build(deps): bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@sveltejs/kit	2.5.2	2.53.3
svelte	4.2.12	5.53.5
vite	5.1.4	5.4.21
braces	3.0.2	3.0.3
js-yaml	3.14.1	3.14.2

Updates @sveltejs/kit from 2.5.2 to 2.53.3

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

@​sveltejs/kit@​2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

• fix: allow commands in more places (#15288)

@​sveltejs/kit@​2.53.1

Patch Changes

• fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

@​sveltejs/kit@​2.53.0

Minor Changes

• feat: support Vite 8 (#15024)

Patch Changes

• fix: remove event listeners on form attachment cleanup (#15286)

• fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

@​sveltejs/kit@​2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

• fix: allow commands in more places (#15288)

2.53.1

Patch Changes

• fix: address warning about inlineDynamicImports when using Vite 8 (#15403)

2.53.0

Minor Changes

• feat: support Vite 8 (#15024)

Patch Changes

• fix: remove event listeners on form attachment cleanup (#15286)

• fix: apply queries refreshed in a form remote function when a redirect is thrown (#15362)

2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

... (truncated)

Commits

• 66d88c9 Version Packages (#15440)
• faba869 Merge commit from fork
• 708fc4b chore(deps): bump rollup to 4.59.0 (#15433)
• 98496fa Version Packages (#15416)
• 8c5048b fix: provide correct url info to remote functions (#15418)
• ce4b57c fix: allow commands in more places (#15288)
• 7277edb chore: fix CI lint (#15417)
• 64f484f fix: deep partial .value() and .set(...) types for forms (#14837)
• d28d372 fix: allow optional types for remote query/command/prerender functions (#15293)
• 244838c fix: server-render nested form value sets (#15378)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/kit since your current version.

Updates svelte from 4.2.12 to 5.53.5

Release notes

Sourced from svelte's releases.

[email protected]

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

[email protected]

Patch Changes

• fix: set server context after async transformError (#17799)

• fix: hydrate if blocks correctly (#17784)

• fix: handle default parameters scope leaks (#17788)

• fix: prevent flushed effects from running again (#17787)

[email protected]

Patch Changes

• fix: render :catch of #await block with correct key (#17769)

• chore: pin [email protected] (#17772)

• fix: make string coercion consistent to toString (#17774)

[email protected]

Patch Changes

• fix: update expressions on server deriveds (#17767)

• fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

[email protected]

Patch Changes

• fix: handle shadowed function names correctly (#17753)

[email protected]

Minor Changes

• feat: allow comments in tags (#17671)

• feat: allow error boundaries to work on the server (#17672)

Patch Changes

• fix: use TrustedHTML to test for customizable support, where necessary (#17743)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.5

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

5.53.4

Patch Changes

• fix: set server context after async transformError (#17799)

• fix: hydrate if blocks correctly (#17784)

• fix: handle default parameters scope leaks (#17788)

• fix: prevent flushed effects from running again (#17787)

5.53.3

Patch Changes

• fix: render :catch of #await block with correct key (#17769)

• chore: pin [email protected] (#17772)

• fix: make string coercion consistent to toString (#17774)

5.53.2

Patch Changes

• fix: update expressions on server deriveds (#17767)

• fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

5.53.1

Patch Changes

• fix: handle shadowed function names correctly (#17753)

5.53.0

Minor Changes

• feat: allow comments in tags (#17671)

... (truncated)

Commits

• ed14b49 Version Packages (#17802)
• 0df5abc Merge commit from fork
• 0298e97 Merge commit from fork
• 96fd3ce Version Packages (#17786)
• 1b3e660 fix: prevent flushed effects from running again (#17787)
• 673a1ab fix: set server context after async transformError (#17799)
• 3a28979 fix: handle default parameters scope leaks (#17788)
• fcdc028 fix: hydrate if blocks correctly (#17784)
• 97f3ac5 Version Packages (#17775)
• 7deedc5 fix: render :catch of #await block with correct key (#17769)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.

Updates vite from 5.1.4 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port [email protected] changes to [email protected] (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates devalue from 4.3.2 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates esbuild from 0.19.12 to 0.21.5

Release notes

Sourced from esbuild's releases.

v0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Commits

• fc37c2f publish 0.21.5 to npm
• cb11924 fix Symbol.metadata errors in decorator tests
• b93a2a9 fix #3781: add metadata to all decorated classes
• 953dae9 fix #3797: import attributes and glob-style import
• 98cb2ed fix #3782: support ${configDir} in tsconfig.json
• 8e6603b run make update-compat-table
• db1b8ca fix #3792: import attributes and the copy loader
• de572d0 fix non-deterministic import attribute plugin test
• ae8d1b4 fix #3794: --supported:object-accessors=false
• 67cbf87 publish 0.21.4 to npm
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates rollup from 4.12.0 to 4.59.1

Release notes

Sourced from rollup's releases.

v4.59.1

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• #6300: docs: update packagephobia link (@​bluwy)
• #6301: chore(deps): update dependency lint-staged to ^16.3.3 (@​renovate[bot])
• #6306: fix: fix chunk assignment for deoptimized module with dynamic import (@​JoaoBrlt, @​lukastaegert)
• #6307: chore(deps): update minor/patch updates (@​renovate[bot])
• #6308: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6309: chore(deps): update dependency vite to v8 (@​renovate[bot])
• #6310: chore(deps): lock file maintenance (@​renovate[bot])
• #6311: chore(deps): lock file maintenance (@​renovate[bot])
• #6312: chore(deps): lock file maintenance (@​renovate[bot])

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• #6300: docs: update packagephobia link (@​bluwy)
• #6301: chore(deps): update dependency lint-staged to ^16.3.3 (@​renovate[bot])
• #6306: fix: fix chunk assignment for deoptimized module with dynamic import (@​JoaoBrlt, @​lukastaegert)
• #6307: chore(deps): update minor/patch updates (@​renovate[bot])
• #6308: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6309: chore(deps): update dependency vite to v8 (@​renovate[bot])
• #6310: chore(deps): lock file maintenance (@​renovate[bot])
• #6311: chore(deps): lock file maintenance (@​renovate[bot])
• #6312: chore(deps): lock file maintenance (@​renovate[bot])

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

... (truncated)

Commits

• 0cba9e0 4.59.1
• 4eeea29 Pin Vite
• 1cd49ae fix: fix chunk assignment for deoptimized module with dynamic import (#6306)
• c9dabc3 Downgrade Vite
• d46200f chore(deps): update dependency vite to v8 (#6309)
• aa6c853 chore(deps): update dependency lru-cache to v11 (#6308)
• 4208811 chore(deps): lock file maintenance (#6312)
• 5348a82 chore(deps): lock file maintenance (#6311)
• c942b8d chore(deps): update minor/patch updates (#6307)
• bf9d35c chore(deps): lock file maintenance (#6310)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependa...

Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
konf-infopanel-2024	Ready	Preview, Comment	Mar 22, 2026 4:13am