chore(deps-dev): bump the development-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the development-dependencies group with 10 updates in the / directory:

Package	From	To
typescript	5.9.3	6.0.3
vite	7.3.2	8.0.10
parcel	2.16.3	2.16.4
@rollup/plugin-terser	0.4.4	1.0.0
rollup	4.55.1	4.60.2
serve	14.2.5	14.2.6
@rsbuild/core	1.7.2	2.0.2
@sveltejs/kit	2.49.4	2.58.0
@sveltejs/vite-plugin-svelte	6.2.4	7.0.0
svelte-check	4.3.5	4.4.6

Updates typescript from 5.9.3 to 6.0.3

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Updates vite from 7.3.2 to 8.0.10

Changelog

Sourced from vite's changelog.

8.0.10 (2026-04-23)

Features

• update rolldown to 1.0.0-rc.17 (#22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#22278) (9437518)
• typecheck client directory (#22284) (40a0847)

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

8.0.8 (2026-04-09)

Features

• update rolldown to 1.0.0-rc.15 (#22201) (6baf587)

... (truncated)

Commits

• 32c2978 release: v8.0.10
• a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
• a4d828f fix: hmrClient.logger.debug and hmrClient.logger.error looked different f...
• 83f0a78 fix(css): show filename in CSS minification warnings for .css?inline (#22292)
• b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
• 40a0847 refactor: typecheck client directory (#22284)
• 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
• 9437518 refactor: enable some typecheck rules (#22278)
• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• Additional commits viewable in compare view

Updates parcel from 2.16.3 to 2.16.4

Changelog

Sourced from parcel's changelog.

[2.16.4] – 2026-02-01

Fixed

• Dev server
  • Add --no-cors option to disable CORS headers – Details

Commits

• See full diff in compare view

Updates @rollup/plugin-terser from 0.4.4 to 1.0.0

Changelog

Sourced from @​rollup/plugin-terser's changelog.

v1.0.0

2026-03-05

Breaking Changes

• terser!: upgrade serialize-javascript to v7 and node to v20 (#1968)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​rollup/plugin-terser since your current version.

Updates rollup from 4.55.1 to 4.60.2

Changelog

Sourced from rollup's changelog.

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

4.60.1

2026-03-30

Bug Fixes

• Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

• #6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@​littlegrayss, @​TrickyPi)
• #6317: chore(deps): pin dependencies (@​renovate[bot], @​lukastaegert)
• #6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@​renovate[bot], @​lukastaegert)
• #6319: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6320: chore(deps): pin dependency typescript to v5 (@​renovate[bot], @​lukastaegert)
• #6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@​renovate[bot], @​lukastaegert)
• #6322: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6323: chore(deps): lock file maintenance (@​renovate[bot])
• #6324: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)

4.60.0

... (truncated)

Commits

• a6be82b 4.60.2
• 5e6fb9f fix: reset variable render names between outputs in the same generate (#6350)
• 7542834 chore: remove cross-env from devDeps (#6358)
• 1fa79d0 chore(deps): update cross-platform-actions/action action to v1 (#6352)
• 819332e chore(deps): update dependency lru-cache to v11 (#6353)
• fd464a9 chore(deps): lock file maintenance (#6356)
• e6d2ff9 chore(deps): lock file maintenance (#6355)
• 32e8517 chore(deps): update minor/patch updates (#6351)
• 1d5bcb4 chore(deps): lock file maintenance (#6354)
• f58d278 fix(deps): update swc monorepo (major) (#6348)
• Additional commits viewable in compare view

Updates serve from 14.2.5 to 14.2.6

Changelog

Sourced from serve's changelog.

14.2.6

Patch Changes

• 7fcb924: Bump ajv to 8.18.0
• b3888f9: Update serve-handler to 6.1.7 to fix ReDoS vulnerabilities

Commits

• f3c702c Version Packages (#846)
• 7fcb924 Add changeset for #842
• a2fecb3 chore(deps): update ajv to v8.18.0 (#842)
• b3888f9 Bump serve-handler to 6.1.7 (#845)
• See full diff in compare view

Updates @rsbuild/core from 1.7.2 to 2.0.2

Commits

• 36b3ac3 release: v2.0.2 (#7552)
• a2c4566 fix: preserve console argument side effects (#7550)
• 92f7ffd refactor(core): simplify CSS url loader request (#7551)
• 90bce25 chore(deps): restrict rspack minor upgrades (#7546)
• 098c9dc chore(deps): update all patch dependencies (#7548)
• b590bdb fix(core): avoid CSS url asset name conflicts (#7542)
• da5a5cf fix(core): pass asset info to CSS url filenames (#7543)
• bc597b3 feat(core): support CSS url imports (#7541)
• 65506b5 chore(types): update swc decorator types (#7539)
• 4e9e6d2 release: v2.0.1 (#7536)
• Additional commits viewable in compare view

Updates @sveltejs/kit from 2.49.4 to 2.58.0

Changelog

Sourced from @​sveltejs/kit's changelog.

2.58.0

Minor Changes

• breaking: require limit in requested (as originally intended) (#15739)

• feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#15739)

• breaking: requested now yields { arg, query } entries instead of the validated argument (#15739)

Patch Changes

• fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#15699)

• fix: prevent deep_set crash on nullish nested values (#15600)

• fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#15723)

• fix: don't warn about removed SSI comments in transformPageChunk (#15695)

  Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

• Change enhance function return type from void to MaybePromise. (#15710)

• fix: throw an error when resolve is called with an external URL (#15733)

• fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#15718)

• fix: reset form result on redirect (#15724)

2.57.1

Patch Changes

• fix: better validation for redirect inputs (10d7b44)

• fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

... (truncated)

Commits

• a21582c Version Packages (#15716)
• f499a45 breaking: return bound query instance from requested (#15739)
• 8cc203a fix: don't warn about removed SSI comments in transformPageChunk (#15695)
• 6b41862 Testing fix for CVE-2026-40073 (#15701)
• ee8047b fix: throw on external links in resolve (#15733)
• f06726c Change enhance function return type to void | Promise<void> (#15710)
• b34cc27 fix: reset form result on redirect (#15724)
• 394470c fix: restore correct RemoteFormFields typing for nullable array fields (#15...
• b77f00d fix: allow query().current and other data properties to work in non-reactiv...
• 50cc685 fix: link stylesheets and fonts in the head even when SSR is disabled (#15718)
• Additional commits viewable in compare view

Updates @sveltejs/vite-plugin-svelte from 6.2.4 to 7.0.0

Changelog

Sourced from @​sveltejs/vite-plugin-svelte's changelog.

7.0.0

Major Changes

• breaking(deps): require vite 8 (#1266)

• breaking(options): remove deprecated options (#1274)

  • vitePlugin.hot in svelte.config.js use compilerOptions.hmr instead
  • vitePlugin.ignorePluginPreprocessors in svelte.config.js no longer needed
  • api.idFilter of vite-plugin-svelte:api use api.filter instead
  • plugin.api.sveltePreprocess of other vite plugins Update affected plugins to a newer version or remove them. See docs for more information.

• breaking(dev): no longer overrides compilerOptions.cssHash because Svelte now produces a stable css hash by itself (#1271)

• breaking(inspector): integrate vite-plugin-svelte-inspector into vite-plugin-svelte to avoid circular dependency (#1270)

• breaking(deps): require svelte 5.46.4 or later (#1271)

Patch Changes

• chore: upgrade vitefu to compatible peer dependency range (#1286)

• remove author field from package.json (#1281)

7.0.0-next.1

Patch Changes

• chore: upgrade vitefu to compatible peer dependency range (#1286)

• remove author field from package.json (#1281)

7.0.0-next.0

Major Changes

• breaking(deps): require vite 8 (#1266)

... (truncated)

Commits

• 67721b6 Version Packages (#1289)
• 04fbcee Version Packages (next) (#1287)
• 9344fc3 chore: remove dominikg from author field (#1281)
• 22a402e chore: upgrade vitefu to compatible peer dependency range (#1286)
• 170bacc Version Packages (next) (#1268)
• 583f700 remove deprecations (#1274)
• 1011098 refactor: bump svelte and remove custom cssHash handling (#1271)
• 7e39bc1 refactor: move inspector into vite-plugin-svelte, adapt code (#1270)
• c6db092 refactor: update vite peer dep and remove esbuild (#1266)
• See full diff in compare view

Updates svelte from 5.46.1 to 5.46.4

Changelog

Sourced from svelte's changelog.

5.46.4

Patch Changes

• fix: use devalue.uneval to serialize hydratable keys (ef81048e238844b729942441541d6dcfe6c8ccca)

5.46.3

Patch Changes

• fix: reconnect clean deriveds when they are read in a reactive context (#17362)

• fix: don't transform references of function declarations in legacy mode (#17431)

• fix: notify deriveds of changes to sources inside forks (#17437)

• fix: always reconnect deriveds in get, when appropriate (#17451)

• fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

• fix: correctly update writable deriveds inside forks (#17437)

• fix: remove $inspect calls after await expressions when compiling for production server code (#17407)

• fix: clear batch between runs (#17424)

• fix: adjust loc property of Program nodes created from <script> elements (#17428)

• fix: don't revert source to UNINITIALIZED state when time travelling (#17409)

5.46.2

Notice

Not published due to CI issue

Commits

• 0718a26 Version Packages (#17476)
• cfc7e0a chore: Upgrade devalue (#17475)
• ef81048 Merge commit from fork
• 6d90b96 chore: edit changelog (#17463)
• ed8dcd0 Version Packages (#17458)
• 51c7f71 Version Packages (#17410)
• 7dbb5b4 fix: derived reactivity and perf regressions (#17362)
• ae224be fix: always reconnect deriveds in get, when appropriate (#17451)
• 2c23390 chore: const -> var
• 286b40c fix: prevent derives without dependencies from ever re-running (#17445)
• Additional commits viewable in compare view

Updates svelte-check from 4.3.5 to 4.4.6

Commits

• 26571cf Version Packages (#2977)
• e874861 feat: support js/ts config section in VSCode (#2996)
• 9397bbf feat: add command to show compiled CSS in preview window (#2993)
• 5ff9a1a fix: prevent config loading message in svelte-check --incremental (#2974)
• e066cbc fix: resolve svelte files under NodeNext (#2990)
• 8f0fed5 use e18e recommendation (#2986)
• 8fc3d43 fix: typescript 6.0 compatibility (#2988)
• 628b5a8 fix: ts-ignore for Svelte 4/5 type differences
• d5b1f7b feat: pull diagnostics support (#2978)
• 77578ed chore(deps): replace vscode-tmgrammar-test with textmate-grammar-test (#2976)
• Additional commits viewable in compare view

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud