fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@eslint/js (source)	^9.33.0 -> ^9.34.0
@sveltejs/kit (source)	^2.31.1 -> ^2.37.0
@sveltejs/package (source)	^2.4.1 -> ^2.5.0
@sveltejs/vite-plugin-svelte-inspector (source)	^5.0.0 -> ^5.0.1
@tsconfig/svelte (source)	^5.0.4 -> ^5.0.5
@types/node (source)	^22.17.2 -> ^22.18.0
decamelize	^6.0.0 -> ^6.0.1
eslint (source)	^9.33.0 -> ^9.34.0
magic-string	^0.30.17 -> ^0.30.18
playwright-core (source)	~1.54.2 -> ~1.55.0
pnpm (source)	10.14.0 -> 10.15.1
sass	^1.90.0 -> ^1.91.0
svelte (source)	^5.38.2 -> ^5.38.6
typescript-eslint (source)	^8.39.1 -> ^8.41.0
vite (source)	^7.1.2 -> ^7.1.4

---

Release Notes

eslint/eslint (@​eslint/js)

v9.34.0

Compare Source

sveltejs/kit (@​sveltejs/kit)

v2.37.0

Compare Source

Minor Changes

• feat: automatically resolve query.refresh() promises on the server (#​14332)

• feat: allow query.set() to be called on the server (#​14304)

Patch Changes

• fix: disable CSRF checks in dev (#​14335)

• fix: allow redirects to external URLs from within form functions (#​14329)

• fix: add type definitions for query.set() method to override the value of a remote query function (#​14303)

• fix: ensure uniqueness of form.for(...) across form functions (#​14327)

v2.36.3

Compare Source

Patch Changes

• fix: bump devalue (#​14323)

• chore: consolidate dev checks to use esm-env instead of a __SVELTEKIT_DEV__ global (#​14308)

• fix: reset form inputs by default when using remote form functions (#​14322)

v2.36.2

Compare Source

Patch Changes

• chore: make config deprecation warnings more visible (#​14281)

• chore: remove redundant Not Found error message (#​14289)

• chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] (#​14281)

v2.36.1

Compare Source

Patch Changes

• fix: ensure importing from $app/navigation works in test files (#​14195)

v2.36.0

Compare Source

Minor Changes

• feat: add csrf.trustedOrigins configuration (#​14021)

Patch Changes

• fix: correctly decode custom types streamed from a server load function (#​14261)

• fix: add trailing slash pathname when generating typed routes (#​14065)

v2.35.0

Compare Source

Minor Changes

• feat: better server-side error logging (#​13990)

Patch Changes

• fix: ensure static error page is loaded correctly for custom user errors (#​13952)

v2.34.1

Compare Source

Patch Changes

• fix: support multiple cookies with the same name across different paths and domains (b2c5d02)

• fix: add link header when preloading font (#​14200)

• fix: cookies.get(...) returns undefined for a just-deleted cookie (b2c5d02)

• fix: load env before prerender (c5f7139)

v2.34.0

Compare Source

Minor Changes

• feat: allow dynamic env access during prerender (#​14243)

Patch Changes

• fix: clone fetch responses so that headers are mutable (#​13942)

• fix: serialize server load data before passing to universal load, to handle mutations (#​14268)

• fix: allow asset(...) to be used with imported assets (#​14270)

v2.33.1

Compare Source

Patch Changes

• fix: make paths in .css assets relative (#​14262)

• fix: avoid copying SSR stylesheets to client assets (#​13069)

v2.33.0

Compare Source

Minor Changes

• feat: configure error reporting when routes marked as prerendable were not prerendered (#​11702)

Patch Changes

• fix: use correct flag for server tracing (#​14250)

• fix: correct type names for new handleUnseenRoutes option (#​14254)

• chore: Better docs and error message for missing @opentelemetry/api dependency (#​14250)

v2.32.0

Compare Source

Minor Changes

• feat: inline load fetch response.body stream data as base64 in page (#​11473)

Patch Changes

• fix: better error when .remote.ts files are used without the experimental.remoteFunctions flag (#​14225)

sveltejs/kit (@​sveltejs/package)

v2.5.0

Compare Source

Minor Changes

• feat: add --preserve-output flag to prevent deletion of the output directory before packaging (#​13055)

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte-inspector)

v5.0.1

Compare Source

Patch Changes

• docs: update usage instructions in readme and link to docs (#​1197)

tsconfig/bases (@​tsconfig/svelte)

v5.0.5

Compare Source

sindresorhus/decamelize (decamelize)

v6.0.1

Compare Source

• Fix performance issues in some extreme edge-cases e9e3041

---

eslint/eslint (eslint)

v9.34.0

Compare Source

rich-harris/magic-string (magic-string)

v0.30.18

Compare Source

Bug Fixes

• prevent infinite loop on empty input (#​302) (0fd6253)

microsoft/playwright (playwright-core)

v1.55.0

Compare Source

pnpm/pnpm (pnpm)

v10.15.1

Compare Source

Patch Changes

• Fix .pnp.cjs crash when importing subpath #​9904.
• When resolving peer dependencies, pnpm looks whether the peer dependency is present in the root workspace project's dependencies. This change makes it so that the peer dependency is correctly resolved even from aliased npm-hosted dependencies or other types of dependencies #​9913.

v10.15.0

Compare Source

Minor Changes

• Added the cleanupUnusedCatalogs configuration. When set to true, pnpm will remove unused catalog entries during installation #​9793.
• Automatically load pnpmfiles from config dependencies that are named @*/pnpm-plugin-* #​9780.
• pnpm config get now prints an INI string for an object value #​9797.
• pnpm config get now accepts property paths (e.g. pnpm config get catalog.react, pnpm config get .catalog.react, pnpm config get 'packageExtensions["@​babel/parser"].peerDependencies["@​babel/types"]'), and pnpm config set now accepts dot-leading or subscripted keys (e.g. pnpm config set .ignoreScripts true).
• pnpm config get --json now prints a JSON serialization of config value, and pnpm config set --json now parses the input value as JSON.

Patch Changes

• Semi-breaking. When automatically installing missing peer dependencies, prefer versions that are already present in the direct dependencies of the root workspace package #​9835.
• When executing the pnpm create command, must verify whether the node version is supported even if a cache already exists #​9775.
• When making requests for the non-abbreviated packument, add */* to the Accept header to avoid getting a 406 error on AWS CodeArtifact #​9862.
• The standalone exe version of pnpm works with glibc 2.26 again #​9734.
• Fix a regression in which pnpm dlx pkg --help doesn't pass --help to pkg #​9823.

sass/dart-sass (sass)

v1.91.0

Compare Source

• Potentially breaking change: meta.inspect() (as well as other systems
  that use it such as @debug and certain error messages) now emits numbers
  with as high precision as is available instead of rounding to the nearest
  1e⁻¹⁰ as we do when serializing to CSS. This better fits the purpose of
  meta.inspect(), which is to provide full information about the structure of
  a Sass value.

• Passing a rest argument ($arg...) before a positional or named argument when
  calling a function or mixin is now deprecated. This was always outside the
  specified syntax, but it was historically treated the same as passing the rest
  argument at the end of the argument list whether or not that matched the
  visual order of the arguments.

sveltejs/svelte (svelte)

v5.38.6

Compare Source

Patch Changes

• fix: don't fail on flushSync while flushing effects (#​16674)

v5.38.5

Compare Source

Patch Changes

• fix: ensure async deriveds always get dependencies from thennable (#​16672)

v5.38.3

Compare Source

Patch Changes

• fix: ensure correct order of template effect values (#​16655)

• fix: allow async {@​const} in more places (#​16643)

• fix: properly catch top level await errors (#​16619)

• perf: prune effects without dependencies (#​16625)

• fix: only emit for_await_track_reactivity_loss in async mode (#​16644)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.41.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v8.40.0

Compare Source

🩹 Fixes

• typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#​11475)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v7.1.4

Compare Source

Bug Fixes

• add missing awaits (#​20697) (79d10ed)
• deps: update all non-major dependencies (#​20676) (5a274b2)
• deps: update all non-major dependencies (#​20709) (0401feb)
• pass rollup watch options when building in watch mode (#​20674) (f367453)

Miscellaneous Chores

• remove unused constants entry from rolldown.config.ts (#​20710) (537fcf9)

Code Refactoring

• remove unnecessary minify parameter from finalizeCss (#​20701) (8099582)

v7.1.3

Compare Source

Features

• cli: add Node.js version warning for unsupported versions (#​20638) (a1be1bf)
• generate code frame for parse errors thrown by terser (#​20642) (a9ba017)
• support long lines in generateCodeFrame (#​20640) (1559577)

Bug Fixes

• deps: update all non-major dependencies (#​20634) (4851cab)
• optimizer: incorrect incompatible error (#​20439) (446fe83)
• support multiline new URL(..., import.meta.url) expressions (#​20644) (9ccf142)

Performance Improvements

• cli: dynamically import resolveConfig (#​20646) (f691f57)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20633) (98b92e8)

Code Refactoring

• replace startsWith with strict equality (#​20603) (42816de)
• use import in worker threads (#​20641) (530687a)

Tests

• remove checkNodeVersion test (#​20647) (731d3e6)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.