Skip to content

Bump the npm_and_yarn group across 2 directories with 5 updates#7

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/examples/svelte-app/npm_and_yarn-20f321c229
Open

Bump the npm_and_yarn group across 2 directories with 5 updates#7
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/examples/svelte-app/npm_and_yarn-20f321c229

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Feb 20, 2026

Bumps the npm_and_yarn group with 2 updates in the /examples/svelte-app directory: @sveltejs/kit and svelte.
Bumps the npm_and_yarn group with 3 updates in the /site directory: devalue, diff and h3.

Updates @sveltejs/kit from 2.49.2 to 2.52.2

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.52.2

Patch Changes

  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#15339)

  • fix: parse file offset table more strictly (f47c01b)

@​sveltejs/kit@​2.52.0

Minor Changes

  • feat: match function to map a path back to a route id and params (#14997)

Patch Changes

  • fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

  • fix: resolve will narrow types to follow trailing slash page settings (#15027)

@​sveltejs/kit@​2.51.0

Minor Changes

  • feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

    Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

    • from.scroll: The scroll position at the moment navigation was triggered
    • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

    This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

  • feat: hydratable's injected script now works with CSP (#15048)

Patch Changes

  • fix: put preloads before styles (#15232)

  • fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)

  • fix: fetch not working when URL is same host but different than paths.base (#15291)

  • fix: navigate to hash link when base element is present (#15236)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.52.2

Patch Changes

  • fix: validate form file information to prevent amplification attacks (3e607b3)

  • chore: upgrade devalue and svelte (#15339)

  • fix: parse file offset table more strictly (f47c01b)

2.52.1

Patch Changes

  • fix: clear stale preflight issues on subsequent valid form submissions (#15281)

  • chore: remove dependency on sade (#15272)

  • fix: include .txt files in precompression (#15259)

  • fix: escape backticks and dollar signs when creating inlined css (#15320)

  • fix: increment form.pending count before preflight validation (#15279)

2.52.0

Minor Changes

  • feat: match function to map a path back to a route id and params (#14997)

Patch Changes

  • fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

  • fix: resolve will narrow types to follow trailing slash page settings (#15027)

2.51.0

Minor Changes

  • feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

... (truncated)

Commits

Updates svelte from 4.2.20 to 5.53.0

Release notes

Sourced from svelte's releases.

svelte@5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

svelte@5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)

svelte@5.51.5

Patch Changes

svelte@5.51.4

Patch Changes

  • chore: proactively defer effects in pending boundary (#17734)

  • fix: detect and error on non-idempotent each block keys in dev mode (#17732)

svelte@5.51.3

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)

5.51.5

Patch Changes

5.51.4

Patch Changes

  • chore: proactively defer effects in pending boundary (#17734)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.


Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Commits

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Commits

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)
Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

🤖 CI

❤️ Contributors

Commits
  • 24231b9 chore(release): v1.15.5
  • bd92b74 chore: fix more ts/lint issues
  • d18c074 chore: update deps
  • c9ebf80 chore: fix ts issue
  • 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
  • 401c9b8 ci: fix publish tag
  • 589625c chore: update publish tag to 1.x
  • b4dce71 chore: update ci
  • 0a4a115 chore: add test:types script
  • c934599 chore: update ci
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 2 directories with 5 updates
1ff17ed 
Bumps the npm_and_yarn group with 2 updates in the /examples/svelte-app directory: [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) and [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte).
Bumps the npm_and_yarn group with 3 updates in the /site directory: [devalue](https://github.com/sveltejs/devalue), [diff](https://github.com/kpdecker/jsdiff) and [h3](https://github.com/h3js/h3).


Updates `@sveltejs/kit` from 2.49.2 to 2.52.2
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.52.2/packages/kit)

Updates `svelte` from 4.2.20 to 5.53.0
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.0/packages/svelte)

Updates `devalue` from 5.6.1 to 5.6.3
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.1...v5.6.3)

Updates `devalue` from 5.6.1 to 5.6.3
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.1...v5.6.3)

Updates `diff` from 5.2.0 to 5.2.2
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v5.2.0...v5.2.2)

Updates `h3` from 1.15.4 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

---
updated-dependencies:
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.52.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: svelte
  dependency-version: 5.53.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: devalue
  dependency-version: 5.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 5.2.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 20, 2026
@dependabot dependabot Bot mentioned this pull request Feb 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants