chore(deps-dev): bump the npm group across 1 directory with 5 updates

[dependabot]

Bumps the npm group with 5 updates in the /.github/frontend directory:

Package	From	To
@sveltejs/kit	2.58.0	2.60.1
@sveltejs/vite-plugin-svelte	7.0.0	7.1.2
svelte	5.55.5	5.55.9
svelte-check	4.4.6	4.4.8
vite	8.0.10	8.0.13

Updates @sveltejs/kit from 2.58.0 to 2.60.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

@​sveltejs/kit@​2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

@​sveltejs/kit@​2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

@​sveltejs/kit@​2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

• fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

• fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

... (truncated)

Commits

• d020406 Version Packages (#15838)
• 16b07a2 chore: bump svelte and devalue (#15836)
• dadaefc Merge commit from fork
• db8e8ae Version Packages (#15810)
• 2549a44 feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans ...
• d3b5257 fix: skip refreshing queries on full-page reload form submissions (#15803)
• ea0b9a7 fix: abort navigation after async rendering if obsolete (#15811)
• a45e720 feat: warn on unread validation issues (#15653)
• 9cfa07d Version Packages (#15795)
• e547ec1 fix: resolve user files with drive letter on Windows (#15793)
• Additional commits viewable in compare view

Updates @sveltejs/vite-plugin-svelte from 7.0.0 to 7.1.2

Release notes

Sourced from @​sveltejs/vite-plugin-svelte's releases.

@​sveltejs/vite-plugin-svelte@​7.1.2

Patch Changes

• fix: correctly resolve compiled CSS on the server for dependencies with Svelte files (#1342)

@​sveltejs/vite-plugin-svelte@​7.1.1

Patch Changes

• fix: pass typescript.onlyRemoveTypeImports to transformWithOxc in vitePreprocess so that value imports are not dropped when they are only referenced in Svelte template markup (#1326)

• fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#1336)

@​sveltejs/vite-plugin-svelte@​7.1.0

Minor Changes

• feat: enable optimizer for server environments during dev (#1328)

Changelog

Sourced from @​sveltejs/vite-plugin-svelte's changelog.

7.1.2

Patch Changes

• fix: correctly resolve compiled CSS on the server for dependencies with Svelte files (#1342)

7.1.1

Patch Changes

• fix: pass typescript.onlyRemoveTypeImports to transformWithOxc in vitePreprocess so that value imports are not dropped when they are only referenced in Svelte template markup (#1326)

• fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#1336)

7.1.0

Minor Changes

• feat: enable optimizer for server environments during dev (#1328)

Commits

• 471f822 Version Packages (#1344)
• 1a9bc08 fix: always retrieve CSS using component filename first (#1342)
• 508d91b Version Packages (#1339)
• 990e58c fix: correctly resolve Svelte CSS on the server during development (#1336)
• d5458a9 fix: restore value imports stripped by oxc in script preprocessing (#1326)
• 1c85126 Version Packages (#1331)
• 1a4d225 feat: enable optimizer for server environments during dev (#1328)
• d91be5f fix: use correct pnpm catalog syntax
• 4d3afb4 chore: fix audit CI (#1327)
• 8b3687b use modern JSDoc imports (#1309)
• See full diff in compare view

Updates svelte from 5.55.5 to 5.55.9

Release notes

Sourced from svelte's releases.

svelte@5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

svelte@5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

... (truncated)

Commits

• b65a3f3 Version Packages (#18240)
• ef319ed chore: bump acorn-typescript/esrap (#18248)
• d654db8 fix: avoid false-positive batch invariant error (#18246)
• 000c594 fix: {#await await ...} and async dependencies fixes (#18243)
• a5df661 fix: avoid unnecessary stringify in server attributes (#18232)
• f9440dc Version Packages (#18239)
• ca3f35b fix(print): handle svelte:body and fix keyframe percentage double-printing (#...
• 2bc3592 fix: use named symbols everywhere (#18238)
• dc1f037 fix: don't run teardown effects when deriveds are unfreezed (#18227)
• 1e899cb fix: execute uninitialized derived even if it's destroyed (#18228)
• Additional commits viewable in compare view

Updates svelte-check from 4.4.6 to 4.4.8

Release notes

Sourced from svelte-check's releases.

svelte-check@4.4.8

Patch Changes

• feat: typescript 6.0 support (#2985)

svelte-check@4.4.7

Patch Changes

• fix: flush stdout/stderr before exit (#3014)

• fix: report diagnostics in tsconfig.json (#3005)

Commits

• 0070c6f Version Packages (#3015)
• 29e2894 feat: typescript 6.0 support (#2985)
• d99bb34 Version Packages (#2999)
• 35428ae fix: flush stdout/stderr before exit in svelte-check (#3014)
• a553963 fix: report diagnostics in tsconfig.json (#3005)
• 4c306eb fix: prevent incorrect $types imports being injected in update import (#3010)
• 31488f9 fix: properly place svelte-ignore comment in quickfix when \<script module> ...
• 5be821d fix: prevent duplicate diagnostics (#3000)
• 8b103ba fix: hoist self-referenced props interface (#2998)
• See full diff in compare view

Updates vite from 8.0.10 to 8.0.13

Release notes

Sourced from vite's releases.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

8.0.12 (2026-05-11)

Features

• update rolldown to 1.0.0 (#22401) (cf0ff41)

Bug Fixes

• deps: update all non-major dependencies (#22420) (2be6000)
• module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#22369) (f5a22e6)
• refer to rolldownOptions instead of deprecated rollupOptions in messages (#22400) (b675c7b)
• worker: apply build.target to worker bundle (#22404) (3c93fde)
• worker: forward define to worker bundle transform (#22408) (d4838a0)

Miscellaneous Chores

• deps: update dependency eslint-plugin-n to v18 (#22423) (2fe7bd2)
• deps: update rolldown-related dependencies (#22421) (66b9eb3)

8.0.11 (2026-05-07)

Features

• update rolldown to 1.0.0-rc.18 (#22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#22334) (672c962)
• deps: update all non-major dependencies (#22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#22306) (30028f9)
• make separate object instance for each environment (#22276) (7c2aa3b)

... (truncated)

Commits

• a46f11a release: v8.0.13
• d9b18e0 fix(ssr): avoid rewriting labels that collide with imports (#22451)
• 4f0949f feat(bundled-dev): add lazy bundling support (#21406)
• 158e8ae fix(build): copy public directory after building same environment with `write...
• 47071ce feat(optimizer): improve the esbuild plugin converter to pass some properties...
• 8e59c97 fix(css): keep deprecated name/originalFileName in synthetic `assetFileNa...
• a576326 fix: make isBundled per environment (#22257)
• 8c766a6 feat: update rolldown to 1.0.1 (#22444)
• b7edcb7 fix(css): await sass/less/styl worker disposal on teardown (fix #22274) (#22275)
• fcdc87c chore: update changelog (#22413)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codeant-ai]

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​sveltejs/​kit@​2.60.1
	npm/​@​sveltejs/​vite-plugin-svelte@​7.1.2
	npm/​vite@​8.0.13
	npm/​svelte@​5.55.9
	npm/​svelte-check@​4.4.8

View full report