fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@better-svelte-email/components (source)	2.0.0 → 2.1.1			dependencies	minor
@better-svelte-email/server (source)	2.0.0 → 2.1.1			dependencies	minor
@internationalized/date (source)	3.12.1 → 3.12.2			devDependencies	patch
@lucide/svelte (source)	1.14.0 → 1.18.0			devDependencies	minor
@mmailaender/convex-svelte	^0.18.0 → ^0.19.0			dependencies	minor
@oxlint/plugins (source)	1.62.0 → 1.69.0			devDependencies	minor	1.70.0
@playwright/test (source)	1.59.1 → 1.60.0			devDependencies	minor	1.61.0
@sveltejs/kit (source)	2.60.1 → 2.65.0			devDependencies	minor	2.65.1
@sveltejs/package (source)	2.5.7 → 2.5.8			devDependencies	patch
@sveltejs/vite-plugin-svelte (source)	7.0.0 → 7.1.2			devDependencies	minor
@tailwindcss/typography	0.5.19 → 0.5.20			devDependencies	patch
@tailwindcss/vite (source)	4.2.4 → 4.3.0			devDependencies	minor	4.3.1
@types/node (source)	25.6.0 → 25.9.3			devDependencies	minor
@typescript-eslint/eslint-plugin (source)	8.59.1 → 8.61.0			devDependencies	minor
@typescript-eslint/parser (source)	8.59.1 → 8.61.0			devDependencies	minor
acorn	8.15.0 → 8.17.0			overrides	minor
actions/checkout (changelog)	de0fac2 → df4cb1c			action	digest
anthropics/claude-code-action (changelog)	fefa07e → d5726de			action	digest
bits-ui	2.18.0 → 2.18.1			devDependencies	patch
bun-tasks	0.1.2 → 0.1.4			devDependencies	patch
convex (source)	1.37.0 → 1.41.0			devDependencies	minor
eslint-plugin-svelte (source)	3.17.1 → 3.19.0			devDependencies	minor
knip (source)	6.11.0 → 6.16.1			devDependencies	minor
oxlint (source)	1.62.0 → 1.69.0			devDependencies	minor	1.70.0
prettier (source)	3.8.3 → 3.8.4			devDependencies	patch
prettier-plugin-svelte	3.5.1 → 3.5.2			devDependencies	patch
svelte (source)	5.55.7 → 5.56.3			devDependencies	minor
svelte-check	4.4.7 → 4.6.0			devDependencies	minor
tailwind-merge	3.5.0 → 3.6.0			devDependencies	minor
tailwindcss (source)	4.2.4 → 4.3.0			devDependencies	minor	4.3.1
typescript-eslint (source)	8.59.1 → 8.61.0			devDependencies	minor
vercel (source)	53.1.1 → 53.4.0			devDependencies	minor
vite (source)	8.0.10 → 8.0.16			devDependencies	patch
vitest (source)	4.1.5 → 4.1.8			devDependencies	patch	4.1.9

---

Release Notes

Konixy/better-svelte-email (@​better-svelte-email/components)

v2.1.1

Compare Source

Patch Changes

• 66be550: Updated packages, enabled npm trusted publisher and provenance

v2.1.0

Compare Source

Minor Changes

• 6a6cc75: - Allow external images in cli email preview
  • Add Resend test email sending from the CLI preview UI, with optional .bse/resend.json credential storage.
    See the docs for more details.
  • Small preview UI improvements and fixes
  • Updated dependencies

v2.0.1

Compare Source

Patch Changes

• 198c010: Removed the @better-svelte-email/server dependency for the @better-svelte-email/components package. Also updated READMEs across the library.

Konixy/better-svelte-email (@​better-svelte-email/server)

v2.1.1

Compare Source

Patch Changes

• 66be550: Updated packages, enabled npm trusted publisher and provenance

v2.1.0

Compare Source

Minor Changes

• 6a6cc75: - Allow external images in cli email preview
  • Add Resend test email sending from the CLI preview UI, with optional .bse/resend.json credential storage.
    See the docs for more details.
  • Small preview UI improvements and fixes
  • Updated dependencies

v2.0.1

Compare Source

Patch Changes

• 198c010: Removed the @better-svelte-email/server dependency for the @better-svelte-email/components package. Also updated READMEs across the library.

adobe/react-spectrum (@​internationalized/date)

v3.12.2

Compare Source

lucide-icons/lucide (@​lucide/svelte)

v1.18.0: Version 1.18.0

Compare Source

What's Changed

• chore(site): Remove survey from site by @​ericfennis in #​4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in #​4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in #​4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in #​4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in #​4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in #​4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in #​4085
• feat(icons): added webcam-off icon by @​jordan-burnett in #​4242

New Contributors

• @​alecglassford made their first contribution in #​4432
• @​jordan-burnett made their first contribution in #​4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

v1.17.0: Version 1.17.0

Compare Source

What's Changed

• chore(lucide-vue-next|lucide-svelte|lucide-angular): Remove deprecated packages by @​ericfennis in #​4376
• chore(repo): Update issue templates and documentation for package ren… by @​ericfennis in #​4379
• feat(site): Adds survey overlay to website by @​ericfennis in #​4380
• feat(site): Certificate dev links by @​ericfennis in #​4390
• fix(icons): changed martini icon by @​jamiemlaw in #​4335
• chore(deps): bump brace-expansion from 1.1.11 to 5.0.6 by @​dependabot[bot] in #​4386
• chore(deps): bump @​tootallnate/once from 2.0.0 to 2.0.1 by @​dependabot[bot] in #​4404
• chore(deps): bump devalue from 5.8.0 to 5.8.1 by @​dependabot[bot] in #​4391
• chore(deps): bump ws from 8.18.0 to 8.20.1 by @​dependabot[bot] in #​4392
• fix(gh-icon): limit icon size to a maximum of 256 pixels by @​jguddas in #​4398
• chore(dependencies): Update dependencies by @​ericfennis in #​4377
• feat(copilot): Adding copilot instructions by @​ericfennis in #​4407
• feat(icons): add globe-check by @​Barakudum in #​4342
• feat(metadata): Require use-cases in meta json by @​ericfennis in #​4321
• feat(icons): added parasol icon by @​karsa-mistmere in #​4347

Full Changelog: lucide-icons/lucide@1.16.0...1.17.0

v1.16.0: Version 1.16.0

Compare Source

What's Changed

• feat(icons): added blender icon by @​rrod497 in #​3884

Full Changelog: lucide-icons/lucide@1.15.0...1.16.0

v1.15.0: Version 1.15.0

Compare Source

What's Changed

• fix: remove 'less' from brand stopwords by @​jguddas in #​4331
• fix(@​lucide/vue): Clone slots before passing to icon by @​axtho in #​4339
• fix(icons): changed text-cursor icon by @​jamiemlaw in #​4340
• fix(icons): changed landmark icon by @​jamiemlaw in #​4334
• chore(deps-dev): bump nitropack from 2.13.1 to 2.13.4 by @​dependabot[bot] in #​4352
• chore(deps-dev): bump simple-git from 3.33.0 to 3.36.0 by @​dependabot[bot] in #​4349
• fix(icons): changed candy-cane icon by @​jguddas in #​4148
• fix(icons): changed volleyball icon by @​jamiemlaw in #​4338
• fix(icons): changed chart-no-axes-combined icon by @​jguddas in #​3567
• feat(icon): added broccoli icon by @​swastik7805 in #​4263
• chore(site): Updates to site and updated carbon ads by @​ericfennis in #​4359
• feat(icons): added sticky note variants by @​Barakudum in #​4348
• chore(deps-dev): bump astro from 6.1.6 to 6.1.10 by @​dependabot[bot] in #​4361

New Contributors

• @​axtho made their first contribution in #​4339
• @​Barakudum made their first contribution in #​4348

Full Changelog: lucide-icons/lucide@1.14.0...1.15.0

mmailaender/convex-svelte (@​mmailaender/convex-svelte)

v0.19.1

Compare Source

Patch Changes

• @​mmailaender/convex-svelte is now deprecated. All features have been merged into convex-svelte and all future development will happen there.

v0.19.0

Compare Source

microsoft/playwright (@​playwright/test)

v1.60.0

Compare Source

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});

await page.locator('#dropzone').drop({
  data: {
    'text/plain': 'hello world',
    'text/uri-list': 'https://example.com',
  },
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

• Event browser.on('context') — fired when a new context is created on the browser.
• BrowserContext now mirrors lifecycle events from its pages: browserContext.on('download'), browserContext.on('frameattached'), browserContext.on('framedetached'), browserContext.on('framenavigated'), browserContext.on('pageclose'), browserContext.on('pageload').

Locators and Assertions

• New option description in page.getByRole() / locator.getByRole() / frame.getByRole() / frameLocator.getByRole() for matching the accessible description.
• New option pseudo in expect(locator).toHaveCSS() reads computed styles from ::before or ::after.
• New option style in locator.highlight() applies extra inline CSS to the highlight overlay, plus new page.hideHighlight() to clear all highlights.

Network

• webSocketRoute.protocols() returns the WebSocket subprotocols requested by the page.
• New option noDefaults in browserType.connectOverCDP() disables Playwright's default overrides on the default context (download behavior, focus emulation, media emulation), so attaching to a user's daily-driver browser doesn't disturb its state.

Errors and Reporting

• New webError.location() mirrors consoleMessage.location().
• consoleMessage.location() now exposes line / column properties (lineNumber / columnNumber are deprecated).
• New testInfoError.errorContext surfaces additional diagnostic context, such as the aria snapshot of the receiver at the time of an expect(...) matcher failure.
• reporter.onError() now receives a workerInfo argument with details about the worker for fixture teardown errors.

Test runner

• New {testFileBaseName} token in testProject.snapshotPathTemplate — file name without extension.
• Test runner now errors when a config tries to override a non-option fixture, and rejects workers: 0 or negative values.

🛠️ Other improvements

• HTML reporter:
  • npx playwright show-report accepts .zip files directly — no need to unzip first.
  • Steps that contain attachments inside nested children show an indicator on the parent step.
  • The repeatEachIndex is shown in the test header when non-zero.
• Trace Viewer adds a pretty-print toggle for JSON / form request and response bodies in the network details panel.

Breaking Changes ⚠️

• Removed long-deprecated APIs:
  • Locator.ariaRef() — use the standard locator.ariaSnapshot() pipeline.
  • handle option on BrowserContext.exposeBinding and Page.exposeBinding.
  • logger option on BrowserType.connect and BrowserType.connectOverCDP — use tracing instead.
  • Context options videosPath / videoSize — use recordVideo instead.

Browser Versions

• Chromium 148.0.7778.96
• Mozilla Firefox 150.0.2
• WebKit 26.4

This version was also tested against the following stable channels:

• Google Chrome 147
• Microsoft Edge 147

sveltejs/kit (@​sveltejs/kit)

v2.65.0

Compare Source

Minor Changes

• feat: allow queries to refresh other queries (#​16012)

Patch Changes

• fix: dedupe remote data (#​15991)

• fix: skip client build if all routes have CSR disabled (#​15936)

v2.64.0

Compare Source

Minor Changes

• feat: allow commands to receive File objects (#​15978)

Patch Changes

• fix: avoid server components from being bundled if SSR is turned off for a route (#​15982)

v2.63.1

Compare Source

Patch Changes

• fix: use SSE for query.live (#​15957)

• fix: use forward slashes in the generated env.d.ts import path on Windows (#​15977)

• fix: allow $app/environment with a warning when explicitEnvironmentVariables is enabled (#​15980)

• fix: avoid importing Vite while validating explicit environment variables (#​15953)

• docs: adjust the release version of explicit env vars (#​15968)

• fix: ensure version is defined when importing from $app/env with explicit environment variables (#​15971)

v2.63.0

Compare Source

Minor Changes

• feat: explicit env vars (#​15934)

Patch Changes

• fix: remove check for svelte.config.js before running sync (#​15946)

• fix: generate a placeholder tsconfig.json to squelch sync-time warnings (#​15948)

• fix: allow use of $app/env/public in service workers (#​15950)

v2.62.0

Compare Source

Minor Changes

• feat: support passing Svelte(Kit) config via Vite plugin (#​15944)

Patch Changes

• fix: preserve multiple Set-Cookie headers on 304 responses (#​15902)

• fix: preload for anchor elements that were just previously preloaded (#​15915)

• fix: catch load function streaming errors on the client (#​15929)

• fix: avoid generating the _app/env.js module if public dynamic environment variables are not used by the app (#​15940)

v2.61.1

Compare Source

Patch Changes

• fix: regression where routes starting and ending with a route group are not matched correctly (#​15903)

v2.61.0

Compare Source

Minor Changes

• breaking: the .run() method has been removed from remote queries on both the client and the server. Use await query() directly instead — it now works everywhere (#​15779)

• feat: remote queries can now be awaited in any context (event handlers, module scope, async callbacks), not just inside reactive contexts. The cache is shared across reactive and non-reactive subscribers, so awaiting a query in an event handler will dedupe with components that have already subscribed to the same query. (#​15779)

• feat: live query instances are now themselves async-iterable (#​15878)

• feat: add programmatic submit method to form remote function instances (#​15657)

• feat: pass form remote function instance into enhance callback (#​15657)

Patch Changes

• fix: resolve the app payload without using process.env.NODE_ENV (#​15852)

• fix: support exactOptionalPropertyTypes for optional route params (#​15825)

• fix: correctly send true value to the server for 'submit' and 'hidden' form fields (#​15858)

• fix: avoid build warnings about undefined universal hooks (#​15895)

• fix: prefer default error page when failing to decode the URL pathname (#​15744)

• fix: disable link prefetching on slow internet connections (#​15885)

• fix: allow routes ending with optional parameters next to more specific routes (#​15861)

• fix: remove reliance on Content-Length header in deserialize_binary_form, which caused failures when proxies (e.g. Vercel, Azure) strip the header and use chunked transfer encoding (#​15796)

sveltejs/kit (@​sveltejs/package)

v2.5.8

Compare Source

Patch Changes

• chore: bump svelte2tsx dependency to support TypeScript 6 (#​15896)

sveltejs/vite-plugin-svelte (@​sveltejs/vite-plugin-svelte)

v7.1.2

Compare Source

Patch Changes

• fix: correctly resolve compiled CSS on the server for dependencies with Svelte files (#​1342)

v7.1.1

Compare Source

Patch Changes

• fix: pass typescript.onlyRemoveTypeImports to transformWithOxc in vitePreprocess so that value imports are not dropped when they are only referenced in Svelte template markup (#​1326)

• fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#​1336)

v7.1.0

Compare Source

Minor Changes

• feat: enable optimizer for server environments during dev (#​1328)

tailwindlabs/tailwindcss-typography (@​tailwindcss/typography)

v0.5.20

Compare Source

Fixed

• Support installing with stable versions of Tailwind CSS v4 (#​424)

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.3.0

Compare Source

Added

• Add @container-size utility (#​18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#​19981, #​20019)
• Add scrollbar-gutter-* utilities (#​20018)
• Add zoom-* utilities (#​20020)
• Add tab-* utilities (#​20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#​19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#​19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#​19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#​19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#​19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#​19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#​19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#​19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#​19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#​19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#​19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#​19918)
• Allow multiple @utility definitions with the same name but different value types (#​19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#​19707)
• Ensure start and end legacy utilities without values do not generate CSS (#​20003)
• Ensure --value(…) is required in functional @utility definitions (#​20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#​20011)

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.61.0

Compare Source

🚀 Features

• ast-spec: change type of UnaryExpression.prefix to always true (#​12372)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.1

Compare Source

🩹 Fixes

• eslint-plugin: [no-shadow] correct rule to match ESLint v10 handling (#​12182)
• eslint-plugin: respect ECMAScript line terminators in ts-comment rules (#​12352)

❤️ Thank You

• lumir
• Nevette Bailey @​nevette-bailey

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#​12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

Compare Source

🩹 Fixes

• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#​12292)
• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#​12150)

❤️ Thank You

• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.61.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

[

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 6am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[stickerdaniel]

• fix(deps): update all non-major dependencies #362 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	saas-starter	ef24f4e	Jun 15 2026, 02:01 PM

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​mmailaender/​convex-svelte@​0.18.0 ⏵ 0.19.1	+1		+1	-43
	@​typescript-eslint/​parser@​8.59.1 ⏵ 8.61.0
	@​better-svelte-email/​components@​2.0.0 ⏵ 2.1.1	+1		-3	+1
	typescript-eslint@​8.59.1 ⏵ 8.61.0			+1
	@​sveltejs/​package@​2.5.7 ⏵ 2.5.8				-1
	@​better-svelte-email/​server@​2.0.0 ⏵ 2.1.1			-3	+1
	@​oxlint/​plugins@​1.62.0 ⏵ 1.69.0	+1		+1	+1
	vitest@​4.1.5 ⏵ 4.1.8	+1		+1	+2
	vercel@​53.1.1 ⏵ 53.4.0			+1	+1
	@​typescript-eslint/​eslint-plugin@​8.59.1 ⏵ 8.61.0			+1
	@​lucide/​svelte@​1.14.0 ⏵ 1.18.0	+1		+1	+2
	@​types/​node@​25.6.0 ⏵ 25.9.3	+1		+1
	@​sveltejs/​kit@​2.60.1 ⏵ 2.65.0	+1		+1	+1
	@​sveltejs/​vite-plugin-svelte@​7.0.0 ⏵ 7.1.2	+1		+1
	vite@​7.3.2 ⏵ 8.0.16	+1		+1	+2
	tailwindcss@​4.2.4 ⏵ 4.3.0
	tailwind-merge@​3.5.0 ⏵ 3.6.0	+1		+1
	@​internationalized/​date@​3.12.1 ⏵ 3.12.2			+1
	svelte@​5.55.7 ⏵ 5.56.3	+1		+1
	convex@​1.37.0 ⏵ 1.41.0	+12		+1
	@​tailwindcss/​vite@​4.2.4 ⏵ 4.3.0	+1		+1
	bits-ui@​2.18.0 ⏵ 2.18.1	+1		+1
	oxlint@​1.62.0 ⏵ 1.69.0			+1
	prettier-plugin-svelte@​3.5.1 ⏵ 3.5.2	+1			+1
	svelte-check@​4.4.7 ⏵ 4.6.0				-1
	knip@​6.11.0 ⏵ 6.16.1	+1		+1	+1
	eslint-plugin-svelte@​3.17.1 ⏵ 3.19.0	+1
	@​tailwindcss/​typography@​0.5.19 ⏵ 0.5.20
	prettier@​3.8.4
	@​playwright/​test@​1.59.1 ⏵ 1.60.0
	bun-tasks@​0.1.2 ⏵ 0.1.4	+29		+3	+14

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/@internationalized/date@3.12.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/@typescript-eslint/eslint-plugin@8.61.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm htmlparser2 is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@better-svelte-email/server@2.1.1 → npm/htmlparser2@10.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/htmlparser2@10.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report