fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@astrojs/netlify (source)	6.5.6 -> 6.5.10			dependencies	patch
@astrojs/svelte (source)	7.1.0 -> 7.1.1			dependencies	patch
@eslint/js (source)	9.32.0 -> 9.35.0			devDependencies	minor
@fontsource/pt-sans (source)	5.2.6 -> 5.2.7			dependencies	patch
@playwright/test (source)	1.54.2 -> 1.55.0			devDependencies	minor
@sveltejs/adapter-auto (source)	6.0.2 -> 6.1.0			devDependencies	minor
@sveltejs/kit (source)	2.27.3 -> 2.38.1			devDependencies	minor
@sveltejs/package (source)	2.4.1 -> 2.5.0			devDependencies	minor
@sveltejs/vite-plugin-svelte (source)	6.1.0 -> 6.2.0			devDependencies	minor
@sveltejs/vite-plugin-svelte (source)	6.1.0 -> 6.2.0			dependencies	minor
@testing-library/jest-dom	6.6.4 -> 6.8.0			devDependencies	minor
@types/node (source)	22.17.0 -> 22.18.1			devDependencies	minor
eslint (source)	9.32.0 -> 9.35.0			devDependencies	minor
eslint-plugin-svelte (source)	3.11.0 -> 3.12.3			devDependencies	minor
globals	16.3.0 -> 16.4.0			devDependencies	minor
node (source)	24.5.0 -> 24.8.0			volta	minor
pnpm (source)	10.14.0 -> 10.15.1			packageManager	minor
pnpm (source)	10.14.0 -> 10.15.1			volta	minor
svelte (source)	5.38.0 -> 5.38.10			devDependencies	patch
svelte (source)	5.38.0 -> 5.38.10			dependencies	patch
typescript-eslint (source)	8.39.0 -> 8.43.0			devDependencies	minor
zimmerframe	1.1.2 -> 1.1.4			dependencies	patch

---

Release Notes

withastro/astro (@​astrojs/netlify)

v6.5.10

Compare Source

Patch Changes

• #​14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.0

v6.5.9

Compare Source

Patch Changes

• #​14269 4823c42 Thanks @​florian-lefebvre! - Updates context.netlify to implement all its properties

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.0

v6.5.8

Compare Source

Patch Changes

• #​14240 77b18fb Thanks @​delucis! - Increases the minimum supported version of Astro to 5.7.0

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.0

v6.5.7

Compare Source

Patch Changes

• Updated dependencies [4d16de7]:
  • @​astrojs/internal-helpers@​0.7.2
  • @​astrojs/underscore-redirects@​1.0.0

withastro/astro (@​astrojs/svelte)

v7.1.1

Compare Source

Patch Changes

• #​14326 c24a8f4 Thanks @​jsparkdev! - Updates vite version to fix CVE

eslint/eslint (@​eslint/js)

v9.35.0

Compare Source

v9.34.0

Compare Source

v9.33.0

Compare Source

fontsource/font-files (@​fontsource/pt-sans)

v5.2.7

Compare Source

microsoft/playwright (@​playwright/test)

v1.55.0

Compare Source

sveltejs/kit (@​sveltejs/adapter-auto)

v6.1.0

Compare Source

Minor Changes

• feat: add Deno as a supported package manager (#​14163)

Patch Changes

• Updated dependencies [ece3906, 5ac9d27, fed6331, 69f4e5f, 6b34122, 9493537, f67ba09]:
  • @​sveltejs/kit@​2.28.0

sveltejs/kit (@​sveltejs/kit)

v2.38.1

Compare Source

Patch Changes

• fix: enable redirects from queries (#​14400)

• fix: remove empty nodes from serialized server load data (#​14404)

• fix: allow commands from within endpoints (#​14343)

v2.38.0

Compare Source

Minor Changes

• feat: add new remote function query.batch (#​14272)

v2.37.1

Compare Source

Patch Changes

• fix: serialize server load data before passing to universal load, to handle mutations and promises (#​14298)

• fix: resolve_route prevent dropping a trailing slash of id (#​14294)

• fix: assign correct status code to form submission error on the client (#​14345)

• fix: un-proxy form.result (#​14346)

v2.37.0

Compare Source

Minor Changes

• feat: automatically resolve query.refresh() promises on the server (#​14332)

• feat: allow query.set() to be called on the server (#​14304)

Patch Changes

• fix: disable CSRF checks in dev (#​14335)

• fix: allow redirects to external URLs from within form functions (#​14329)

• fix: add type definitions for query.set() method to override the value of a remote query function (#​14303)

• fix: ensure uniqueness of form.for(...) across form functions (#​14327)

v2.36.3

Compare Source

Patch Changes

• fix: bump devalue (#​14323)

• chore: consolidate dev checks to use esm-env instead of a __SVELTEKIT_DEV__ global (#​14308)

• fix: reset form inputs by default when using remote form functions (#​14322)

v2.36.2

Compare Source

Patch Changes

• chore: make config deprecation warnings more visible (#​14281)

• chore: remove redundant Not Found error message (#​14289)

• chore: deprecate csrf.checkOrigin in favour of csrf.trustedOrigins: ['*'] (#​14281)

v2.36.1

Compare Source

Patch Changes

• fix: ensure importing from $app/navigation works in test files (#​14195)

v2.36.0

Compare Source

Minor Changes

• feat: add csrf.trustedOrigins configuration (#​14021)

Patch Changes

• fix: correctly decode custom types streamed from a server load function (#​14261)

• fix: add trailing slash pathname when generating typed routes (#​14065)

v2.35.0

Compare Source

Minor Changes

• feat: better server-side error logging (#​13990)

Patch Changes

• fix: ensure static error page is loaded correctly for custom user errors (#​13952)

v2.34.1

Compare Source

Patch Changes

• fix: support multiple cookies with the same name across different paths and domains (b2c5d02)

• fix: add link header when preloading font (#​14200)

• fix: cookies.get(...) returns undefined for a just-deleted cookie (b2c5d02)

• fix: load env before prerender (c5f7139)

v2.34.0

Compare Source

Minor Changes

• feat: allow dynamic env access during prerender (#​14243)

Patch Changes

• fix: clone fetch responses so that headers are mutable (#​13942)

• fix: serialize server load data before passing to universal load, to handle mutations (#​14268)

• fix: allow asset(...) to be used with imported assets (#​14270)

v2.33.1

Compare Source

Patch Changes

• fix: make paths in .css assets relative (#​14262)

• fix: avoid copying SSR stylesheets to client assets (#​13069)

v2.33.0

Compare Source

Minor Changes

• feat: configure error reporting when routes marked as prerendable were not prerendered (#​11702)

Patch Changes

• fix: use correct flag for server tracing (#​14250)

• fix: correct type names for new handleUnseenRoutes option (#​14254)

• chore: Better docs and error message for missing @opentelemetry/api dependency (#​14250)

v2.32.0

Compare Source

Minor Changes

• feat: inline load fetch response.body stream data as base64 in page (#​11473)

Patch Changes

• fix: better error when .remote.ts files are used without the experimental.remoteFunctions flag (#​14225)

v2.31.1

Compare Source

Patch Changes

• fix: pass options to resolve in resolveId hook (#​14223)

v2.31.0

Compare Source

Minor Changes

• feat: OpenTelemetry tracing for handle, sequence, form actions, remote functions, and load functions running on the server (#​13899)

• feat: add instrumentation.server.ts for tracing and observability setup (#​13899)

v2.30.1

Compare Source

Patch Changes

• chore: generate $app/types in a more Typescript-friendly way (#​14207)

v2.30.0

Compare Source

Minor Changes

• feat: allow to specify options for the service worker in svelte.config.js (#​13578)

Patch Changes

• fix: ensure buttonProps.enhance works on buttons with nested text (#​14199)

• fix: pass validation issues specifically to avoid non-enumerable spreading error (#​14197)

v2.29.1

Compare Source

Patch Changes

• chore: allow remote functions in all of the src directory (#​14198)

v2.29.0

Compare Source

Minor Changes

• feat: add a kit.files.src option (#​14152)

Patch Changes

• fix: don't treat $lib/server.ts or $lib/server_whatever.ts as server-only modules, only $lib/server/** (#​14191)

• fix: make illegal server-only import errors actually useful (#​14155)

• chore: deprecate config.kit.files options (#​14152)

• fix: avoid warning if page options in a Svelte file belongs to a comment (#​14180)

v2.28.0

Compare Source

Minor Changes

• feat: add RouteId and RouteParams to NavigationTarget interface (#​14167)

• feat: add pending property to forms and commands (#​14137)

Patch Changes

• fix: fetch imported assets during prerender (#​12201)

• chore: refactor redundant base64 encoding/decoding functions (#​14160)

• fix: use correct cache result when fetching same url multiple times (#​12355)

• fix: don't refresh queries automatically when running commands (#​14170)

• fix: avoid writing remote function bundle to disk when treeshaking prerendered queries (#​14161)

sveltejs/kit (@​sveltejs/package)

v2.5.0

Compare Source

Minor Changes

• feat: add --preserve-output flag to prevent deletion of the output directory before packaging (#​13055)

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte)

v6.2.0

Compare Source

Minor Changes

• feat(rolldown-vite): enable optimization.inlineConst by default to ensure treeshaking works with esm-env in svelte (#​1207)

v6.1.4

Compare Source

Patch Changes

• fix: allow preprocess plugin to run twice (#​1206)

• fix(types): update urls to PreprocessorGroup and CompileOptions in type documention (#​1203)

• replace kleur dependency with builtin node:utils styleText (#​1210)

v6.1.3

Compare Source

Patch Changes

• fix(api): add api.filter and deprecate api.idFilter to avoid confusing filter.id = idFilter.id assignments when used as hybrid filter in other plugins (#​1199)

v6.1.2

Compare Source

Patch Changes

• fix: ensure compiled css is returned when reloading during dev with ssr (e.g. SvelteKit) (#​1194)

v6.1.1

Compare Source

Patch Changes

• fix: ensure compiled svelte css is loaded correctly when rebuilding in build --watch (#​1189)

testing-library/jest-dom (@​testing-library/jest-dom)

v6.8.0

Compare Source

v6.7.0

Compare Source

Features

• add toBePressed matcher (#​203) (#​658) (cfdf8ae)

eslint/eslint (eslint)

v9.35.0

Compare Source

v9.34.0

Compare Source

v9.33.0

Compare Source

sveltejs/eslint-plugin-svelte (eslint-plugin-svelte)

v3.12.3

Compare Source

Patch Changes

• #​1305 d92dde0 Thanks @​ota-meshi! - fix(no-top-level-browser-globals): false positives for compound logical expression guards

v3.12.2

Compare Source

Patch Changes

• #​1299 5c7cba3 Thanks @​marekdedic! - feat: disabling more rules in runes mode

• #​1299 5c7cba3 Thanks @​marekdedic! - feat: restricting SvelteKit rules to SvelteKit

• #​1306 7cb3660 Thanks @​ota-meshi! - fix(no-unused-props): false positives for ComponentProps<any>

v3.12.1

Compare Source

Patch Changes

• #​1313 27573f4 Thanks @​marekdedic! - fix: Not reporting mailto: and other unusual schema addresses in no-nmavigation-without-resolve (and its deprecated versions)

v3.12.0

Compare Source

Minor Changes

• #​1308 abbcfdd Thanks @​marekdedic! - feat(no-navigation-without-resolve): added to recommended rule set

• #​1289 e2e791f Thanks @​marekdedic! - feat: added the no-navigation-without-resolve rule

• #​1289 e2e791f Thanks @​marekdedic! - chore: deprecated the no-navigation-without-base rule

sindresorhus/globals (globals)

v16.4.0

Compare Source

nodejs/node (node)

v24.8.0: 2025-09-10, Version 24.8.0 (Current), @​targos

Compare Source

Notable Changes

HTTP/2 Network Inspection Support in Node.js

Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.

Usage

Write a test.js script that makes HTTP/2 requests.

const http2 = require('node:http2');

const client = http2.connect('https://nghttp2.org');

const req = client.request([
  ':path', '/',
  ':method', 'GET',
]);

Run it with these options:

node --inspect-wait --experimental-network-inspection test.js

Open about:inspect on Google Chrome and click on Open dedicated DevTools for Node.
The Network tab will let you track your HTTP/2 calls.

Contributed by Darshan Sen in #​59611.

Other Notable Changes

• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #​59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #​59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #​59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #​59537
• [d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #​59428

Commits

• [d913872369] - assert: cap input size in myersDiff to avoid Int32Array overflow (Haram Jeong) #​59578
• [7bbbcf6666] - benchmark: sqlite prevent create both tables on prepare selects (Bruno Rodrigues) #​59709
• [44d7b92271] - benchmark: calibrate config array-vs-concat (Rafael Gonzaga) #​59587
• [7f347fc551] - build: fix getting OpenSSL version on Windows (Michaël Zasso) #​59609
• [4a317150d5] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #​59547
• [bda32af587] - build: use windows-2025 runner (Michaël Zasso) #​59673
• [a4a8ed8f6e] - build: compile bundled uvwasi conditionally (Carlo Cabrera) #​59622
• [d944a87761] - crypto: refactor subtle methods to use synchronous import (Filip Skokan) #​59771
• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #​59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #​59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #​59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #​59537
• [0d1e53d935] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #​59791
• [68732cf426] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #​59689
• [f12c1ad961] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #​59335
• [45af6966ae] - deps: upgrade npm to 11.6.0 (npm team) #​59750
• [57617244a4] - deps: V8: cherry-pick 6b1b9bc (Xiao-Tao) #​59283
• [2e6225a747] - deps: update amaro to 1.1.2 (Node.js GitHub Bot) #​59616
• [1f7f6dfae6] - diagnostics_channel: revoke DEP0163 (René) #​59758
• [8671a6cdb3] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #​59707
• [583b1b255d] - doc: update OpenSSL default security level to 2 (Jeetu Suthar) #​59723
• [9b5eb6eb50] - doc: fix missing links in the errors page (Nam Yooseong) #​59427
• [e7bf712c57] - doc: update "Type stripping in dependencies" section (Josh Kelley) #​59652
• [96db47f91e] - doc: add Miles Guicent as triager (Miles Guicent) #​59562
• [87f829bd0c] - doc: mark path.matchesGlob as stable (Aviv Keller) #​59572
• [062b2f705e] - doc: improve documentation for raw headers in HTTP/2 APIs (Tim Perry) #​59633
• [6ab9306370] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #​59579
• [c8d6b60da6] - doc: fix quic session instance typo (jakecastelli) #​59642
• [61d0a2d1ba] - doc: fix filehandle.read typo (Ruy Adorno) #​59635
• [3276bfa0d0] - doc: update migration recomendations for util.is**() deprecations (Augustin Mauroy) #​59269
• [11de6c7ebb] - doc: fix missing link to the Error documentation in the http page (Alexander Makarenko) #​59080
• [f5b6829bba] - doc,crypto: add description to the KEM and supports() methods (Filip Skokan) #​59644
• [5bfdc7ee74] - doc,crypto: cleanup unlinked and self method references webcrypto.md (Filip Skokan) #​59608
• [010458d061] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #​59679
• [dbe6e63baf] - esm: fix missed renaming in ModuleJob.runSync (Joyee Cheung) #​59724
• [8eb0d9d834] - fs: fix wrong order of file names in cpSync error message (Nicholas Paun) #​59775
• [e69be5611f] - fs: fix dereference: false on cpSync (Nicholas Paun) #​59681
• [2865d2ac20] - http: unbreak keepAliveTimeoutBuffer (Robert Nagy) #​59784
• [ade1175475] - http: use cached '1.1' http version string (Robert Nagy) #​59717
• [74a09482de] - inspector: undici as shared-library should pass tests (Aras Abbasi) #​59837
• [772f8f415a] - inspector: add http2 tracking support (Darshan Sen) #​59611
• [3d225572d7] - Revert "lib: optimize writable stream buffer clearing" (Yoo) #​59743
• [4fd213ce73] - lib: fix isReadable and isWritable return type value (Gabriel Quaresma) #​59089
• [39befddb87] - lib: prefer TypedArrayPrototype primordials (Filip Skokan) #​59766
• [0748160d2e] - lib: fix DOMException subclass support (Chengzhong Wu) #​59680
• [1a93df808c] - lib: revert to using default derived class constructors (René) #​59650
• [bb0755df37] - meta: bump codecov/codecov-action (dependabot[bot]) #​59726
• [45d148d9be] - meta: bump actions/download-artifact from 4.3.0 to 5.0.0 (dependabot[bot]) #​59729
• [01b66b122e] - meta: bump github/codeql-action from 3.29.2 to 3.30.0 (dependabot[bot]) #​59728
• [34f7ab5502] - meta: bump actions/cache from 4.2.3 to 4.2.4 (dependabot[bot]) #​59727
• [5806ea02af] - meta: bump actions/checkout from 4.2.2 to 5.0.0 (dependabot[bot]) #​59725
• [f667215583] - path: refactor path joining logic for clarity and performance (Lee Jiho) #​59781
• [0340fe92a6] - repl: do not cause side effects in tab completion (Anna Henningsen) #​59774
• [a414c1eb51] - repl: fix REPL completion under unary expressions (Kingsword) #​59744
• [c206f8dd87] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #​59607
• [0bf9775ee2] - sea: implement sea.getAssetKeys() (Joyee Cheung) #​59661
• [bf26b478d8] - sea: allow using inspector command line flags with SEA (Joyee Cheung) #​59568
• [92128a8fe2] - src: use DictionaryTemplate for node_url_pattern (James M Snell) #​59802
• [bcb29fb84f] - src: correctly report memory changes to V8 (Yaksh Bariya) #​59623
• [44c24657d3] - **src

---

Configuration

📅 Schedule: Branch creation - "before 7am on friday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

npm i https://pkg.pr.new/@sheepdog/core@344

npm i https://pkg.pr.new/@sheepdog/svelte@344

npm i https://pkg.pr.new/@sheepdog/vanilla@344

commit: 1cfe749

[netlify]

✅ Deploy Preview for sheepdog ready!

Name	Link
🔨 Latest commit	1cfe749
🔍 Latest deploy log	https://app.netlify.com/projects/sheepdog/deploys/68c3cc8fe1f5660008411795
😎 Deploy Preview	https://deploy-preview-344--sheepdog.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.