chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	^2.57.1 → ^2.58.0
@tailwindcss/vite (source)	^4.2.2 → ^4.2.4
@turf/turf	^7.3.4 → ^7.3.5
@vitest/coverage-v8 (source)	^4.1.4 → ^4.1.5
@vitest/ui (source)	^4.1.4 → ^4.1.5
dompurify	^3.4.0 → ^3.4.1
eslint-plugin-svelte (source)	^3.17.0 → ^3.17.1
fast-xml-parser	^5.7.0 → ^5.7.1
lucide-static (source)	^1.8.0 → ^1.9.0
prettier-plugin-tailwindcss	^0.7.2 → ^0.7.3
svelte (source)	^5.55.4 → ^5.55.5
tailwindcss (source)	^4.2.2 → ^4.2.4
typescript-eslint (source)	^8.58.2 → ^8.59.0
vite (source)	^8.0.8 → ^8.0.10
vitest (source)	^4.1.4 → ^4.1.5

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.58.0

Compare Source

Minor Changes

• breaking: require limit in requested (as originally intended) (#​15739)

• feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#​15739)

• breaking: requested now yields { arg, query } entries instead of the validated argument (#​15739)

Patch Changes

• fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#​15699)

• fix: prevent deep_set crash on nullish nested values (#​15600)

• fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#​15723)

• fix: don't warn about removed SSI comments in transformPageChunk (#​15695)

  Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

• Change enhance function return type from void to MaybePromise. (#​15710)

• fix: throw an error when resolve is called with an external URL (#​15733)

• fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#​15718)

• fix: reset form result on redirect (#​15724)

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

Turfjs/turf (@​turf/turf)

v7.3.5

Compare Source

What's Changed

Main goal of this release was to revert a build breaking performance improvement introduced in v7.3.2 that was affecting CommonJS environments.

• Reverted performance related improvement to clusters-dbscan that broke builds by @​smallsaucepan in #​3049

Other bug fixes and new functionality:

• Add @​turf/directional-mean to @​turf/turf by @​mfedderly in #​3002
• Mark old nearest-point-on-line properties as deprecated by @​EmilJunker in #​3005

Housekeeping and behind the scenes changes:

• Introduced tstyche for type checking and to guard against unintentional API changes by @​smallsaucepan in #​3020
• Remove unused scripts by @​mfedderly in #​3036
• Update generate-readme script by @​mfedderly in #​3037

Full Changelog: Turfjs/turf@v7.3.4...v7.3.5

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

cure53/DOMPurify (dompurify)

v3.4.1: DOMPurify 3.4.1

Compare Source

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

sveltejs/eslint-plugin-svelte (eslint-plugin-svelte)

v3.17.1

Compare Source

Patch Changes

• #​1321 97d89f7 Thanks @​marekdedic! - feat(no-navigation-without-resolve): added support for ResolvedPathname types

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.7.1: upgrade @​nodable/entities and FXB

Compare Source

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

lucide-icons/lucide (lucide-static)

v1.9.0: Version 1.9.0

Compare Source

What's Changed

• fix(packages/angular): allow string inputs for size by @​swastik7805 in #​4253
• fix(gh-icon): update colors for ColoredPath component by @​jguddas in #​4233
• feat(packages): use .mjs for ESM bundles by @​karsa-mistmere in #​4285
• fix(build-font): add collision detection to font codepoints by @​karsa-mistmere in #​4300
• feat(icons): added timeline icon by @​jguddas in #​4270

New Contributors

• @​swastik7805 made their first contribution in #​4253

Full Changelog: lucide-icons/lucide@1.8.0...1.9.0

tailwindlabs/prettier-plugin-tailwindcss (prettier-plugin-tailwindcss)

v0.7.3

Compare Source

Changed

• Remove top-level await (#​420)
• Improve load-time performance (#​420)

Fixed

• Collapse whitespace in template literals with adjacent quasis (#​427)

sveltejs/svelte (svelte)

v5.55.5

Compare Source

Patch Changes

• fix: don't mark deriveds while an effect is updating (#​18124)

• fix: do not dispatch introstart event with animation of animate directive (#​18122)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.10

Compare Source

Features

• update rolldown to 1.0.0-rc.17 (#​22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#​22278) (9437518)
• typecheck client directory (#​22284) (40a0847)

v8.0.9

Compare Source

Features

• update rolldown to 1.0.0-rc.16 (#​22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#​22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#​22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#​22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#​22039) (374bb5d)
• deps: update all non-major dependencies (#​22219) (4cd0d67)
• deps: update all non-major dependencies (#​22268) (c28e9c1)
• detect Deno workspace root (fix #​22237) (#​22238) (1b793c0)
• dev: handle errors in watchChange hook (#​22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#​22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#​22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#​22231) (44c42b9)
• fix reuses wording in dev environment comment (#​22173) (9163412)
• fix wording in sass error comment (#​22214) (bc5c6a7)
• update build CLI defaults (#​22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#​22271) (0a3887d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.