chore(deps): update packages

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@humanspeak/svelte-markdown (source)	1.3.0 → 1.4.1
@internationalized/date (source)	3.12.0 → 3.12.1
@metascraper/helpers (source)	5.50.0 → 5.50.1
@noble/hashes (source)	2.0.1 → 2.2.0
@prisma/adapter-better-sqlite3 (source)	7.6.0 → 7.7.0
@prisma/client (source)	7.6.0 → 7.7.0
@skeletonlabs/skeleton (source)	4.14.0 → 4.15.2
@skeletonlabs/skeleton-svelte (source)	4.14.0 → 4.15.2
@sveltejs/kit (source)	2.55.0 → 2.57.1
@tailwindcss/vite (source)	4.2.2 → 4.2.4
autoprefixer	10.4.27 → 10.5.0
dotenv	17.4.0 → 17.4.2
eslint (source)	10.1.0 → 10.2.1
eslint-plugin-svelte (source)	3.16.0 → 3.17.0
globals	17.4.0 → 17.5.0
metascraper (source)	5.50.0 → 5.50.1
metascraper-image (source)	5.50.0 → 5.50.1
metascraper-title (source)	5.50.0 → 5.50.1
openid-client	6.8.2 → 6.8.3
prettier (source)	3.8.1 → 3.8.3
prisma (source)	7.6.0 → 7.7.0
svelte (source)	5.55.1 → 5.55.4
tailwindcss (source)	4.2.2 → 4.2.4
typescript-eslint (source)	8.58.0 → 8.59.0
vite (source)	8.0.5 → 8.0.9

---

Release Notes

humanspeak/svelte-markdown (@​humanspeak/svelte-markdown)

v1.4.1

Compare Source

Changes in this Release
fix(types): add missing properties to SnippetProps interfaces

For more details, see the Pull Request

v1.4.0

Compare Source

Changes in this Release
fix: add built-in URL and attribute sanitization to prevent XSS

For more details, see the Pull Request

adobe/react-spectrum (@​internationalized/date)

v3.12.1

Compare Source

microlinkhq/metascraper (@​metascraper/helpers)

v5.50.1

Compare Source

Bug Fixes

• security: bump lodash from ~4.17.23 to ~4.18.0 (#​833) (e89d9d3), closes #​832

paulmillr/noble-hashes (@​noble/hashes)

v2.2.0

Compare Source

• March 2026 self-audit (all files): no major issues found
  • Audited for spec compliance and security
  • Fix: dkLen=0 handling in pbkdf2, blake2, turboshake, kt
  • Fix: parallelHash with blockLen=0
  • Fix: argon2 progress callback now reaches 100%
  • Improve: digestInto no longer returns a value (better performance)
  • Improve: argon2, blake2 support non-4-divisible dkLen
• Fix all Byte Array types, to ensure proper work in both TypeScript 5.6 & TypeScript 5.9+
  • TS 5.6 has Uint8Array, while TS 5.9+ made it generic Uint8Array<ArrayBuffer>
  • This creates incompatibility of code between versions
  • Previously, it was hard to use and constantly emitted errors similar to TS2345
  • See typescript#62240 for more context
• sha3: speed-up by up to 50%. Contributed by @​ChALkeR in #​126
• Fix compilation issues on TypeScript v6
• Make package Big Endian friendly. All tests pass on s390x
• Improve tree-shaking, reduce bundle sizes
• Add massive amounts of documentation everywhere

(We're skipping v2.1, to align with other noble packages)

Full Changelog: paulmillr/noble-hashes@2.0.1...2.2.0

prisma/prisma (@​prisma/adapter-better-sqlite3)

v7.7.0

Compare Source

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

prisma bootstrap command

A new prisma bootstrap command (#​29374, #​29424) sequences the full Prisma Postgres setup into a single interactive flow. It detects the current project state and runs only the steps that are needed:

1. Init or scaffold — In an empty directory, offers a choice of 10 starter templates (Next.js, Express, Hono, Fastify, Nuxt, SvelteKit, Remix, React Router 7, Astro, NestJS) from prisma-examples. In an existing project without a schema, runs prisma init.
2. Link — Authenticates via the browser and connects to a Prisma Postgres database. Skips if already linked.
3. Install dependencies — Detects the package manager and offers to install missing @prisma/client, prisma, and dotenv.
4. Migrate — Runs prisma migrate dev if the schema contains models.
5. Generate — Runs prisma generate.
6. Seed — Runs prisma db seed if a seed script is configured.

Each side-effecting step prompts for confirmation. Re-running the command skips already-completed steps.

Basic usage

npx prisma@latest bootstrap

With a starter template

npx prisma@latest bootstrap --template nextjs

Non-interactive (CI)

npx prisma@latest bootstrap --api-key "$PRISMA_API_KEY" --database "db_abc123"

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

skeletonlabs/skeleton (@​skeletonlabs/skeleton)

v4.15.2

Compare Source

v4.15.1

Compare Source

v4.15.0

Compare Source

skeletonlabs/skeleton (@​skeletonlabs/skeleton-svelte)

v4.15.2

Compare Source

Patch Changes

• task: bump zag (#​4348)

• Updated dependencies []:

  • @​skeletonlabs/skeleton-common@​4.15.2

v4.15.1

Compare Source

Patch Changes

• Updated dependencies [31618a3]:
  • @​skeletonlabs/skeleton-common@​4.15.1

v4.15.0

Compare Source

Minor Changes

• task: bump zag (#​4327)

Patch Changes

• Updated dependencies []:
  • @​skeletonlabs/skeleton-common@​4.15.0

sveltejs/kit (@​sveltejs/kit)

v2.57.1

Compare Source

Patch Changes

• fix: better validation for redirect inputs (10d7b44)

• fix: enforce BODY_SIZE_LIMIT on chunked requests (3202ed6)

• fix: use default values as fallbacks (#​15680)

• fix: relax form typings for union types (#​15687)

v2.57.0

Compare Source

Minor Changes

• feat: return boolean from submit to indicate submission validity for enhanced form remote functions (#​15530)

Patch Changes

• fix: use array type for select fields that accept multiple values (#​15591)

• fix: silently 404 Chrome DevTools workspaces request in dev and preview (#​15656)

• fix: config.kit.csp.directives['trusted-types'] requires 'svelte-trusted-html' (and 'sveltekit-trusted-url' when a service worker is automatically registered) if it is configured (#​15323)

• fix: avoid inlineDynamicImports ignored with codeSplitting warning when using Vite 8 (#​15647)

• fix: reimplement treeshaking non-dynamic prerendered remote functions (#​15447)

v2.56.1

Compare Source

Patch Changes

• chore: update JSDoc (#​15640)

v2.56.0

Compare Source

Minor Changes

• breaking: rework client-driven refreshes (#​15562)

• breaking: stabilize remote function caching by sorting object keys (#​15570)

• breaking: add run() method to queries, disallow awaiting queries outside render (#​15533)

• feat: support TypeScript 6.0 (#​15595)

• breaking: isolate command-triggered query refresh failures per-query (#​15562)

• feat: use hydratable for remote function transport (#​15533)

• feat: allow form fields to specify a default value (field.as(type, value)) (#​15577)

Patch Changes

• fix: don't request new data when .refresh is called on a query with no cache entry (#​15533)

• fix: allow using multiple remote functions within one async derived (#​15561)

• fix: avoid false-positive overridden Vite base setting warning when setting a paths.base in svelte.config.js (#​15623)

• fix: manage queries in their own $effect.root (#​15533)

• fix: avoid inlineDynamicImports deprecation warning when building the service worker with Vite 8 (#​15550)

• fix: correctly escape backticks when precomputing CSS (#​15593)

• fix: discard obsolete forks before finishing navigation (#​15634)

• chore: tighten up override implementation (#​15562)

• fix: ensure the default Svelte 5 error.svelte file uses runes mode (#​15609)

• fix: deduplicate same-cache-key batch calls during SSR (#​15533)

• fix: decrement pending_count when form callback doesn't call submit() (#​15520)

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.2.4

Compare Source

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#​19947)

v4.2.3

Compare Source

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#​19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#​19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#​19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#​19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#​19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#​19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#​19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#​19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#​19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#​19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#​19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#​19846)
• Upgrade: never migrate files that are ignored by git (#​19846)
• Add .env and .env.* to default ignored content files (#​19846)
• Canonicalization: migrate overflow-ellipsis into text-ellipsis (#​19849)
• Canonicalization: migrate start-full → inset-s-full, start-auto → inset-s-auto, start-px → inset-s-px, and start-<number> → inset-s-<number> as well as negative versions (#​19849)
• Canonicalization: migrate end-full → inset-e-full, end-auto → inset-e-auto, end-px → inset-e-px, and end-<number> → inset-e-<number> as well as negative versions (#​19849)
• Canonicalization: move the - sign inside the arbitrary value -left-[9rem] → left-[-9rem] (#​19858)
• Canonicalization: move the - sign outside the arbitrary value ml-[calc(-1*var(--width))] → -ml-(--width) (#​19858)
• Improve performance when scanning JSONL / NDJSON files (#​19862)
• Support NODE_PATH environment variable in standalone CLI (#​19617)

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

v17.4.1

Compare Source

eslint/eslint (eslint)

v10.2.1

Compare Source

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

sveltejs/eslint-plugin-svelte (eslint-plugin-svelte)

v3.17.0

Compare Source

Minor Changes

• #​1489 eb8172c Thanks @​marekdedic! - feat(no-navigation-without-resolve): added support for ternary expressions

Patch Changes

• #​1490 b742163 Thanks @​marekdedic! - fix(no-navigation-without-resolve): properly detecting invalid binary expression operators

sindresorhus/globals (globals)

v17.5.0

Compare Source

microlinkhq/metascraper (metascraper)

v5.50.1

Compare Source

Bug Fixes

• security: bump lodash from ~4.17.23 to ~4.18.0 (#​833) (e89d9d3), closes #​832

microlinkhq/metascraper (metascraper-image)

v5.50.1

Compare Source

Note: Version bump only for package metascraper-image

panva/openid-client (openid-client)

v6.8.3

Compare Source

Documentation

• note a workaround for redirect_uri with query string or bare origin (e9689de), closes #​868

Fixes

• passport: delete one-time state on callback (1e7dd2e)

prettier/prettier (prettier)

v3.8.3

Compare Source

v3.8.2

Compare Source

sveltejs/svelte (svelte)

v5.55.4

Compare Source

Patch Changes

• fix: never mark a child effect root as inert (#​18111)

• fix: reset context after waiting on blockers of @const expressions (#​18100)

• fix: keep flushing new eager effects (#​18102)

v5.55.3

Compare Source

Patch Changes

• fix: ensure proper HMR updates for dynamic components (#​18079)

• fix: correctly calculate @const blockers (#​18039)

• fix: freeze deriveds once their containing effects are destroyed (#​17921)

• fix: defer error boundary rendering in forks (#​18076)

• fix: avoid false positives for reactivity loss warning (#​18088)

v5.55.2

Compare Source

Patch Changes

• fix: invalidate @const tags based on visible references in legacy mode (#​18041)

• fix: handle parens in template expressions more robustly (#​18075)

• fix: disallow -- in idPrefix (#​18038)

• fix: correct types for ontoggle on <details> elements (#​18063)

• fix: don't override $destroy/set/on instance methods in dev mode (#​18034)

• fix: unskip branches of earlier batches after commit (#​18048)

• fix: never set derived.v inside fork (#​18037)

• fix: skip rebase logic in non-async mode (#​18040)

• fix: don't reset status of uninitialized deriveds (#​18054)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

Compare Source

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#​12187)

❤️ Thank You

• Abhijeet Singh @​cseas

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.0.9

Compare Source

Features

• update rolldown to 1.0.0-rc.16 (#​22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#​22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#​22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#​22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#​22039) (374bb5d)
• deps: update all non-major dependencies (#​22219) (4cd0d67)
• deps: update all non-major dependencies (#​22268) (c28e9c1)
• detect Deno workspace root (fix #​22237) (#​22238) (1b793c0)
• dev: handle errors in watchChange hook (#​22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#​22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#​22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#​22231) (44c42b9)
• fix reuses wording in dev environment comment (#​22173) (9163412)
• fix wording in sass error comment (#​22214) (bc5c6a7)
• update build CLI defaults (#​22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#​22271) (0a3887d)

v8.0.8

Compare Source

Features

• update rolldown to 1.0.0-rc.15 (#​22201) (6baf587)

Bug Fixes

• avoid dns.getDefaultResultOrder temporary (#​22202) (15f1c15)
• ssr: class property keys hoisting matching imports (#​22199) (e137601)

v8.0.7

Compare Source

Bug Fixes

• use sync dns.getDefaultResultOrder instead of dns.promises (#​22185) (5c05b04)

v8.0.6

Compare Source

Features

• update rolldown to 1.0.0-rc.13 (#​22097) (51d3e48)

Bug Fixes

• css: avoid mutating sass error multiple times (#​22115) (d5081c2)
• optimize-deps: hoist CJS interop assignment (#​22156) (17a8f9e)

Performance Improvements

• early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#​22151) (56ec256)

Miscellaneous Chores

• create-vite: remove unnecessary DOM.Iterable (#​22168) (bdc53ab)
• replace remaining prettier script (#​22179) (af71fb2)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 9am on sunday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.