Follow-up from PR #373 and security direct-dependency bump work.
This migration is required to clear deferred advisories that are blocked on the current Svelte 4 toolchain:
Context: PR #373 intentionally stayed on Vite 5.4.21 because Vite 6 requires Svelte 5-compatible plugin/toolchain changes. The Svelte SSR code audit in that PR found no currently exploitable patterns in src/, but migration remains required to fully close these advisories.
Scope for this issue:
- plan and execute Svelte 4 -> 5 migration
- upgrade Vite/tooling to the patched line compatible with Svelte 5
- close the deferred advisories above
Follow-up from PR #373 and security direct-dependency bump work.
This migration is required to clear deferred advisories that are blocked on the current Svelte 4 toolchain:
Context: PR #373 intentionally stayed on Vite 5.4.21 because Vite 6 requires Svelte 5-compatible plugin/toolchain changes. The Svelte SSR code audit in that PR found no currently exploitable patterns in
src/, but migration remains required to fully close these advisories.Scope for this issue: