Bump the runtime-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the runtime-dependencies group with 5 updates in the / directory:

Package	From	To
@anthropic-ai/sdk	0.91.1	0.96.0
@inquirer/prompts	8.4.2	8.4.3
svelte	5.55.5	5.55.8
hono	4.12.15	4.12.19
openapi-fetch	0.13.8	0.17.0

Updates @anthropic-ai/sdk from 0.91.1 to 0.96.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.96.0

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

• zod: ensure only zod/v4 types are used (#992) (9e08bcc)

Chores

• api: spec updates (27d64ef)

sdk: v0.95.2

0.95.2 (2026-05-11)

Full Changelog: sdk-v0.95.1...sdk-v0.95.2

sdk: v0.95.1

0.95.1 (2026-05-07)

Full Changelog: sdk-v0.95.0...sdk-v0.95.1

Chores

• redact api-key headers in debug logs (fad8fee)

sdk: v0.95.0

0.95.0 (2026-05-06)

Full Changelog: sdk-v0.94.0...sdk-v0.95.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (e0c0e9b)

Bug Fixes

• api: Adjust webhook configuration (deed3f6)

sdk: v0.94.0

0.94.0 (2026-05-05)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.96.0 (2026-05-13)

Full Changelog: sdk-v0.95.2...sdk-v0.96.0

Features

• api: Add BetaManagedAgentsSearchResultBlock types (08f02f3)
• api: Add support for cache diagnostics beta (eafbd6d)

Bug Fixes

• zod: ensure only zod/v4 types are used (#992) (9e08bcc)

Chores

• api: spec updates (27d64ef)

0.95.2 (2026-05-11)

Full Changelog: sdk-v0.95.1...sdk-v0.95.2

0.95.1 (2026-05-07)

Full Changelog: sdk-v0.95.0...sdk-v0.95.1

Chores

• redact api-key headers in debug logs (fad8fee)

0.95.0 (2026-05-06)

Full Changelog: sdk-v0.94.0...sdk-v0.95.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (e0c0e9b)

Bug Fixes

• api: Adjust webhook configuration (deed3f6)

0.94.0 (2026-05-05)

Full Changelog: sdk-v0.93.0...sdk-v0.94.0

Features

... (truncated)

Commits

• a53f60d chore: release main
• d1b8d04 feat(api): Add support for cache diagnostics beta
• 8e43bf8 chore(api): spec updates
• 697e4d5 codegen metadata
• cd5801c feat(api): Add BetaManagedAgentsSearchResultBlock types
• dce6bc7 ci: pin GitHub Actions to commit SHAs
• 4eee523 fix(zod): ensure only zod/v4 types are used (#992)
• e3bcdd4 chore: release main
• 08943f1 feat(aws): Add AWS client for Claude Platform on AWS
• 7834ceb ci(release-please): exclude subpackages from root changelog (#991)
• Additional commits viewable in compare view

Updates @inquirer/prompts from 8.4.2 to 8.4.3

Release notes

Sourced from @​inquirer/prompts's releases.

@​inquirer/prompts@​8.4.3

• Fix: Windows rendering bug
• Fix: Preserve exact literal types in choices array (Typescript only)
• Fix: Allow input default value to be of type undefined (Typescript only)
• Bump dependencies

Commits

• 113558c chore: Publish new release
• f0ca377 chore: format everything with nano-staged
• 5341ca1 chore: Bump yarn
• cb7ffda ci: add Node.js 26 to test matrix (#2112)
• 0401a5c fix(@​inquirer/input): allow explicit undefined for default option (#2111)
• 40f87a8 fix: reset cursor to column 0 after prompt completes
• b88c9a2 fix: satisfy eslint-plugin-n v18 rules
• 697684a chore(deps-dev): Bump the linting group across 1 directory with 6 updates
• 105c439 chore(deps-dev): Bump the build group with 3 updates (#2107)
• a020d8a chore(deps-dev): Bump oxfmt in the formatting group (#2106)
• Additional commits viewable in compare view

Updates svelte from 5.55.5 to 5.55.8

Release notes

Sourced from svelte's releases.

svelte@5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

• fix: resolve stale deriveds with latest value (#18167)

• chore: remove unnecessary increment_pending calls (#18183)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

... (truncated)

Commits

• f9440dc Version Packages (#18239)
• ca3f35b fix(print): handle svelte:body and fix keyframe percentage double-printing (#...
• 2bc3592 fix: use named symbols everywhere (#18238)
• dc1f037 fix: don't run teardown effects when deriveds are unfreezed (#18227)
• 1e899cb fix: execute uninitialized derived even if it's destroyed (#18228)
• eb10a70 fix: unset context synchronously in run (#18236)
• 4d8f99a Version Packages (#18220)
• 0552308 chore: bump devalue (#18219)
• e1cbbd9 Merge commit from fork
• a16ebc6 Merge commit from fork
• Additional commits viewable in compare view

Updates hono from 4.12.15 to 4.12.19

Release notes

Sourced from hono's releases.

v4.12.19

What's Changed

• ci: pin GitHub Actions to SHAs by @​yusukebe in honojs/hono#4932
• fix(serveStatic): make options parameter optional in all adapters by @​mixelburg in honojs/hono#4934
• fix(cookie): return the first cookie when there are multiple cookies with the same name by @​usualoma in honojs/hono#4922
• feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @​justinnais in honojs/hono#4913
• feat(cache): key cache entries by configured vary headers by @​usualoma in honojs/hono#4915
• feat(request): add bytes() by @​yusukebe in honojs/hono#4921
• fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @​yusukebe in honojs/hono#4940

New Contributors

• @​justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

... (truncated)

Commits

• 7e62bcd 4.12.19
• e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
• 54f2f0c feat(request): add bytes() (#4921)
• e59db59 feat(cache): key cache entries by configured vary headers (#4915)
• 48a7ccb feat(bearer-auth): make bearerAuth generic for typed context in verifyToken (...
• ff7522f fix(cookie): return the first cookie when there are multiple cookies with the...
• 26f8c33 fix(serveStatic): make options parameter optional in all adapters (#4934)
• 16c4e38 ci: pin GitHub Actions to SHAs (#4932)
• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• Additional commits viewable in compare view

Updates openapi-fetch from 0.13.8 to 0.17.0

Release notes

Sourced from openapi-fetch's releases.

openapi-fetch@0.17.0

Minor Changes

• #2549 a690e52 Thanks @​abumalick! - Add readOnly/writeOnly support via --read-write-markers flag. When enabled, readOnly properties are wrapped with $Read<T> and writeOnly properties with $Write<T>. openapi-fetch uses Readable<T> and Writable<T> helpers to exclude these properties from responses and request bodies respectively.

Patch Changes

• #2572 9350ddf Thanks @​luis-guideti! - Do not treat Content-Length=0 as empty when Transfer-Encoding is chunked

• Updated dependencies [a690e52]:

  • openapi-typescript-helpers@0.1.0

openapi-fetch@0.16.0

Minor Changes

• #2362 9002418 Thanks @​luxass! - Added support for setting a custom path serializers either globally or per request. This allows you to customize how path parameters are serialized in the URL. E.g. you can use a custom serializer to prevent encoding of a path parameter, if you need to pass a value that should not be encoded.

openapi-fetch@0.15.2

Patch Changes

• #2508 89843b0 Thanks @​srbarba! - Use text() when no content-length is provided to avoid errors parsing empty bodies (200 with no content)

openapi-fetch@0.15.0

Minor Changes

• #2465 8f96eb5 Thanks @​Kauabunga! - Enable request level middlewares option

openapi-fetch@0.14.1

Patch Changes

• #2407 7527d1e Thanks @​jthacker! - Fix Request parameter being ignored by client methods

openapi-fetch@0.14.0

Minor Changes

• #2310 e66b5ce Thanks @​drwpow! - Build package with unbuild. Also remove the minified version (openapi-fetch is only useful in a TypeScript/bundler environment, so there’s no sense in loading it from a CDN clientside).

Changelog

Sourced from openapi-fetch's changelog.

0.17.0

Minor Changes

• #2549 a690e52 Thanks @​abumalick! - Add readOnly/writeOnly support via --read-write-markers flag. When enabled, readOnly properties are wrapped with $Read<T> and writeOnly properties with $Write<T>. openapi-fetch uses Readable<T> and Writable<T> helpers to exclude these properties from responses and request bodies respectively.

Patch Changes

• #2572 9350ddf Thanks @​luis-guideti! - Do not treat Content-Length=0 as empty when Transfer-Encoding is chunked

• Updated dependencies [a690e52]:

  • openapi-typescript-helpers@0.1.0

0.16.0

Minor Changes

• #2362 9002418 Thanks @​luxass! - Added support for setting a custom path serializers either globally or per request. This allows you to customize how path parameters are serialized in the URL. E.g. you can use a custom serializer to prevent encoding of a path parameter, if you need to pass a value that should not be encoded.

0.15.2

Patch Changes

• #2508 89843b0 Thanks @​srbarba! - Use text() when no content-length is provided to avoid errors parsing empty bodies (200 with no content)

0.15.1

Patch Changes

• #2556 36c0fb8 Thanks @​justAnArthur! - fix omit serializing for already serialized data

0.15.0

Minor Changes

• #2465 8f96eb5 Thanks @​Kauabunga! - Enable request level middlewares option

0.14.1

Patch Changes

• #2407 7527d1e Thanks @​jthacker! - Fix Request parameter being ignored by client methods

0.14.0

Minor Changes

• #2310 e66b5ce Thanks @​drwpow! - Build package with unbuild. Also remove the minified version (openapi-fetch is only useful in a TypeScript/bundler environment, so there’s no sense in loading it from a CDN clientside).

Commits

• 5709d33 [ci] release (#2611)
• 9350ddf Do not treat Content-Length=0 as empty when Transfer-Encoding is chunked (#2572)
• a690e52 feat(openapi-typescript): add readOnly/writeOnly support via markers (#2549)
• a06e6c3 chore(deps): update dependency superagent to v10.3.0 (#2595)
• 7318f82 [ci] release (#2604)
• 33b83c4 chore(deps): update dependency express to v5.2.1 (#2591)
• 66556d0 chore(deps): update dependency axios to v1.13.5 (#2590)
• 9002418 feat(openapi-fetch): add support for pathSerializer option (#2362)
• ed0c26c feat(openapi-fetch): enable middleware request param module augmentation (#2527)
• 47ba213 ci: fix npm publish permissions (#2601)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for openapi-fetch since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions