build(deps): bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /possible-solution/client directory: @sveltejs/kit, svelte and vite.

Updates @sveltejs/kit from 2.5.10 to 2.52.2

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

@​sveltejs/kit@​2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

@​sveltejs/kit@​2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

  Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

  • from.scroll: The scroll position at the moment navigation was triggered
  • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

  This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

• feat: hydratable's injected script now works with CSP (#15048)

Patch Changes

• fix: put preloads before styles (#15232)

• fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)

• fix: fetch not working when URL is same host but different than paths.base (#15291)

• fix: navigate to hash link when base element is present (#15236)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

2.52.1

Patch Changes

• fix: clear stale preflight issues on subsequent valid form submissions (#15281)

• chore: remove dependency on sade (#15272)

• fix: include .txt files in precompression (#15259)

• fix: escape backticks and dollar signs when creating inlined css (#15320)

• fix: increment form.pending count before preflight validation (#15279)

2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

... (truncated)

Commits

• 9c4a737 Version Packages (#15338)
• 3e607b3 Merge commit from fork
• 62991c8 chore: upgrade devalue and svelte (#15339)
• f47c01b Merge commit from fork
• 6f69ded Version Packages (#15321)
• e87efba fix: clear stale preflight issues on subsequent valid form submissions (#15281)
• 4f367d5 chore: fix Node 18 CI by changing .remote.js import to .remote.ts (#15331)
• 20dfadf fix: escape backticks and dollar signs before creating interpolated string (#...
• 8c2384a fix: increment form.pending count before preflight validation (#15279)
• 71ddbc7 chore: remove dependency on sade (#15272)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/kit since your current version.

Updates svelte from 4.2.17 to 5.53.0

Release notes

Sourced from svelte's releases.

svelte@5.53.0

Minor Changes

• feat: allow comments in tags (#17671)

• feat: allow error boundaries to work on the server (#17672)

Patch Changes

• fix: use TrustedHTML to test for customizable support, where necessary (#17743)

• fix: ensure head effects are kept in the effect tree (#17746)

• chore: deactivate current_batch by default in unset_context (#17738)

svelte@5.52.0

Minor Changes

• feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

• fix: re-run non-render-bound deriveds on the server (#17674)

svelte@5.51.5

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#17739)

svelte@5.51.4

Patch Changes

• chore: proactively defer effects in pending boundary (#17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#17732)

svelte@5.51.3

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.0

Minor Changes

• feat: allow comments in tags (#17671)

• feat: allow error boundaries to work on the server (#17672)

Patch Changes

• fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

• fix: ensure head effects are kept in the effect tree (#17746)

• chore: deactivate current_batch by default in unset_context (#17738)

5.52.0

Minor Changes

• feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

• fix: re-run non-render-bound deriveds on the server (#17674)

5.51.5

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#17739)

5.51.4

Patch Changes

• chore: proactively defer effects in pending boundary (#17734)

... (truncated)

Commits

• c2fc95a Version Packages (#17747)
• 92e2fc1 feat: allow comments in tags (#17671)
• 2661513 feat: allow error boundaries to work on the server (#17672)
• 582e444 fix: ensure head effects are kept in the effect tree (#17746)
• f8bf9bb chore: deactivate current_batch by default in unset_context (#17738)
• 696d97f fix: use TrustedHTML to test for customizable <select> support, where necessa...
• cbf4e24 Version Packages (#17742)
• 09c4cb5 fix: re-run non-render-bound deriveds on the server (#17674)
• be24b0d feat: support TrustedHTML in {@​html} expressions (#17701)
• 9f48e76 fix: repair dynamic component truthy/falsy hydration mismatches (#17737)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.

Updates vite from 5.2.12 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates devalue from 5.0.0 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates esbuild from 0.20.2 to 0.21.5

Release notes

Sourced from esbuild's releases.

v0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Commits

• fc37c2f publish 0.21.5 to npm
• cb11924 fix Symbol.metadata errors in decorator tests
• b93a2a9 fix #3781: add metadata to all decorated classes
• 953dae9 fix #3797: import attributes and glob-style import
• 98cb2ed fix #3782: support ${configDir} in tsconfig.json
• 8e6603b run make update-compat-table
• db1b8ca fix #3792: import attributes and the copy loader
• de572d0 fix non-deterministic import attribute plugin test
• ae8d1b4 fix #3794: --supported:object-accessors=false
• 67cbf87 publish 0.21.4 to npm
• Additional commits viewable in compare view

Updates rollup from 4.18.0 to 4.57.1

Release notes

Sourced from rollup's releases.

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)
• #6255: chore(deps): lock file maintenance (@​renovate[bot])

v4.57.0

4.57.0

2026-01-27

Features

• Add import attributes to all plugin hooks that did not provide them yet (#5700)
• Deprecate returning import attributes from load or transform hooks as that will no longer be supported with rollup 5 (#5700)

Pull Requests

• #5700: extend more hooks to include import attributes and add warnings (@​TrickyPi, @​lukastaegert)
• #6243: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6244: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6245: chore(deps): lock file maintenance (@​renovate[bot])
• #6246: Refactor to reduce Rollup 5 upgrade diff (@​lukastaegert)

v4.56.0

4.56.0

2026-01-22

Features

• Track object property inclusions of dynamic namespace members (#6230)

Bug Fixes

• Handle methods that access dynamically imported namespace members via this (#6230)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)
• #6255: chore(deps): lock file maintenance (@​renovate[bot])

4.57.0

2026-01-27

Features

• Add import attributes to all plugin hooks that did not provide them yet (#5700)
• Deprecate returning import attributes from load or transform hooks as that will no longer be supported with rollup 5 (#5700)

Pull Requests

• #5700: extend more hooks to include import attributes and add warnings (@​TrickyPi, @​lukastaegert)
• #6243: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6244: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6245: chore(deps): lock file maintenance (@​renovate[bot])
• #6246: Refactor to reduce Rollup 5 upgrade diff (@​lukastaegert)

4.56.0

2026-01-22

Features

• Track object property inclusions of dynamic namespace members (#6230)

Bug Fixes

• Handle methods that access dynamically imported namespace members via this (#6230)

Pull Requests

• #6230: Refine namespace handling (@​lukastaegert)

... (truncated)

Commits

• d37675f 4.57.1
• eafac0b chore(deps): lock file maintenance (#6255)
• 47fa568 chore(deps): update dependency lru-cache to v11 (#6252)
• 416f476 Fully include dynamic imports in a try-catch (#6254)
• 5e393e3 fix: Isolate and cache process.report.getReport() calls in a child process ...
• c931d23 chore(deps): lock file maintenance minor/patch updates (#6253)
• c79e6c2 Mitigate vulnerability that would allow to steal credentials
• 743d054 4.57.0
• 74121c7 extend more hooks to include import attributes and add warnings (#5700)
• c519d82 Refactor to reduce Rollup 5 upgrade diff (#6246)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.