chore(deps-dev): bump the security-updates group across 1 directory with 10 updates

[dependabot]

Bumps the security-updates group with 10 updates in the / directory:

Package	From	To
@sveltejs/kit	2.20.8	2.21.1
cypress	14.3.3	14.4.0
eslint	9.26.0	9.27.0
eslint-plugin-svelte	3.5.1	3.9.0
start-server-and-test	2.0.11	2.0.12
svelte	5.28.2	5.33.1
svelte-check	4.1.7	4.2.1
typescript-eslint	8.32.0	8.32.1
vite-plugin-dts	4.5.3	4.5.4
vitest	3.1.3	3.1.4

Updates @sveltejs/kit from 2.20.8 to 2.21.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.21.1

Patch Changes

• chore: clarify which functions handleFetch affects (#13788)

• fix: ensure $env and $app/environment are correctly set while analysing server nodes (#13790)

@​sveltejs/kit@​2.21.0

Minor Changes

• feat: allow running client-side code at the top-level of universal pages/layouts when SSR is disabled and page options are only boolean or string literals (#13684)

Patch Changes

• chore: remove import-meta-resolve dependency (#13629)

• fix: remove component code from server nodes that are never used for SSR (#13684)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.21.1

Patch Changes

• chore: clarify which functions handleFetch affects (#13788)

• fix: ensure $env and $app/environment are correctly set while analysing server nodes (#13790)

2.21.0

Minor Changes

• feat: allow running client-side code at the top-level of universal pages/layouts when SSR is disabled and page options are only boolean or string literals (#13684)

Patch Changes

• chore: remove import-meta-resolve dependency (#13629)

• fix: remove component code from server nodes that are never used for SSR (#13684)

Commits

• 44a7aae Version Packages (#13800)
• 5ab5762 docs: clarify what handleFetch affects (#13788)
• df163d2 fix: set $env and $app/environment variables before analysing server node...
• b666e15 chore: minor dependency updates
• 39f7b73 docs: expand docs for fail method (#13789)
• d0f2d7b Version Packages (#13783)
• 09f61ec feat: statically analyse universal pages and layouts v3 (#13684)
• bd1c046 chore: remove import-meta-resolve (#13629)
• 08660a7 chore(deps): update all non-major dependencies (#13611)
• 149779a chore(deps-dev): bump vite from 6.2.6 to 6.2.7 (#13770)
• Additional commits viewable in compare view

Updates cypress from 14.3.3 to 14.4.0

Release notes

Sourced from cypress's releases.

v14.4.0

Changelog: https://docs.cypress.io/app/references/changelog#14-4-0

Commits

• 09868d7 chore: updating v8 snapshot cache (#31742)
• fa409fd chore: updating v8 snapshot cache (#31741)
• 3276441 chore: updating v8 snapshot cache (#31740)
• 92aa273 chore: release 14.4.0 (#31745)
• 93f708c test: update cloud studio test to account for full snapshot update (#31744)
• b7cac8f dependency: update dependency @​sinonjs/fake-timers to v10 (#31737)
• ecd944a chore: Update v8 snapshot cache - linux (#31734)
• 0353859 chore: Update v8 snapshot cache - darwin (#31735)
• 7ea2d57 chore: Update v8 snapshot cache - windows (#31736)
• 9d4b3db dependency: update dependency @​sinonjs/fake-timers to v9 (#31725)
• Additional commits viewable in compare view

Updates eslint from 9.26.0 to 9.27.0

Release notes

Sourced from eslint's releases.

v9.27.0

Features

• d71e37f feat: Allow flags to be set in ESLINT_FLAGS env variable (#19717) (Nicholas C. Zakas)
• ba456e0 feat: Externalize MCP server (#19699) (Nicholas C. Zakas)
• 07c1a7e feat: add allowRegexCharacters to no-useless-escape (#19705) (sethamus)
• 7bc6c71 feat: add no-unassigned-vars rule (#19618) (Jacob Bandes-Storch)
• ee40364 feat: convert no-array-constructor suggestions to autofixes (#19621) (sethamus)
• 32957cd feat: support TS syntax in max-params (#19557) (Nitin Kumar)

Bug Fixes

• 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir)
• dc5ed33 fix: correct types and tighten type definitions in SourceCode class (#19731) (루밀LuMir)
• de1b5de fix: correct service property name in Linter.ESLintParseResult type (#19713) (Francesco Trotta)
• 60c3e2c fix: sort keys in eslint-suppressions.json to avoid git churn (#19711) (Ron Waldon-Howe)
• 9da90ca fix: add allowReserved to Linter.ParserOptions type (#19710) (Francesco Trotta)
• fbb8be9 fix: add info to ESLint.DeprecatedRuleUse type (#19701) (Francesco Trotta)

Documentation

• 25de550 docs: Update description of frozen rules to mention TypeScript (#19736) (Nicholas C. Zakas)
• bd5def6 docs: Clean up configuration files docs (#19735) (Nicholas C. Zakas)
• 4d0c60d docs: Add Neovim to editor integrations (#19729) (Maria José Solano)
• 71317eb docs: Update README (GitHub Actions Bot)
• 4c289e6 docs: Update README (GitHub Actions Bot)
• f0f0d46 docs: clarify that unused suppressions cause non-zero exit code (#19698) (Milos Djermanovic)
• 8ed3273 docs: fix internal usages of ConfigData type (#19688) (Francesco Trotta)
• eb316a8 docs: add fmt and check sections to Package.json Conventions (#19686) (루밀LuMir)
• a3a2559 docs: fix wording in Combine Configs (#19685) (Milos Djermanovic)
• c8d17e1 docs: Update README (GitHub Actions Bot)

Chores

• f8f1560 chore: upgrade @​eslint/js@​9.27.0 (#19739) (Milos Djermanovic)
• ecaef73 chore: package.json update for @​eslint/js release (Jenkins)
• 596fdc6 chore: update dependency @​arethetypeswrong/cli to ^0.18.0 (#19732) (renovate[bot])
• f791da0 chore: remove unbalanced curly brace from .editorconfig (#19730) (Maria José Solano)
• e86edee refactor: Consolidate Config helpers (#19675) (Nicholas C. Zakas)
• cf36352 chore: remove shared types (#19718) (Francesco Trotta)
• f60f276 refactor: Easier RuleContext creation (#19709) (Nicholas C. Zakas)
• 58a171e chore: update dependency @​eslint/plugin-kit to ^0.3.1 (#19712) (renovate[bot])
• 3a075a2 chore: update dependency @​eslint/core to ^0.14.0 (#19715) (renovate[bot])
• 44bac9d ci: run tests in Node.js 24 (#19702) (Francesco Trotta)
• 35304dd chore: add missing funding field to packages (#19684) (루밀LuMir)
• f305beb test: mock process.emitWarning to prevent output disruption (#19687) (Francesco Trotta)

Changelog

Sourced from eslint's changelog.

v9.27.0 - May 16, 2025

• f8f1560 chore: upgrade @​eslint/js@​9.27.0 (#19739) (Milos Djermanovic)
• ecaef73 chore: package.json update for @​eslint/js release (Jenkins)
• 25de550 docs: Update description of frozen rules to mention TypeScript (#19736) (Nicholas C. Zakas)
• bd5def6 docs: Clean up configuration files docs (#19735) (Nicholas C. Zakas)
• d71e37f feat: Allow flags to be set in ESLINT_FLAGS env variable (#19717) (Nicholas C. Zakas)
• 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir)
• 596fdc6 chore: update dependency @​arethetypeswrong/cli to ^0.18.0 (#19732) (renovate[bot])
• ba456e0 feat: Externalize MCP server (#19699) (Nicholas C. Zakas)
• dc5ed33 fix: correct types and tighten type definitions in SourceCode class (#19731) (루밀LuMir)
• 4d0c60d docs: Add Neovim to editor integrations (#19729) (Maria José Solano)
• f791da0 chore: remove unbalanced curly brace from .editorconfig (#19730) (Maria José Solano)
• e86edee refactor: Consolidate Config helpers (#19675) (Nicholas C. Zakas)
• 07c1a7e feat: add allowRegexCharacters to no-useless-escape (#19705) (sethamus)
• cf36352 chore: remove shared types (#19718) (Francesco Trotta)
• f60f276 refactor: Easier RuleContext creation (#19709) (Nicholas C. Zakas)
• 71317eb docs: Update README (GitHub Actions Bot)
• de1b5de fix: correct service property name in Linter.ESLintParseResult type (#19713) (Francesco Trotta)
• 58a171e chore: update dependency @​eslint/plugin-kit to ^0.3.1 (#19712) (renovate[bot])
• 3a075a2 chore: update dependency @​eslint/core to ^0.14.0 (#19715) (renovate[bot])
• 60c3e2c fix: sort keys in eslint-suppressions.json to avoid git churn (#19711) (Ron Waldon-Howe)
• 4c289e6 docs: Update README (GitHub Actions Bot)
• 9da90ca fix: add allowReserved to Linter.ParserOptions type (#19710) (Francesco Trotta)
• 7bc6c71 feat: add no-unassigned-vars rule (#19618) (Jacob Bandes-Storch)
• ee40364 feat: convert no-array-constructor suggestions to autofixes (#19621) (sethamus)
• fbb8be9 fix: add info to ESLint.DeprecatedRuleUse type (#19701) (Francesco Trotta)
• f0f0d46 docs: clarify that unused suppressions cause non-zero exit code (#19698) (Milos Djermanovic)
• 44bac9d ci: run tests in Node.js 24 (#19702) (Francesco Trotta)
• 32957cd feat: support TS syntax in max-params (#19557) (Nitin Kumar)
• 35304dd chore: add missing funding field to packages (#19684) (루밀LuMir)
• 8ed3273 docs: fix internal usages of ConfigData type (#19688) (Francesco Trotta)
• f305beb test: mock process.emitWarning to prevent output disruption (#19687) (Francesco Trotta)
• eb316a8 docs: add fmt and check sections to Package.json Conventions (#19686) (루밀LuMir)
• a3a2559 docs: fix wording in Combine Configs (#19685) (Milos Djermanovic)
• c8d17e1 docs: Update README (GitHub Actions Bot)

Commits

• b9080cf 9.27.0
• b7a5c66 Build: changelog update for 9.27.0
• f8f1560 chore: upgrade @​eslint/js@​9.27.0 (#19739)
• ecaef73 chore: package.json update for @​eslint/js release
• 25de550 docs: Update description of frozen rules to mention TypeScript (#19736)
• bd5def6 docs: Clean up configuration files docs (#19735)
• d71e37f feat: Allow flags to be set in ESLINT_FLAGS env variable (#19717)
• 5687ce7 fix: correct mismatched removed rules (#19734)
• 596fdc6 chore: update dependency @​arethetypeswrong/cli to ^0.18.0 (#19732)
• ba456e0 feat: Externalize MCP server (#19699)
• Additional commits viewable in compare view

Updates eslint-plugin-svelte from 3.5.1 to 3.9.0

Release notes

Sourced from eslint-plugin-svelte's releases.

[email protected]

Minor Changes

• #1235 6e86e30 Thanks @​43081j! - Improve performance of ignore comment extraction and add support for comma-separated ignore codes

[email protected]

Patch Changes

• #1231 0681f90 Thanks @​marekdedic! - fix(consistent-selector-style): Fixed detections of repeated elements such as in {#each}

[email protected]

Patch Changes

• #1227 c938185 Thanks @​ota-meshi! - fix(no-top-level-browser-globals): false positives for type annotations

[email protected]

Minor Changes

• #1210 9cffd3b Thanks @​ota-meshi! - feat: add svelte/no-top-level-browser-globals rule

[email protected]

Minor Changes

• #1221 534ad78 Thanks @​baseballyama! - feat(sort-attributes): support {@attach}

[email protected]

Minor Changes

• #1170 3ddbd83 Thanks @​baseballyama! - feat: add prefer-writable-derived rule

• #1069 73f23ae Thanks @​marekdedic! - feat: added the require-event-prefix rule

• #1197 e9aec7f Thanks @​43081j! - Added no-add-event-listener rule to disallow usages of addEventListener

• #1148 87c74fe Thanks @​marekdedic! - feat(consistent-selector-style): added support for dynamic classes and IDs

Patch Changes

• #1208 78d0f78 Thanks @​ota-meshi! - fix(no-unused-svelte-ignore): ignore reactive-component warnings

Commits

• a0f5c17 chore: release eslint-plugin-svelte (#1236)
• 6e86e30 feat: support comma-separated ignore comments (#1235)
• 15742cb chore: release eslint-plugin-svelte (#1232)
• 0681f90 fix(consistent-selector-style): Fixed detections of repeated elements such as...
• 04ca0d1 chore: release eslint-plugin-svelte (#1228)
• c938185 fix(no-top-level-browser-globals): false positives for type annotations (#1227)
• 21cf410 chore: release eslint-plugin-svelte (#1224)
• 30ac92a chore(deps): update dependency eslint to ~9.27.0 (#1225)
• 9cffd3b feat: add svelte/no-top-level-browser-globals rule (#1210)
• 2fa75f1 chore: release eslint-plugin-svelte (#1222)
• Additional commits viewable in compare view

Updates start-server-and-test from 2.0.11 to 2.0.12

Release notes

Sourced from start-server-and-test's releases.

v2.0.12

2.0.12 (2025-05-15)

Bug Fixes

• deps: update dependency debug to v4.4.1 (#403) (b3b82c0)

Commits

• b3b82c0 fix(deps): update dependency debug to v4.4.1 (#403)
• See full diff in compare view

Updates svelte from 5.28.2 to 5.33.1

Release notes

Sourced from svelte's releases.

[email protected]

Patch Changes

• fix: make deriveds on the server lazy again (#15964)

[email protected]

Minor Changes

• feat: XHTML compliance (#15538)

• feat: add fragments: 'html' | 'tree' option for wider CSP compliance (#15538)

[email protected]

Patch Changes

• chore: simplify <pre> cleaning (#15980)

• fix: attach __svelte_meta correctly to elements following a CSS wrapper (#15982)

• fix: import untrack directly from client in svelte/attachments (#15974)

[email protected]

Patch Changes

• Warn when an invalid <select multiple> value is given (#14816)

[email protected]

Minor Changes

• feat: warn on implicitly closed tags (#15932)

• feat: attachments fromAction utility (#15933)

Patch Changes

• fix: only re-run directly applied attachment if it changed (#15962)

[email protected]

Patch Changes

• fix: avoid auto-parenthesis for special-keywords-only MediaQuery (#15937)

[email protected]

Minor Changes

• feat: allow state fields to be declared inside class constructors (#15820)

Patch Changes

• fix: Add missing AttachTag in Tag union type inside the AST namespace from "svelte/compiler" (#15946)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.33.1

Patch Changes

• fix: make deriveds on the server lazy again (#15964)

5.33.0

Minor Changes

• feat: XHTML compliance (#15538)

• feat: add fragments: 'html' | 'tree' option for wider CSP compliance (#15538)

5.32.2

Patch Changes

• chore: simplify <pre> cleaning (#15980)

• fix: attach __svelte_meta correctly to elements following a CSS wrapper (#15982)

• fix: import untrack directly from client in svelte/attachments (#15974)

5.32.1

Patch Changes

• Warn when an invalid <select multiple> value is given (#14816)

5.32.0

Minor Changes

• feat: warn on implicitly closed tags (#15932)

• feat: attachments fromAction utility (#15933)

Patch Changes

• fix: only re-run directly applied attachment if it changed (#15962)

5.31.1

Patch Changes

• fix: avoid auto-parenthesis for special-keywords-only MediaQuery (#15937)

5.31.0

... (truncated)

Commits

• db7b25b Version Packages (#15989)
• ac046df fix: make deriveds on the server lazy again (#15964)
• 9250c9c Version Packages (#15987)
• d1141a1 feat: functional template generation (#15538)
• 5a84098 Version Packages (#15978)
• 50de8c5 fix: attach __svelte_meta correctly to elements following a CSS wrapper (#15982)
• c03ea47 chore: simplify \<pre> cleaning (#15980)
• 4e72b7d fix: import untrack directly from client in svelte/attachments (#15974)
• ef48d35 Version Packages (#15967)
• de80949 fix(14815): warn when an invalid <select multiple> value is given (#14816)
• Additional commits viewable in compare view

Updates svelte-check from 4.1.7 to 4.2.1

Release notes

Sourced from svelte-check's releases.

svelte-check-4.2.1

• feat: support generics on snippets (#2761)

svelte-check-4.2.0

• feat: support attachments (#2760)
• fix: deduplicate definition for rune-mode components (#2759)

Commits

• d12a9ae feat: support generics on snippets (#2761)
• 7a13025 fix: deduplicate definition for rune-mode components (#2759)
• 3d6e12f fix: more robust solution project check for ts < 5.7 in ts plugin (#2758)
• bc9a3fd feat: support attachments (#2760)
• See full diff in compare view

Updates typescript-eslint from 8.32.0 to 8.32.1

Release notes

Sourced from typescript-eslint's releases.

v8.32.1

8.32.1 (2025-05-12)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-conversion] shouldn't have fixable property (#11194)
• eslint-plugin: [no-deprecated] support computed member access (#10867)
• eslint-plugin: [consistent-indexed-object-style] adjust auto-fixer to generate valid syntax for TSMappedType with no type annotation (#11180)
• eslint-plugin: [consistent-indexed-object-style] check for indirect circular types in aliased mapped types (#11177)

❤️ Thank You

• Azat S. @​azat-io
• Dima Barabash @​dbarabashh
• Ronen Amiel

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.32.1 (2025-05-12)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

• af077a0 chore(release): publish 8.32.1
• b2be3dc chore: simplify tsconfig setup using configDir (#11136)
• aeb7402 chore(ast-spec): finish migrating to vitest (#11126)
• e57126a chore(typescript-eslint): correct naming of import of typescript-eslint in te...
• See full diff in compare view

Updates vite-plugin-dts from 4.5.3 to 4.5.4

Changelog

Sourced from vite-plugin-dts's changelog.

4.5.4 (2025-05-15)

Bug Fixes

• correct specify root for rollup types (062e6d3), closes #425
• should collect diagnostics when transform (#423) (3d0cc1b)
• use entry name instead of entry path to generate indexName (#424) (e8049d9)

Commits

• 8bea4df release: v4.5.4
• 3d0cc1b fix: should collect diagnostics when transform (#423)
• 062e6d3 fix: correct specify root for rollup types
• e8049d9 fix: use entry name instead of entry path to generate indexName (#424)
• See full diff in compare view

Updates vitest from 3.1.3 to 3.1.4

Release notes

Sourced from vitest's releases.

v3.1.4

   🐞 Bug Fixes

• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in vitest-dev/vitest#8002 (64f2b)

    View changes on GitHub

Commits

• ac88181 chore: release v3.1.4
• 64f2b43 fix: apply browser CLI options only if the project has the browser set in the...
• See full diff in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
cypress	[>= 10.a, < 11]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependabot. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.