chore(deps-dev): bump the development-dependencies group with 5 updates

[dependabot]

Bumps the development-dependencies group with 5 updates:

Package	From	To
vite	6.0.7	6.0.9
rollup	4.30.1	4.31.0
@rsbuild/core	1.1.13	1.1.14
@sveltejs/kit	2.15.2	2.16.0
svelte	5.17.3	5.19.0

Updates vite from 6.0.7 to 6.0.9

Release notes

Sourced from vite's releases.

v6.0.9

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v6.0.8

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.0.9 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
• fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
• fix: verify token for HMR WebSocket connection (029dcd6)

6.0.8 (2025-01-20)

• fix: avoid SSR HMR for HTML files (#19193) (3bd55bc), closes #19193
• fix: build time display 7m 60s (#19108) (cf0d2c8), closes #19108
• fix: don't resolve URL starting with double slash (#19059) (35942cd), closes #19059
• fix: ensure server.close() only called once (#19204) (db81c2d), closes #19204
• fix: resolve.conditions in ResolvedConfig was defaultServerConditions (#19174) (ad75c56), closes #19174
• fix: tree shake stringified JSON imports (#19189) (f2aed62), closes #19189
• fix: use shared sigterm callback (#19203) (47039f4), closes #19203
• fix(deps): update all non-major dependencies (#19098) (8639538), closes #19098
• fix(optimizer): use correct default install state path for yarn PnP (#19119) (e690d8b), closes #19119
• fix(types): improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (ea53e70), closes #19146
• chore(deps): update dependency pathe to v2 (#19139) (71506f0), closes #19139

Commits

• a55f8ba release: v6.0.9
• bd896fb fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
• 029dcd6 fix: verify token for HMR WebSocket connection
• b09572a fix!: default server.cors: false to disallow fetching from untrusted origins
• c0f72a6 release: v6.0.8
• f2aed62 fix: tree shake stringified JSON imports (#19189)
• db81c2d fix: ensure server.close() only called once (#19204)
• 47039f4 fix: use shared sigterm callback (#19203)
• 3bd55bc fix: avoid SSR HMR for HTML files (#19193)
• e690d8b fix(optimizer): use correct default install state path for yarn PnP (#19119)
• Additional commits viewable in compare view

Updates rollup from 4.30.1 to 4.31.0

Release notes

Sourced from rollup's releases.

v4.31.0

4.31.0

2025-01-19

Features

• Do not immediately quit when trying to use watch mode from within non-TTY environments (#5803)

Bug Fixes

• Handle files with more than one UTF-8 BOM header (#5806)

Pull Requests

• #5792: fix(deps): update rust crate swc_compiler_base to v8 (@​renovate[bot])
• #5793: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5794: chore(deps): lock file maintenance (@​renovate[bot])
• #5801: chore(deps): update dependency eslint-config-prettier to v10 (@​renovate[bot])
• #5802: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5803: Support watch mode in yarn, gradle and containers (@​lukastaegert)
• #5806: fix: strip all BOMs (@​TrickyPi)

Changelog

Sourced from rollup's changelog.

4.31.0

2025-01-19

Features

• Do not immediately quit when trying to use watch mode from within non-TTY environments (#5803)

Bug Fixes

• Handle files with more than one UTF-8 BOM header (#5806)

Pull Requests

• #5792: fix(deps): update rust crate swc_compiler_base to v8 (@​renovate[bot])
• #5793: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5794: chore(deps): lock file maintenance (@​renovate[bot])
• #5801: chore(deps): update dependency eslint-config-prettier to v10 (@​renovate[bot])
• #5802: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5803: Support watch mode in yarn, gradle and containers (@​lukastaegert)
• #5806: fix: strip all BOMs (@​TrickyPi)

Commits

• 15c264d 4.31.0
• b9eeec2 fix: strip all BOMs (#5806)
• 0e77fb7 Support watch mode in yarn, gradle and containers (#5803)
• 8e814a5 chore(deps): update dependency eslint-config-prettier to v10 (#5801)
• 1f09912 fix(deps): lock file maintenance minor/patch updates (#5802)
• 1f1e6c7 fix(deps): update rust crate swc_compiler_base to v8 (#5792)
• 7f4e904 chore(deps): lock file maintenance (#5794)
• ad9d904 fix(deps): lock file maintenance minor/patch updates (#5793)
• See full diff in compare view

Updates @rsbuild/core from 1.1.13 to 1.1.14

Release notes

Sourced from @​rsbuild/core's releases.

v1.1.14

What's Changed

Other Changes

• fix!: disable server.cors by default for security reasons by @​chenjiahan in web-infra-dev/rsbuild#4399
• Release v1.1.14 by @​chenjiahan in web-infra-dev/rsbuild#4400

Full Changelog: web-infra-dev/rsbuild@v1.2.0-beta.1...v1.1.14

Commits

• 3000db7 Release v1.1.14 (#4400)
• 0fd17d4 fix!: disable server.cors by default for security reasons (#4399)
• See full diff in compare view

Updates @sveltejs/kit from 2.15.2 to 2.16.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.16.0

Minor Changes

• feat: add ability to invalidate a custom identifier on goto() (#13256)

• feat: remove the postinstall script to support pnpm 10 (#13304)

  NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

  ▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]
  tsconfig.json:2:12:
    2 │   "extends": "./.svelte-kit/tsconfig.json",
      ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

• feat: provide PageProps and LayoutProps types (#13308)

Patch Changes

• perf: shorten chunk file names (#13003)

• fix: strip internal data before passing URL to reroute (#13092)

• fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#12217)

• fix: use current window.fetch for server load fetch requests (#13315)

• fix: resolve symlinks when handling routes (#12740)

• fix: prevent infinite reload when using the hash router and previewing /index.html (#13296)

• fix: service worker base path in dev mode (#12577)

• chore: error during development when using use:enhance with +server (#13197)

• chore: add most common status codes to redirect() JS documentation (#13301)

• fix: correctly link to assets inlined by the inlineStyleThreshold option (#13068)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.16.0

Minor Changes

• feat: add ability to invalidate a custom identifier on goto() (#13256)

• feat: remove the postinstall script to support pnpm 10 (#13304)

  NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

  ▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]
  tsconfig.json:2:12:
    2 │   "extends": "./.svelte-kit/tsconfig.json",
      ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

• feat: provide PageProps and LayoutProps types (#13308)

Patch Changes

• perf: shorten chunk file names (#13003)

• fix: strip internal data before passing URL to reroute (#13092)

• fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#12217)

• fix: use current window.fetch for server load fetch requests (#13315)

• fix: resolve symlinks when handling routes (#12740)

• fix: prevent infinite reload when using the hash router and previewing /index.html (#13296)

• fix: service worker base path in dev mode (#12577)

• chore: error during development when using use:enhance with +server (#13197)

• chore: add most common status codes to redirect() JS documentation (#13301)

... (truncated)

Commits

• 537cd1b Version Packages (#13316)
• 6774ebc fix: strip internal data before passing URL to reroute (#13092)
• 37f72fb fix: inline server stylesheets instead of client stylesheets (#13068)
• e541a40 feat: remove the postinstall script in favor of template prepare script (#13304)
• c43fd92 fix: only decode URL hash instead of entire URL (#13332)
• 388d441 fix: catch error when resolving peer dep (#13334)
• 777c8ef fix: tighten up preloadCode (#12217)
• 0142dd8 chore: add missing await (#13327)
• 34a03ff fix: use resolve_symlinks for node.universal and node.server (#12740)
• d440c68 perf: shorten file names (#13003)
• Additional commits viewable in compare view

Updates svelte from 5.17.3 to 5.19.0

Release notes

Sourced from svelte's releases.

[email protected]

Minor Changes

• feat: Expose ClassValue from svelte/elements (#15035)

Patch Changes

• fix: create fewer deriveds for concatenated strings (#15041)

• fix: correctly parse leading comments in function binding (#15020)

[email protected]

Minor Changes

• feat: allow \<template> elements to contain any child (#15007)

Patch Changes

• fix: ensure resume effects are scheduled in topological order (#15012)

• fix: bump esrap (#15015)

• fix: remove listener on bind_current_time teardown (#15013)

[email protected]

Patch Changes

• feat: allow const tag inside svelte:boundary (#14993)

• fix: ensure signal write invalidation within effects is consistent (#14989)

[email protected]

Patch Changes

• fix: never consider inert boundary effects (#14999)

• fix: store access on component destroy (#14968)

• fix: correctly transform pre with no content (#14973)

• fix: wrap each block expression in derived to encapsulate effects (#14967)

Changelog

Sourced from svelte's changelog.

5.19.0

Minor Changes

• feat: Expose ClassValue from svelte/elements (#15035)

Patch Changes

• fix: create fewer deriveds for concatenated strings (#15041)

• fix: correctly parse leading comments in function binding (#15020)

5.18.0

Minor Changes

• feat: allow \<template> elements to contain any child (#15007)

Patch Changes

• fix: ensure resume effects are scheduled in topological order (#15012)

• fix: bump esrap (#15015)

• fix: remove listener on bind_current_time teardown (#15013)

5.17.5

Patch Changes

• feat: allow const tag inside svelte:boundary (#14993)

• fix: ensure signal write invalidation within effects is consistent (#14989)

5.17.4

Patch Changes

• fix: never consider inert boundary effects (#14999)

• fix: store access on component destroy (#14968)

• fix: correctly transform pre with no content (#14973)

• fix: wrap each block expression in derived to encapsulate effects (#14967)

Commits

• a9d1f46 Version Packages (#15021)
• 509ba56 fix: create fewer deriveds for concatenated strings (#15041)
• 2aefc54 feat(elements): Expose ClassValue (#15035)
• 973b51d fix: correctly parse leading comments in function binding (#15020)
• 1d3c439 Version Packages (#15010)
• ff79704 fix: bump esrap (#15015)
• 5419610 fix: ensure resume effects are scheduled in topological order (#15012)
• 360ee70 fix: remove listener on bind_current_time teardown (#15013)
• dfa97a5 feat: allow every children in template tags (#15007)
• a1698c6 Version Packages (#15001)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[tbouffard]

Converted to Draft

• rsbuild: need to check "NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:"

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Superseded by #186.