chore(deps): bump the npm_and_yarn group across 2 directories with 12 updates by dependabot[bot] · Pull Request #10 · DEVtheOPS/kore

dependabot · 2026-05-13T10:02:35Z

Bumps the npm_and_yarn group with 4 updates in the / directory: @sveltejs/kit, svelte, vite and picomatch.
Bumps the npm_and_yarn group with 5 updates in the /docs directory:

Package	From	To
vite	`6.4.1`	`6.4.2`
devalue	`5.6.3`	`5.8.0`
picomatch	`2.3.1`	`2.3.2`
postcss	`8.5.6`	`8.5.14`
astro	`5.18.0`	`6.1.10`

Updates @sveltejs/kit from 2.50.1 to 2.57.1

Release notes

Sourced from @sveltejs/kit's releases.

@sveltejs/kit@2.57.1

Patch Changes

fix: better validation for redirect inputs (10d7b44)

fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

fix: use default values as fallbacks (#15680)

fix: relax form typings for union types (#15687)

@sveltejs/kit@2.57.0

Minor Changes

feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#15530)

Patch Changes

fix: use array type for select fields that accept multiple values (#15591)

fix: silently 404 Chrome DevTools workspaces request in dev and preview (#15656)

fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#15323)

fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#15647)

fix: reimplement treeshaking non-dynamic prerendered remote functions (#15447)

@sveltejs/kit@2.56.1

Patch Changes

chore: update JSDoc (#15640)

@sveltejs/kit@2.56.0

Minor Changes

breaking: rework client-driven refreshes (#15562)

breaking: stabilize remote function caching by sorting object keys (#15570)

breaking: add run() method to queries, disallow awaiting queries outside render (#15533)

... (truncated)

Changelog

Sourced from @sveltejs/kit's changelog.

2.57.1

Patch Changes

fix: better validation for redirect inputs (10d7b44)

fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

fix: use default values as fallbacks (#15680)

fix: relax form typings for union types (#15687)

2.57.0

Minor Changes

feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#15530)

Patch Changes

fix: use array type for select fields that accept multiple values (#15591)

fix: silently 404 Chrome DevTools workspaces request in dev and preview (#15656)

fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#15323)

fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#15647)

fix: reimplement treeshaking non-dynamic prerendered remote functions (#15447)

2.56.1

Patch Changes

chore: update JSDoc (#15640)

2.56.0

Minor Changes

breaking: rework client-driven refreshes (#15562)

... (truncated)

Commits

75147d4 Version Packages (#15684)
10d7b44 Merge commit from fork
3202ed6 Merge commit from fork
24d7e76 chore: fix reuse wording in client comment (#15679)
6a9cdaa fix: relax form typings for union types (#15687)
ab8b2f1 fix: use default values as fallbacks (#15680)
3ccb33b Version Packages (#15651)
7f8aef7 chore: reduce use of any types (#15659)
be1c95f chore: avoid importing types directly from Rollup (#15668)
1615af7 chore: centralize noops (#15662)
Additional commits viewable in compare view

Updates svelte from 5.49.1 to 5.53.5

Release notes

Sourced from svelte's releases.

svelte@5.53.5

Patch Changes

fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

svelte@5.53.4

Patch Changes

fix: set server context after async transformError (#17799)

fix: hydrate if blocks correctly (#17784)

fix: handle default parameters scope leaks (#17788)

fix: prevent flushed effects from running again (#17787)

svelte@5.53.3

Patch Changes

fix: render :catch of #await block with correct key (#17769)

chore: pin aria-query@5.3.1 (#17772)

fix: make string coercion consistent to toString (#17774)

svelte@5.53.2

Patch Changes

fix: update expressions on server deriveds (#17767)

fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

svelte@5.53.1

Patch Changes

fix: handle shadowed function names correctly (#17753)

svelte@5.53.0

Minor Changes

feat: allow comments in tags (#17671)

feat: allow error boundaries to work on the server (#17672)

Patch Changes

fix: use TrustedHTML to test for customizable support, where necessary (#17743)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.5

Patch Changes

fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

5.53.4

Patch Changes

fix: set server context after async transformError (#17799)

fix: hydrate if blocks correctly (#17784)

fix: handle default parameters scope leaks (#17788)

fix: prevent flushed effects from running again (#17787)

5.53.3

Patch Changes

fix: render :catch of #await block with correct key (#17769)

chore: pin aria-query@5.3.1 (#17772)

fix: make string coercion consistent to toString (#17774)

5.53.2

Patch Changes

fix: update expressions on server deriveds (#17767)

fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

5.53.1

Patch Changes

fix: handle shadowed function names correctly (#17753)

5.53.0

Minor Changes

feat: allow comments in tags (#17671)

... (truncated)

Commits

ed14b49 Version Packages (#17802)
0df5abc Merge commit from fork
0298e97 Merge commit from fork
96fd3ce Version Packages (#17786)
1b3e660 fix: prevent flushed effects from running again (#17787)
673a1ab fix: set server context after async transformError (#17799)
3a28979 fix: handle default parameters scope leaks (#17788)
fcdc028 fix: hydrate if blocks correctly (#17784)
97f3ac5 Version Packages (#17775)
7deedc5 fix: render :catch of #await block with correct key (#17769)
Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Updates devalue from 5.6.2 to 5.8.0

Release notes

Sourced from devalue's releases.

v5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Changelog

Sourced from devalue's changelog.

5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Commits

14933f7 Version Packages (#151)
c5115b0 feat: stringifyAsync (#150)
67dad45 docs: update README to reflect serialization stability non-goal (#147)
6eb920a Version Packages (#146)
8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
2eee2e4 Version Packages (#144)
498656e DataView support (#143)
5590634 Improve platform types support (#142)
57f73fc fix: support boxed bigints and sentinel values (#141)
baec4cb Add prettier configuration (#140)
Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

3ec1394 Release 8.5.14 version
f2bb827 Update dependencies
d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
68bd213 fix: always call raw to retrieve raw values
af58cf1 Release 8.5.13 version
f227dbd Temporary ignore pnpm 11 config
d3abd40 Update dependencies
dd06c3e Revert stringifier changes because of the conflict with postcss-scss
ae889c8 Try to fix CI
e0093e4 Move to pnpm 11
Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.60.3

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

v4.60.1

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

#6360: fix: do not rename nested "exports" bindings that do not conflict (@tariqrafique, @lukastaegert)

#6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@renovate[bot])

#6365: fix(deps): update minor/patch updates (@renovate[bot])

#6366: fix(deps): update swc monorepo (major) (@renovate[bot])

#6367: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6368: docs: add missing backticks in plugin-development (@lumirlumir, @lukastaegert)

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

4.60.1

2026-03-30

... (truncated)

Commits

b47bdab 4.60.3
15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
b74aa39 Migrate instructions to AGENTS.md
aa5a377 fix(deps): update minor/patch updates (#6365)
197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
cded70a fix(deps): update swc monorepo (major) (#6366)
bb2b8a5 docs: add missing backticks in plugin-development (#6368)
20af1c4 chore(deps): lock file maintenance (#6367)
a6be82b 4.60.2
Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Updates devalue from 5.6.3 to 5.8.0

Release notes

Sourced from devalue's releases.

v5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Changelog

Sourced from devalue's changelog.

5.8.0

Minor Changes

c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

df2e284: feat: use native alternatives to encode/decode base64

498656e: feat: add DataView support

a210130: feat: whitelist Float16Array

df2e284: feat: simplify TypedArray slices

Patch Changes

5590634: fix: get uneval type handling up to parity with stringify

57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

40f1db1: fix: ensure sparse array indices are integers

87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

Commits

14933f7 Version Packages (#151)
c5115b0 feat: stringifyAsync (#150)
67dad45 docs: update README to reflect serialization stability non-goal (#147)
6eb920a Version Packages (#146)
8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
2eee2e4 Version Packages (#144)
498656e DataView support (#143)
5590634 Improve platform types support (#142)
57f73fc fix: support boxed bigints and sentinel values (#141)
baec4cb Add prettier configuration (#140)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regres...
Description has been truncated

… updates Bumps the npm_and_yarn group with 4 updates in the / directory: [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit), [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [picomatch](https://github.com/micromatch/picomatch). Bumps the npm_and_yarn group with 5 updates in the /docs directory: | Package | From | To | | --- | --- | --- | | [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `6.4.1` | `6.4.2` | | [devalue](https://github.com/sveltejs/devalue) | `5.6.3` | `5.8.0` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.14` | | [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) | `5.18.0` | `6.1.10` | Updates `@sveltejs/kit` from 2.50.1 to 2.57.1 - [Release notes](https://github.com/sveltejs/kit/releases) - [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md) - [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.57.1/packages/kit) Updates `svelte` from 5.49.1 to 5.53.5 - [Release notes](https://github.com/sveltejs/svelte/releases) - [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.53.5/packages/svelte) Updates `vite` from 6.4.1 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `devalue` from 5.6.2 to 5.8.0 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.3...v5.8.0) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `postcss` from 8.5.6 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.14) Updates `rollup` from 4.57.1 to 4.60.3 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.57.1...v4.60.3) Updates `vite` from 6.4.1 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `devalue` from 5.6.3 to 5.8.0 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.3...v5.8.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `postcss` from 8.5.6 to 8.5.14 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.14) Updates `astro` from 5.18.0 to 6.1.10 - [Release notes](https://github.com/withastro/astro/releases) - [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md) - [Commits](https://github.com/withastro/astro/commits/astro@6.1.10/packages/astro) Updates `defu` from 6.1.4 to 6.1.7 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.7) Updates `h3` from 1.15.5 to 1.15.11 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.11/CHANGELOG.md) - [Commits](h3js/h3@v1.15.5...v1.15.11) Updates `smol-toml` from 1.6.0 to 1.6.1 - [Release notes](https://github.com/squirrelchat/smol-toml/releases) - [Commits](squirrelchat/smol-toml@v1.6.0...v1.6.1) Updates `svgo` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v4.0.0...v4.0.1) --- updated-dependencies: - dependency-name: "@sveltejs/kit" dependency-version: 2.57.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: svelte dependency-version: 5.53.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 5.8.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: astro dependency-version: 6.1.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: smol-toml dependency-version: 1.6.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-13T10:10:28Z

Rust Security Scan

cargo audit: FAIL (exit 1)
cargo deny (advisories): FAIL (exit 1)
cargo clippy security lints: FAIL (exit 101)

cargo audit (tail)

time 2.9.2
│   │           │   │   ├── tauri-runtime-wry 2.9.3
│   │           │   │   └── tauri 2.9.5
│   │           │   ├── tauri-plugin-fs 2.4.5
│   │           │   ├── tauri-plugin 2.5.2
│   │           │   │   ├── tauri-plugin-websocket 2.4.2
│   │           │   │   ├── tauri-plugin-updater 2.9.0
│   │           │   │   ├── tauri-plugin-opener 2.5.3
│   │           │   │   ├── tauri-plugin-notification 2.3.3
│   │           │   │   ├── tauri-plugin-fs 2.4.5
│   │           │   │   └── tauri-plugin-dialog 2.6.0
│   │           │   ├── tauri-macros 2.5.2
│   │           │   │   └── tauri 2.9.5
│   │           │   ├── tauri-codegen 2.5.2
│   │           │   │   └── tauri-macros 2.5.2
│   │           │   ├── tauri-build 2.5.3
│   │           │   │   ├── tauri 2.9.5
│   │           │   │   └── kore 0.1.1
│   │           │   └── tauri 2.9.5
│   │           └── kuchikiki 0.8.8-speedreader
│   │               ├── wry 0.53.5
│   │               └── tauri-utils 2.8.1
│   ├── phf_macros 0.11.3
│   │   └── phf 0.11.3
│   │       ├── tauri-utils 2.8.1
│   │       └── markup5ever 0.14.1
│   └── phf_codegen 0.11.3
│       └── markup5ever 0.14.1
└── phf_generator 0.10.0
    └── phf_macros 0.10.0
        └── phf 0.10.1
            └── cssparser 0.29.6
                ├── selectors 0.24.0
                │   └── kuchikiki 0.8.8-speedreader
                └── kuchikiki 0.8.8-speedreader

�[0m�[0m�[1m�[33mCrate:    �[0m rand
�[0m�[0m�[1m�[33mVersion:  �[0m 0.9.2
�[0m�[0m�[1m�[33mWarning:  �[0m unsound
�[0m�[0m�[1m�[33mTitle:    �[0m Rand is unsound with a custom logger using `rand::rng()`
�[0m�[0m�[1m�[33mDate:     �[0m 2026-04-09
�[0m�[0m�[1m�[33mID:       �[0m RUSTSEC-2026-0097
�[0m�[0m�[1m�[33mURL:      �[0m https://rustsec.org/advisories/RUSTSEC-2026-0097
�[0m�[0m�[1m�[33mDependency tree:
�[0mrand 0.9.2
├── tungstenite 0.28.0
│   └── tokio-tungstenite 0.28.0
│       └── tauri-plugin-websocket 2.4.2
│           └── kore 0.1.1
├── tauri-plugin-websocket 2.4.2
├── tauri-plugin-notification 2.3.3
│   └── kore 0.1.1
├── rav1e 0.8.1
│   └── ravif 0.12.0
│       └── image 0.25.9
│           └── kore 0.1.1
└── quinn-proto 0.11.13
    └── quinn 0.11.9
        └── reqwest 0.12.28
            ├── tauri-plugin-updater 2.9.0
            │   └── kore 0.1.1
            └── tauri 2.9.5
                ├── tauri-plugin-websocket 2.4.2
                ├── tauri-plugin-updater 2.9.0
                ├── tauri-plugin-opener 2.5.3
                │   └── kore 0.1.1
                ├── tauri-plugin-notification 2.3.3
                ├── tauri-plugin-fs 2.4.5
                │   ├── tauri-plugin-dialog 2.6.0
                │   │   └── kore 0.1.1
                │   └── kore 0.1.1
                ├── tauri-plugin-dialog 2.6.0
                └── kore 0.1.1

�[0m�[0m�[1m�[33mCrate:    �[0m core2
�[0m�[0m�[1m�[33mVersion:  �[0m 0.4.0
�[0m�[0m�[1m�[33mWarning:  �[0m yanked

�[0m�[0m�[1m�[31merror:�[0m 7 vulnerabilities found!
�[0m�[0m�[1m�[33mwarning:�[0m 21 allowed warnings found

cargo deny (tail)


          └── kore v0.1.1

�[0m�[1m�[38;5;9merror[vulnerability]�[0m�[1m: tar-rs incorrectly ignores PAX size headers if header size is nonzero�[0m
    �[0m�[36m┌─�[0m /home/runner/work/kore/kore/src-tauri/Cargo.lock:470:1
    �[0m�[36m│�[0m
�[0m�[36m470�[0m �[0m�[36m│�[0m �[0m�[31mtar 0.4.44 registry+https://github.com/rust-lang/crates.io-index�[0m
    �[0m�[36m│�[0m �[0m�[31m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[0m�[31msecurity vulnerability detected�[0m
    �[0m�[36m│�[0m
    �[0m�[36m├�[0m ID: RUSTSEC-2026-0068
    �[0m�[36m├�[0m Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0068
    �[0m�[36m├�[0m Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX
      size header in cases where the base header size is nonzero.
      
      As part of [CVE-2025-62518][astral-cve], the [astral-tokio-tar]
      project was changed to correctly honor PAX size headers in the case where it
      was different from the base header. This is almost the inverse of the
      astral-tokio-tar issue.
      
      Any discrepancy in how tar parsers honor file size can be used to create
      archives that appear differently when unpacked by different archivers. In this
      case, the tar-rs (Rust tar) crate is an outlier in checking for the header size
      — other tar parsers (including e.g. Go [`archive/tar`][go-tar]) unconditionally
      use the PAX size override. This can affect anything that uses the tar crate to
      parse archives and expects to have a consistent view with other parsers.
      
      This issue has been fixed in version 0.4.45.
      
      [astral-cve]: https://www.cve.org/CVERecord?id=CVE-2025-62518
      [astral-tokio-tar]: https://github.com/astral-sh/tokio-tar
      [go-tar]: https://pkg.go.dev/archive/tar
    �[0m�[36m├�[0m Solution: Upgrade to >=0.4.45 (try `cargo update -p tar`)
    �[0m�[36m├�[0m tar v0.4.44
      └── tauri-plugin-updater v2.9.0
          └── kore v0.1.1

�[0m�[1m�[38;5;11mwarning[yanked]�[0m�[1m: detected yanked crate (try `cargo update -p core2`)�[0m
   �[0m�[36m┌─�[0m /home/runner/work/kore/kore/src-tauri/Cargo.lock:73:1
   �[0m�[36m│�[0m
�[0m�[36m73�[0m �[0m�[36m│�[0m �[0m�[33mcore2 0.4.0 registry+https://github.com/rust-lang/crates.io-index�[0m
   �[0m�[36m│�[0m �[0m�[33m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[0m�[33myanked version�[0m
   �[0m�[36m│�[0m
   �[0m�[36m├�[0m core2 v0.4.0
     └── bitstream-io v4.9.0
         └── rav1e v0.8.1
             └── ravif v0.12.0
                 └── image v0.25.9
                     └── kore v0.1.1

�[0m�[1m�[38;5;11mwarning[advisory-not-detected]�[0m�[1m: advisory was not encountered�[0m
   �[0m�[36m┌─�[0m /home/runner/work/kore/kore/src-tauri/deny.toml:23:6
   �[0m�[36m│�[0m
�[0m�[36m23�[0m �[0m�[36m│�[0m     "�[0m�[33mRUSTSEC-2024-0429�[0m",
   �[0m�[36m│�[0m      �[0m�[33m━━━━━━━━━━━━━━━━━�[0m �[0m�[33mno crate matched advisory criteria�[0m

advisories �[31mFAILED�[0m

cargo clippy (tail)

le-streaming-iterator v0.1.9
�[1m�[92m    Checking�[0m fallible-iterator v0.3.0
�[1m�[92m    Checking�[0m iana-time-zone v0.1.65
�[1m�[92m    Checking�[0m minisign-verify v0.2.4
�[1m�[92m    Checking�[0m chrono v0.4.43
�[1m�[92m    Checking�[0m notify v8.2.0
�[1m�[92m    Checking�[0m image v0.25.9
�[1m�[92m    Checking�[0m rusqlite v0.38.0
�[1m�[92m    Checking�[0m kube v3.0.1
�[1m�[91merror�[0m�[1m: consider using `sort_by_key`�[0m
   �[1m�[94m--> �[0msrc/k8s/client.rs:261:5
    �[1m�[94m|�[0m
�[1m�[94m261�[0m �[1m�[94m|�[0m     namespaces.sort_by(|a, b| b.created_at.cmp(&a.created_at));
    �[1m�[94m|�[0m     �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mhelp�[0m: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.95.0/index.html#unnecessary_sort_by
    �[1m�[94m= �[0m�[1mnote�[0m: `-D clippy::unnecessary-sort-by` implied by `-D warnings`
    �[1m�[94m= �[0m�[1mhelp�[0m: to override `-D warnings` add `#[allow(clippy::unnecessary_sort_by)]`
�[1m�[96mhelp�[0m: try
    �[1m�[94m|�[0m
�[1m�[94m261�[0m �[91m- �[0m    namespaces.�[91msort_by(|a, b| b.created_at.cmp(&a.created_at))�[0m;
�[1m�[94m261�[0m �[92m+ �[0m    namespaces.�[92msort_by_key(|b| std::cmp::Reverse(b.created_at))�[0m;
    �[1m�[94m|�[0m

�[1m�[91merror�[0m�[1m: consider using `sort_by_key`�[0m
   �[1m�[94m--> �[0msrc/k8s/metrics.rs:418:5
    �[1m�[94m|�[0m
�[1m�[94m418�[0m �[1m�[94m|�[0m     summaries.sort_by(|a, b| b.created_at.cmp(&a.created_at));
    �[1m�[94m|�[0m     �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mhelp�[0m: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.95.0/index.html#unnecessary_sort_by
�[1m�[96mhelp�[0m: try
    �[1m�[94m|�[0m
�[1m�[94m418�[0m �[91m- �[0m    summaries.�[91msort_by(|a, b| b.created_at.cmp(&a.created_at))�[0m;
�[1m�[94m418�[0m �[92m+ �[0m    summaries.�[92msort_by_key(|b| std::cmp::Reverse(b.created_at))�[0m;
    �[1m�[94m|�[0m

�[1m�[91merror�[0m�[1m: consider using `sort_by_key`�[0m
   �[1m�[94m--> �[0msrc/k8s/metrics.rs:437:5
    �[1m�[94m|�[0m
�[1m�[94m437�[0m �[1m�[94m|�[0m     list.sort_by(|a, b| b.created_at.cmp(&a.created_at));
    �[1m�[94m|�[0m     �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mhelp�[0m: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.95.0/index.html#unnecessary_sort_by
�[1m�[96mhelp�[0m: try
    �[1m�[94m|�[0m
�[1m�[94m437�[0m �[91m- �[0m    list.�[91msort_by(|a, b| b.created_at.cmp(&a.created_at))�[0m;
�[1m�[94m437�[0m �[92m+ �[0m    list.�[92msort_by_key(|b| std::cmp::Reverse(b.created_at))�[0m;
    �[1m�[94m|�[0m

�[1m�[91merror�[0m: could not compile `kore` (lib) due to 3 previous errors
�[1m�[33mwarning�[0m: build failed, waiting for other jobs to finish...
�[1m�[91merror�[0m: could not compile `kore` (lib test) due to 3 previous errors

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 13, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 12 updates#10

chore(deps): bump the npm_and_yarn group across 2 directories with 12 updates#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-212f03eacc

dependabot Bot commented on behalf of github May 13, 2026

Uh oh!

github-actions Bot commented May 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 13, 2026

@​sveltejs/kit@​2.57.1

Patch Changes

@​sveltejs/kit@​2.57.0

Minor Changes

Patch Changes

@​sveltejs/kit@​2.56.1

Patch Changes

@​sveltejs/kit@​2.56.0

Minor Changes

2.57.1

Patch Changes

2.57.0

Minor Changes

Patch Changes

2.56.1

Patch Changes

2.56.0

Minor Changes

svelte@5.53.5

Patch Changes

svelte@5.53.4

Patch Changes

svelte@5.53.3

Patch Changes

svelte@5.53.2

Patch Changes

svelte@5.53.1

Patch Changes

svelte@5.53.0

Minor Changes

Patch Changes

5.53.5

Patch Changes

5.53.4

Patch Changes

5.53.3

Patch Changes

5.53.2

Patch Changes

5.53.1

Patch Changes

5.53.0

Minor Changes

v6.4.2

6.4.2 (2026-04-06)

v5.8.0

Minor Changes

v5.7.1

Patch Changes

v5.7.0

Minor Changes

Patch Changes

v5.6.4

Patch Changes

5.8.0

Minor Changes

5.7.1

Patch Changes

5.7.0

Minor Changes

Patch Changes

5.6.4

Patch Changes

4.0.4

What's Changed

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

`@sveltejs/kit@2`.57.1

`@sveltejs/kit@2`.57.0

`@sveltejs/kit@2`.56.1

`@sveltejs/kit@2`.56.0