Bump the dev-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the dev-dependencies group with 3 updates in the / directory: @substrate-system/web-component, @substrate-system/tapout and vite.

Updates @substrate-system/web-component from 0.0.46 to 0.0.49

Changelog

Sourced from @​substrate-system/web-component's changelog.

v0.0.49

v0.0.48 - 2026-03-15

Merged

• Bump @​substrate-system/tapout from 0.0.35 to 0.0.37 [#33](https://github.com/substrate-system/web-component/issues/33)

Commits

• test: add failing tests for property-to-attribute reflection 5bc5c47
• FEATURE: Reflect class properties for preact c920a51
• feat: add declarative property-to-attribute reflection 3a0dad3

v0.0.47 - 2026-03-15

Commits

• test: add failing tests for property-to-attribute reflection a6bc570
• FEATURE: Reflect class properties for preact 7f0724c
• feat: add declarative property-to-attribute reflection 0c1e80e

Commits

• 39d7967 0.0.49
• bccf28b 0.0.48
• 8f4c649 0.0.47
• c920a51 FEATURE: Reflect class properties for preact
• 3a0dad3 feat: add declarative property-to-attribute reflection
• 5bc5c47 test: add failing tests for property-to-attribute reflection
• 74a7672 Merge pull request #33 from substrate-system/dependabot/npm_and_yarn/substrat...
• 3597d11 Bump @​substrate-system/tapout from 0.0.35 to 0.0.37
• a025661 better docs
• See full diff in compare view

Updates @substrate-system/tapout from 0.0.35 to 0.0.37

Changelog

Sourced from @​substrate-system/tapout's changelog.

v0.0.37

v0.0.36 - 2026-02-26

Commits

• fix timeout 7f62808
• fix timeout de9b443
• better docs 240b323

Commits

• 1463ed7 0.0.37
• 8af05ef 0.0.36
• de9b443 fix timeout
• 7f62808 fix timeout
• 240b323 better docs
• See full diff in compare view

Updates vite from 7.3.1 to 8.0.0

Release notes

Sourced from vite's releases.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

v8.0.0-beta.16

Please refer to CHANGELOG.md for details.

v8.0.0-beta.15

Please refer to CHANGELOG.md for details.

v8.0.0-beta.14

Please refer to CHANGELOG.md for details.

v8.0.0-beta.13

Please refer to CHANGELOG.md for details.

v8.0.0-beta.12

Please refer to CHANGELOG.md for details.

v8.0.0-beta.11

Please refer to CHANGELOG.md for details.

v8.0.0-beta.10

Please refer to CHANGELOG.md for details.

v8.0.0-beta.9

Please refer to CHANGELOG.md for details.

v8.0.0-beta.8

Please refer to CHANGELOG.md for details.

v8.0.0-beta.7

Please refer to CHANGELOG.md for details.

v8.0.0-beta.6

Please refer to CHANGELOG.md for details.

v8.0.0-beta.5

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.0 (2026-03-12)

Today, we're thrilled to announce the release of the next Vite major:

• Vite 8.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#21382)
• update default browser target (#21193)
• the epic rolldown-vite merge (#21189)

Features

• update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)
• css: support es2025 build target for lightningcss (#21769) (08906e7)
• forward browser console logs and errors to dev server terminal (#20916) (2540ed0)
• update rolldown to 1.0.0-rc.8 (#21790) (a0c950e)
• export Visitor and ESTree from rolldown/utils (#21664) (45de31e)
• update rolldown to 1.0.0-rc.6 (#21714) (37a65f8)
• use util.inspect for CLI error display (#21668) (5f425a9)
• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)
• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)
• integrate devtools (#21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#21554) (43358e9)
• manifest: add assets field for standalone CSS entry points (#21015) (f289b9b)
• update rolldown to 1.0.0-rc.2 (#21512) (fa136a9)
• bundled-dev: support worker in initial bundle (#21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#21381) (b0dd5a9)
• shortcuts case insensitive (#21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#21463) (ff9dd7f)
• warn if envPrefix contains spaces (#21292) (9fcde3c)
• update rolldown to 1.0.0-beta.60 (#21408) (c33aa7c)
• update rolldown to 1.0.0-beta.59 (#21374) (0037943)
• add ignoreOutdatedRequests option to optimizeDeps (#21364) (b2e75aa)
• add ios to default esbuild targets (#21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#21354) (ba40cef)
• update rolldown to 1.0.0-beta.57 (#21335) (d5412ef)
• css: support es2024 build target for lightningcss (#21294) (bd33b8e)
• update rolldown to 1.0.0-beta.56 (#21323) (9847a63)
• introduce v2 native plugins and enable it by default (#21268) (42f2ab3)
• ssr: avoid errors when rewriting already rewritten stacktrace (#21269) (98d9a33)
• update rolldown to 1.0.0-beta.55 (#21300) (2c8db85)
• update rolldown to 1.0.0-beta.54 (#21267) (c751172)

... (truncated)

Commits

• ea68a88 chore(deps): update rolldown-related dependencies (#20810)
• 693d255 release: v7.1.7
• 98a3484 fix(hmr): wait for import.meta.hot.prune callbacks to complete before runni...
• 9f32b1d fix(hmr): trigger prune event when import is removed from non hmr module (#20...
• 9f2247c fix(deps): update all non-major dependencies (#20811)
• 105abe8 fix(glob): handle glob imports from folders starting with dot (#20800)
• 4c4583c fix(build): fix ssr environment emitAssets: true when `sharedConfigBuild: t...
• 9bc9d12 fix(client): use CSP nonce when rendering error overlay (#20791)
• 54377f7 release: v7.1.6
• 88af2ae fix(deps): update all non-major dependencies (#20773)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​substrate-system/​tapout@​0.0.35 ⏵ 0.0.37	-24		-1	-6	-19
	@​substrate-system/​web-component@​0.0.49
	vite@​7.3.1 ⏵ 8.0.0	-2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → npm/vite@8.0.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report