chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /tests/app/rp directory: @sveltejs/kit, svelte and rollup.

Updates @sveltejs/kit from 2.48.4 to 2.54.0

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.54.0

Minor Changes

• feat: allow error boundaries to catch errors on the server (#15308)

Patch Changes

• chore: upgrade devalue (#15535)

• fix: don't wait for remote functions that are not awaited in the template (#15280)

• feat: allow resolve() to accept pathnames with a search string and/or hash (#15458)

• chore: remove deprecation warnings for config.kit.files.* options when validating the Svelte config file (#15482)

• fix: handles form target attribute in remote form redirects (#15457)

@​sveltejs/kit@​2.53.4

Patch Changes

• fix: avoid Vite warning about unknown codeSplitting option (#15451)

@​sveltejs/kit@​2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

@​sveltejs/kit@​2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

• fix: allow commands in more places (#15288)

@​sveltejs/kit@​2.53.1

Patch Changes

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.54.0

Minor Changes

• feat: allow error boundaries to catch errors on the server (#15308)

Patch Changes

• chore: upgrade devalue (#15535)

• fix: don't wait for remote functions that are not awaited in the template (#15280)

• feat: allow resolve() to accept pathnames with a search string and/or hash (#15458)

• chore: remove deprecation warnings for config.kit.files.* options when validating the Svelte config file (#15482)

• fix: handles form target attribute in remote form redirects (#15457)

2.53.4

Patch Changes

• fix: avoid Vite warning about unknown codeSplitting option (#15451)

2.53.3

Patch Changes

• fix: prevent overlapping file metadata in remote functions form (faba869)

2.53.2

Patch Changes

• fix: server-render nested form value sets (#15378)

• fix: use deep partial types for form remote functions .value() and .set(...) (#14837)

• fix: provide correct url info to remote functions (#15418)

• fix: allow optional types for remote query/command/prerender functions (#15293)

... (truncated)

Commits

• 54dadc1 Version Packages (#15464)
• 5b65f39 chore: upgrade devalue (#15535)
• a85396c feat: allow error boundaries to catch errors on the server (#15308)
• 796d1e7 chore: fix Vite ecosystem CI test (#15516)
• d3387f9 chore: fix serialize_data comment typo (#15518)
• 568da5e chore: fix Vite comment typo (#15513)
• 56fa4fa fix: handle target attribute on remote form redirects (#15457)
• 55df690 chore: undeprecate config.kit.files.* options (#15482)
• 37ec6c8 chore: fix navigation type duplicated descriptions (#15490)
• aebeae8 chore: catalog prettier and prettier-plugin-svelte (#15485)
• Additional commits viewable in compare view

Updates svelte from 5.43.2 to 5.53.11

Release notes

Sourced from svelte's releases.

svelte@5.53.11

Patch Changes

• fix: remove untrack circular dependency (#17910)

• fix: recover from errors that leave a corrupted effect tree (#17888)

• fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

• fix: resolve boundary in correct batch when hydrating (#17914)

• chore: rebase batches after process, not during (#17900)

svelte@5.53.10

Patch Changes

• fix: re-process batch if new root effects were scheduled (#17895)

svelte@5.53.9

Patch Changes

• fix: better bind:this cleanup timing (#17885)

svelte@5.53.8

Patch Changes

• fix: {@html} no longer duplicates content inside contenteditable elements (#17853)

• fix: don't access inert block effects (#17882)

• fix: handle asnyc updates within pending boundary (#17873)

• perf: avoid re-traversing the effect tree after $: assignments (#17848)

• chore: simplify scheduling logic (#17805)

svelte@5.53.7

Patch Changes

• fix: correctly add __svelte_meta after else-if chains (#17830)

• perf: cache element interactivity and source line splitting in compiler (#17839)

• chore: avoid rescheduling effects during branch commit (#17837)

• perf: optimize CSS selector pruning (#17846)

• fix: preserve original boundary errors when keyed each rows are removed during async updates (#17843)

• perf: avoid O(n²) name scanning in scope generate and unique (#17844)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.11

Patch Changes

• fix: remove untrack circular dependency (#17910)

• fix: recover from errors that leave a corrupted effect tree (#17888)

• fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

• fix: resolve boundary in correct batch when hydrating (#17914)

• chore: rebase batches after process, not during (#17900)

5.53.10

Patch Changes

• fix: re-process batch if new root effects were scheduled (#17895)

5.53.9

Patch Changes

• fix: better bind:this cleanup timing (#17885)

5.53.8

Patch Changes

• fix: {@html} no longer duplicates content inside contenteditable elements (#17853)

• fix: don't access inert block effects (#17882)

• fix: handle asnyc updates within pending boundary (#17873)

• perf: avoid re-traversing the effect tree after $: assignments (#17848)

• chore: simplify scheduling logic (#17805)

5.53.7

Patch Changes

• fix: correctly add __svelte_meta after else-if chains (#17830)

• perf: cache element interactivity and source line splitting in compiler (#17839)

• chore: avoid rescheduling effects during branch commit (#17837)

... (truncated)

Commits

• bd433c5 Version Packages (#17901)
• 7c9ff8f fix: resolve boundary in correct batch when hydrating (#17914)
• 667896a fix: recover from errors that leave a corrupted effect tree (#17888)
• e4e0893 fix: remove untrack circular dependency (#17910)
• 58f161d fix: properly lazily evaluate RHS when checking for assignment_value_stale (#...
• 0e8f49b chore: rebase batches after process, not during (#17900)
• 72cd247 Version Packages (#17896)
• 342d856 fix: re-process batch if new root effects were scheduled (#17895)
• d54361b Version Packages (#17886)
• be36c93 fix: better bind:this cleanup timing (#17885)
• Additional commits viewable in compare view

Updates devalue from 5.4.2 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Updates rollup from 4.52.5 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!