build(deps): bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
@sveltejs/adapter-vercel	5.10.2	6.3.2
@sveltejs/kit	2.43.2	2.60.1
svelte	5.33.17	5.55.7
vite	6.3.6	6.4.2
minimatch	3.1.2	10.2.5
flatted	3.3.3	3.4.2
js-yaml	4.1.0	4.1.1
picomatch	2.3.1	4.0.4
rollup	4.42.0	4.60.4
tar	7.4.3	7.5.15

Updates @sveltejs/adapter-vercel from 5.10.2 to 6.3.2

Release notes

Sourced from @​sveltejs/adapter-vercel's releases.

@​sveltejs/adapter-vercel@​6.3.2

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

@​sveltejs/adapter-vercel@​6.3.1

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#15098)

• fix: prevent isr routes from handling remote function calls (#15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

@​sveltejs/adapter-vercel@​6.3.0

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

@​sveltejs/adapter-vercel@​6.2.0

Minor Changes

• feat: Node 24 support (#14982)

@​sveltejs/adapter-vercel@​6.1.2

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

@​sveltejs/adapter-vercel@​6.1.1

Patch Changes

• chore: improve runtime config parsing (#14838)

• Updated dependencies [cd72d94, 53b1b73, 2ccc638]:

  • @​sveltejs/kit@​2.48.3

... (truncated)

Changelog

Sourced from @​sveltejs/adapter-vercel's changelog.

6.3.2

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

6.3.1

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#15098)

• fix: prevent isr routes from handling remote function calls (#15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

6.3.0

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

6.2.0

Minor Changes

• feat: Node 24 support (#14982)

6.1.2

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

6.1.1

Patch Changes

... (truncated)

Commits

• 9c4a737 Version Packages (#15338)
• c67da8a Merge commit from fork
• 3b2ea1b Version Packages (#15186)
• 3fdb3ad fix: prevent isr routes from handling remote function calls (#15085) (#15098)
• 1399bd5 Version Packages (#15091)
• 0da365a chore(deps): update vitest monorepo to v4 (major) (#14789)
• 0280f4b feat: expose waitUntil also for serverless runtime & add docs (#14725)
• 79bb212 chore: Use formatter for robustness (#15006)
• 9fda2fc Version Packages (#14985)
• e295db5 feat: Add Node 24 support to Vercel adapter (#14982)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​sveltejs/adapter-vercel since your current version.

Updates @sveltejs/kit from 2.43.2 to 2.60.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

@​sveltejs/kit@​2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

@​sveltejs/kit@​2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

@​sveltejs/kit@​2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

• fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

• fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

... (truncated)

Commits

• d020406 Version Packages (#15838)
• 16b07a2 chore: bump svelte and devalue (#15836)
• dadaefc Merge commit from fork
• db8e8ae Version Packages (#15810)
• 2549a44 feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans ...
• d3b5257 fix: skip refreshing queries on full-page reload form submissions (#15803)
• ea0b9a7 fix: abort navigation after async rendering if obsolete (#15811)
• a45e720 feat: warn on unread validation issues (#15653)
• 9cfa07d Version Packages (#15795)
• e547ec1 fix: resolve user files with drive letter on Windows (#15793)
• Additional commits viewable in compare view

Updates svelte from 5.33.17 to 5.55.7

Release notes

Sourced from svelte's releases.

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

• fix: resolve stale deriveds with latest value (#18167)

• chore: remove unnecessary increment_pending calls (#18183)

• fix: correctly compile component member expressions for SSR (#18192)

• fix: reset source.updated stack traces after flush (#18196)

• fix: replacing async 'blocking' strategy with 'merging' (#18205)

• fix: allow @debug tags to reference awaited variables (#18138)

• fix: re-run fallback props if dependencies update (#18146)

• fix: abort running obsolete async branches (#18118)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

• fix: resolve stale deriveds with latest value (#18167)

• chore: remove unnecessary increment_pending calls (#18183)

• fix: correctly compile component member expressions for SSR (#18192)

• fix: reset source.updated stack traces after flush (#18196)

• fix: replacing async 'blocking' strategy with 'merging' (#18205)

• fix: allow @debug tags to reference awaited variables (#18138)

• fix: re-run fallback props if dependencies update (#18146)

... (truncated)

Commits

• 4d8f99a Version Packages (#18220)
• 0552308 chore: bump devalue (#18219)
• e1cbbd9 Merge commit from fork
• a16ebc6 Merge commit from fork
• d2375e2 Merge commit from fork
• 547853e Merge commit from fork
• 55f9c85 Version Packages (#18158)
• a10e8e4 fix: keep dependencies of $state.eager/pending (alternative approach) (#1...
• ef4b97d fix: duplicated "of" in events.js comment (#18217)
• 5122936 fix: treat batches as a linked list (#18205)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for svelte since your current version.

Updates vite from 6.3.6 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

• feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• See full diff in compare view

Updates minimatch from 3.1.2 to 10.2.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• 693c823 10.2.5
• 7953af1 do not allow .. to consume drive letter on Windows
• 1caf918 lint and format
• 7783ed6 ignore docs
• 6d9b356 update deps etc
• c36addb 10.2.4
• 26b9002 docs: add warning about ReDoS
• 3a0d83b fix partial matching of globstar patterns
• ea94840 10.2.3
• 0873fba update deps
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates devalue from 5.3.2 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

... (truncated)

Commits

• 796ea83 Version Packages (#152)
• 206ca67 Merge commit from fork
• 14933f7 Version Packages (#151)
• c5115b0 feat: stringifyAsync (#150)
• 67dad45 docs: update README to reflect serialization stability non-goal (#147)
• 6eb920a Version Packages (#146)
• 8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
• 2eee2e4 Version Packages (#144)
• 498656e DataView support (#143)
• 5590634 Improve platform types support (#142)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for devalue since your current version.

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates glob from 10.4.5 to 13.0.6

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• e80cb38 13.0.6
• 9cdbbff revert tsgo, not ready for test coverage correctness yet
• 89c99ba use tsgo compiler
• b7275d5 update deps, expand engines to include node 18
• 942e360 update workflows, pull taprc out of package.json
• 4a0d53c update tap for mockImport bugfix
• ef94ad2 update tap
• 180c2d4 update docs
• 37993c8 remove stray console.error in test
• 03ae4c2 13.0.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates picomatch from 2.3.1 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates rollup from 4.42.0 to 4.60.4

Release notes

Sourced from rollup's releases.

v4.60.4

4.60.4

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#6362)

Pull Requests

• #6362: fix: stabilize chunk assignment across parallel file reads (@​sonukapoor, @​Sonu Kapoor, @​TrickyPi, @​lukastaegert)
• #6370: fix(deps): update minor/patch updates (@​renovate[bot])
• #6371: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6372: chore(deps): update react monorepo to v19 (major) (@​renovate[bot])
• #6373: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6375: Resolve vulnerabilities (@​lukastaegert)

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
flaggle	Ready	Preview, Comment	May 14, 2026 11:41pm