chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
svelte	5.19.7	5.55.5
glob	11.0.0	11.1.0
glob	10.4.5	10.5.0
postcss	8.4.47	8.5.14
@eslint/plugin-kit	0.2.8	0.4.1
brace-expansion	1.1.11	1.1.14
flatted	3.3.1	3.4.2
rollup	2.79.2	2.80.0
svgo	2.8.0	2.8.2
yaml	1.10.2	1.10.3
yaml	2.5.0	2.9.0

Updates svelte from 5.19.7 to 5.55.5

Release notes

Sourced from svelte's releases.

svelte@5.55.5

Patch Changes

• fix: don't mark deriveds while an effect is updating (#18124)

• fix: do not dispatch introstart event with animation of animate directive (#18122)

svelte@5.55.4

Patch Changes

• fix: never mark a child effect root as inert (#18111)

• fix: reset context after waiting on blockers of @const expressions (#18100)

• fix: keep flushing new eager effects (#18102)

svelte@5.55.3

Patch Changes

• fix: ensure proper HMR updates for dynamic components (#18079)

• fix: correctly calculate @const blockers (#18039)

• fix: freeze deriveds once their containing effects are destroyed (#17921)

• fix: defer error boundary rendering in forks (#18076)

• fix: avoid false positives for reactivity loss warning (#18088)

svelte@5.55.2

Patch Changes

• fix: invalidate @const tags based on visible references in legacy mode (#18041)

• fix: handle parens in template expressions more robustly (#18075)

• fix: disallow -- in idPrefix (#18038)

• fix: correct types for ontoggle on <details> elements (#18063)

• fix: don't override $destroy/set/on instance methods in dev mode (#18034)

• fix: unskip branches of earlier batches after commit (#18048)

• fix: never set derived.v inside fork (#18037)

• fix: skip rebase logic in non-async mode (#18040)

• fix: don't reset status of uninitialized deriveds (#18054)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.5

Patch Changes

• fix: don't mark deriveds while an effect is updating (#18124)

• fix: do not dispatch introstart event with animation of animate directive (#18122)

5.55.4

Patch Changes

• fix: never mark a child effect root as inert (#18111)

• fix: reset context after waiting on blockers of @const expressions (#18100)

• fix: keep flushing new eager effects (#18102)

5.55.3

Patch Changes

• fix: ensure proper HMR updates for dynamic components (#18079)

• fix: correctly calculate @const blockers (#18039)

• fix: freeze deriveds once their containing effects are destroyed (#17921)

• fix: defer error boundary rendering in forks (#18076)

• fix: avoid false positives for reactivity loss warning (#18088)

5.55.2

Patch Changes

• fix: invalidate @const tags based on visible references in legacy mode (#18041)

• fix: handle parens in template expressions more robustly (#18075)

• fix: disallow -- in idPrefix (#18038)

• fix: correct types for ontoggle on <details> elements (#18063)

• fix: don't override $destroy/set/on instance methods in dev mode (#18034)

• fix: unskip branches of earlier batches after commit (#18048)

• fix: never set derived.v inside fork (#18037)

... (truncated)

Commits

• b771df3 Version Packages (#18125)
• 8e73190 fix: don't mark deriveds while an effect is updating (#18124)
• 51736e5 fix: do not dispatch transition event with animation (#18122)
• 7fddfbd Version Packages (#18105)
• 671fc2e fix: never mark a child effect root as inert (#18111)
• 0ed8c28 fix: reset context after waiting on blockers of @const expressions (#18100)
• 273f1a8 fix: keep flushing new eager effects (#18102)
• 4a50e8e Version Packages (#18085)
• 15588f5 fix: avoid false positives for reactivity loss warning (#18088)
• 0e9e76f fix: freeze deriveds once their containing effects are destroyed (#17921)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for svelte since your current version.

Updates glob from 11.0.0 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• 13e68ea Fix punctuation in traversal function documentation
• 1527e2b fix repo url
• 7e190e8 fix typo maths → paths
• Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• 13e68ea Fix punctuation in traversal function documentation
• 1527e2b fix repo url
• 7e190e8 fix typo maths → paths
• Additional commits viewable in compare view

Updates postcss from 8.4.47 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

... (truncated)

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• Additional commits viewable in compare view

Updates @eslint/plugin-kit from 0.2.8 to 0.4.1

Release notes

Sourced from @​eslint/plugin-kit's releases.

config-helpers: v0.4.1

0.4.1 (2025-10-17)

Bug Fixes

• add validation for plugins in isLegacyConfig (#292) (74f9427)
• improve type support for isolated dependencies in pnpm (#289) (f8df139)
• use flat config when eslintrc config does not exist (#288) (ddc8577)

plugin-kit: v0.4.1

0.4.1 (2025-10-27)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.16.0 to ^0.17.0

config-helpers: v0.4.0

0.4.0 (2025-09-16)

Features

• Add config types in @​eslint/core (#237) (7b6dd37)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.15.2 to ^0.16.0

plugin-kit: v0.4.0

0.4.0 (2025-09-16)

Features

• add support for getLocFromIndex and getIndexFromLoc (#212) (a3588d8)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.15.2 to ^0.16.0

... (truncated)

Changelog

Sourced from @​eslint/plugin-kit's changelog.

0.4.1 (2025-10-27)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.16.0 to ^0.17.0

0.4.0 (2025-09-16)

Features

• add support for getLocFromIndex and getIndexFromLoc (#212) (a3588d8)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.15.2 to ^0.16.0

0.3.5 (2025-08-05)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.15.1 to ^0.15.2

0.3.4 (2025-07-21)

Bug Fixes

• potential quadratic runtime in regular expression (#240) (b283f64)

0.3.3 (2025-06-25)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^0.15.0 to ^0.15.1

0.3.2 (2025-06-09)

... (truncated)

Commits

• f5ecc7e chore: release main (#303)
• 760fb02 docs: Update README sponsors
• 6030cad docs: Update README sponsors
• f1f341d docs: Update README sponsors
• b8e4f36 test: use strictEqual in plugin-kit where possible (#278)
• 7f592e3 chore: release main (#257)
• bf1e92e test: add exactOptionalPropertyTypes option to type test (#270)
• ab10682 docs: Update README sponsors
• 7255100 chore: standardize test filenames to *.test.js (#267)
• 100a4c7 docs: Update README sponsors
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​eslint/plugin-kit since your current version.

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates flatted from 3.3.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates rollup from 2.79.2 to 2.80.0

Changelog

Sourced from rollup's changelog.

2.80.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6277)

Pull Requests

• #6277: Validate bundle stays within output dir (@​lukastaegert)

Commits

• d17ae15 2.80.0
• d6dee5e Validate bundle stays within output dir (#6277)
• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v2.8.0	v2.8.2	Delta
svgo.browser.js	587.2 kB	589.2 kB	⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.1

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v2.8.0	v2.8.1	Delta

... (truncated)

Commits

• f706b07 deps: upgrade to sax v1.5.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by sethiii, a new releaser for svgo since your current version.

Updates yaml from 1.10.2 to 1.10.3

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• See full diff in compare view

Updates yaml from 2.5.0 to 2.9.0

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.