75c2 Version 27.3.0
• decdb95 Update dependencies and dev dependencies
• 542b1a6 CSSOM improvements
• See full diff in compare view

Updates typescript from 5.9.2 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

Commits

• c63de15 Bump version to 5.9.3 and LKG
• 8428ca4 🤖 Pick PR #62438 (Fix incorrectly ignored dts file fr...) into release-5.9 (#...
• a131cac 🤖 Pick PR #62351 (Add missing Float16Array constructo...) into release-5.9 (#...
• 0424333 🤖 Pick PR #62423 (Revert PR 61928) into release-5.9 (#62425)
• bdb641a 🤖 Pick PR #62311 (Fix parenthesizer rules for manuall...) into release-5.9 (#...
• 0d9b9b9 🤖 Pick PR #61978 (Restructure CI to prepare for requi...) into release-5.9 (#...
• 2dce0c5 Intentionally regress one buggy declaration output to an older version (#62163)
• See full diff in compare view

Updates vitest from 4.0.10 to 4.0.16

Release notes

Sourced from vitest's releases.

v4.0.16

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by @​hi-ogawa in vitest-dev/vitest#9167 (da0ad)
• Avoid crashing on process.versions stub  -  by @​AriPerkkio in vitest-dev/vitest#9174 (78cfb)
• Reject calling suite function inside test  -  by @​hi-ogawa in vitest-dev/vitest#9198 (1a259)
• Allow inlining fully dynamic import  -  by @​hi-ogawa in vitest-dev/vitest#9137 (56851)
• Fix module graph UI on html reporter with headless browser mode  -  by @​hi-ogawa in vitest-dev/vitest#9219 (60642)
• Log deprecated test.poolOptions if it's set  -  by @​sheremet-va in vitest-dev/vitest#9226 (f7f6a)
• browser:
  • Import recordArtifact from the vitest package  -  by @​macarie in vitest-dev/vitest#9186 (01c56)
  • Fix import.meta.env define  -  by @​hi-ogawa in vitest-dev/vitest#9205 (01a9a)
  • String formatting bug when including placeholders in console.log  -  by @​michael-debs and @​hi-ogawa in vitest-dev/vitest#9030 and vitest-dev/vitest#9131 (84a30)
• coverage:
  • Istanbul untested files source maps are off  -  by @​AriPerkkio in vitest-dev/vitest#9208 (372e8)
• experimental:
  • Export setupEnvironment for custom pools  -  by @​AriPerkkio in vitest-dev/vitest#9187 (5d26b)

    View changes on GitHub

v4.0.15

   🚀 Experimental Features

• cache: Add opt-out on a plugin level, fix internal root cache  -  by @​sheremet-va in vitest-dev/vitest#9154 (a68f7)
• reporters: Print import duration breakdown  -  by @​sheremet-va in vitest-dev/vitest#9105 (122ff)

   🐞 Bug Fixes

• Keep built-in id as is in bun and deno  -  by @​sheremet-va in vitest-dev/vitest#9117 (075ab)
• Use optimizeDeps.rolldownOptions to fix depreated warning + fix ssr.external: true  -  by @​hi-ogawa in vitest-dev/vitest#9121 (fd8bd)
• Fix external behavior with deps.optimizer  -  by @​hi-ogawa in vitest-dev/vitest#9125 (4c754)
• Very minor typo in "Chrome DevTools Protocol"  -  by @​HowToTestFrontend in vitest-dev/vitest#9146 (20997)
• browser: Run toMatchScreenshot only once when used with expect.element  -  by @​macarie in vitest-dev/vitest#9132 (0d2e7)
• coverage: Istanbul provider to not break source maps  -  by @​AriPerkkio in vitest-dev/vitest#9040 (e4ca9)
• deps: Update dependency tinyexec to v1  -  in vitest-dev/vitest#9122 (fd786)
• docs: Remove --browser.provider from docs  -  by @​sheremet-va in vitest-dev/vitest#9115 (120b3)
• expect: Preserve currentTestName in extended matchers  -  by @​macarie in vitest-dev/vitest#9106 (e4345)
• pool: Terminate workers on CTRL+c forceful exits  -  by @​AriPerkkio in vitest-dev/vitest#9140 (d57d8)
• reporters: Show project in github reporter  -  by @​sheremet-va in vitest-dev/vitest#9138 (bb65e)
• spy: Do not mock overriden method, if parent was automocked  -  by @​sheremet-va in vitest-dev/vitest#9116 (1a246)
• web-worker: MessagePort objects passed to Worker.postMessage work when clone === "native"  -  by @​whitphx in vitest-dev/vitest#9118 (deee8)

    View changes on GitHub

v4.0.14

   🚀 Experimental Features

• browser: Expose utils.configurePrettyDOM  -  by @​sheremet-va in vitest-dev/vitest#9103 (2cc34)
• runner: Add full names to tasks  -  by @​macarie in vitest-dev/vitest#9087 (821aa)
• ui: Add tabbed failure view for toMatchScreenshot with comparison slider  -  by @​macarie in vitest-dev/vitest#8813 (c37c2)

... (truncated)

Commits

• b46d744 chore: release v4.0.16
• 84a3062 fix(browser): string formatting bug when including placeholders in console.lo...
• f7f6aa8 fix: log deprecated test.poolOptions if it's set (#9226)
• 568513c fix: allow inlining fully dynamic import (#9137)
• 5d26b87 fix(experimental): export setupEnvironment for custom pools (#9187)
• f17eb42 refactor: avoid using isFileServingAllowed from Vite (#9160)
• 78cfbf9 fix: avoid crashing on process.versions stub (#9174)
• da0ade2 fix: fix browser mode default testTimeout back to 15 seconds (#9167)
• eb1abf0 chore: release v4.0.15
• a68f74e feat(cache): add opt-out on a plugin level, fix internal root cache (#9154)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions