deps: bump the production-deps group across 1 directory with 25 updates #85

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-deps-4bb78fc87d

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the production-deps group with 25 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @passwordless-id/webauthn | 2.3.5 | 2.4.0 |
| @tauri-apps/api | 2.10.1 | 2.11.0 |
| @tauri-apps/plugin-deep-link | 2.4.8 | 2.4.9 |
| @tauri-apps/plugin-dialog | 2.7.0 | 2.7.1 |
| @tauri-apps/plugin-fs | 2.5.0 | 2.5.1 |
| @tauri-apps/plugin-global-shortcut | 2.3.1 | 2.3.2 |
| @tauri-apps/plugin-opener | 2.5.3 | 2.5.4 |
| bits-ui | 2.18.0 | 2.18.1 |
| dexie | 4.4.2 | 4.4.3 |
| dompurify | 3.4.2 | 3.4.7 |
| preact | 10.29.1 | 10.29.2 |
| svelte | 5.55.1 | 5.56.1 |
| tailwind-merge | 3.5.0 | 3.6.0 |
| @internationalized/date | 3.12.1 | 3.12.2 |
| @playwright/test | 1.59.1 | 1.60.0 |
| @tailwindcss/postcss | 4.2.4 | 4.3.0 |
| @tauri-apps/cli | 2.10.1 | 2.11.2 |
| @typescript-eslint/eslint-plugin | 8.59.1 | 8.60.1 |
| @typescript-eslint/parser | 8.59.1 | 8.60.1 |
| postcss | 8.5.13 | 8.5.15 |
| svelte-check | 4.4.7 | 4.5.0 |
| svelte-eslint-parser | 1.6.0 | 1.7.1 |
| tailwindcss | 4.2.4 | 4.3.0 |
| typescript-eslint | 8.59.1 | 8.60.1 |
| workbox-cli | 7.4.0 | 7.4.1 |

Updates @passwordless-id/webauthn from 2.3.5 to 2.4.0

Release notes

Sourced from @​passwordless-id/webauthn's releases.

2.4.0

IMPORTANT NOTE: In this version the browser field was removed in package.json due to issues with how various tooling interprets it. Check out #108 for more details.

Commits
  • bd07189 Removed "browser" field and updated authenticator devices metadata/icons
  • 40e3c21 Merge pull request #112 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3926a2f chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates
  • ec42719 Merge pull request #110 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3b514d8 chore(deps): bump minimatch in the npm_and_yarn group across 1 directory
  • efd757a Merge pull request #109 from passwordless-id/dependabot/npm_and_yarn/npm_and_...
  • 3fcfbce chore(deps-dev): bump qs in the npm_and_yarn group across 1 directory
  • See full diff in compare view

Updates @tauri-apps/api from 2.10.1 to 2.11.0

Release notes

Sourced from @​tauri-apps/api's releases.

@​tauri-apps/api v2.11.0

No known vulnerabilities found

[2.11.0]

New Features

  • 074299c08 (#14307) Add Bring All to Front predefined menu item type
  • a12142a48 (#14357) Add macos support for setting the icon and icon template state in the same step of the main thread, to prevent flickering.
  • 001c8fe3d (#14722) Add a WebView option to control browser-level general autofill behavior. This option does not disable password or credit card autofill. On Windows (WebView2), setting it to true disables the general autofill "Suggestions" UI, which may appear even when autocomplete="off" is specified on input elements. On Linux, macOS, iOS, and Android, this option is currently unsupported and performs no operation.
  • eb0312ea9 (#15199) Propagates the Event::Suspended and Event::Resumed events from tao when they are emitted on mobile targets.

... (truncated)

Commits
  • e60834f Apply Version Updates From Current Changes (#15041)
  • df05c00 chore: minor bump for codegen crate
  • 13bea17 chore: fmt
  • 9808236 fix(macOS): correct value for work_area.position.y (#14655)
  • eb0312e feat(mobile): Propagate tao::Event::Suspended and tao::Event::Resumed to the ...
  • 4ef5797 feat(ios): add --no-sign and --archive-only flags to ios build (#15061)
  • 110336c fix(macOS): fix incorrect window position on multi-monitor setups (#15250)
  • c00a3db feat(macros): add support for rename command macro in tauri-macros #14173 (#1...
  • 764b913 feat(cli): restart Android emulator if it is disconnected from adb (#14313)
  • 1035f12 fix(windows): tauri-bundler detect arm system (#14923)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-deep-link from 2.4.8 to 2.4.9

Release notes

Sourced from @​tauri-apps/plugin-deep-link's releases.

deep-link-js v2.4.9

[2.4.9]

deep-link v2.4.9

[2.4.9]

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-dialog from 2.7.0 to 2.7.1

Release notes

Sourced from @​tauri-apps/plugin-dialog's releases.

dialog-js v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1

dialog v2.7.1

[2.7.1]

Dependencies

  • Upgraded to fs-js@2.5.1

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-fs from 2.5.0 to 2.5.1

Release notes

Sourced from @​tauri-apps/plugin-fs's releases.

fs-js v2.5.1

[2.5.1]

fs v2.5.1

[2.5.1]

... (truncated)

Commits
  • 5c7668b publish new versions (#3397)
  • ec05401 chore(deps): update rust crate toml to v1 (#3323)
  • b86e999 chore(deps): update tauri packages to 2.11 (#3407)
  • c463d8a chore(deps): update rustls-webpki in lockfile, ignore core2 in audit (#3405)
  • 1bb7beb chore(deps): bump openssl (#3402)
  • 3412fa2 docs(readme): fix platform support matrix (opener supports mobile)
  • af81fda docs(readme): fix platform support matrix (mobile is supported)
  • c1fd33b fix(opener): allow open network share locations (#3343)
  • 250857b chore(deps): update dependency typescript to v6 (#3363)
  • 964e13f fix(store): dead lock trying to set while exiting (#3395)
  • Additional commits viewable in compare view

Updates @tauri-apps/plugin-global-shortcut from 2.3.1 to 2.3.2

Release notes

Sourced from @​tauri-apps/plugin-global-shortcut's releases.

upload-js v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.

upload v2.3.2

[2.3.2]

  • 93426f85 Fixed an issue that caused docs.rs builds to fail. No user facing changes.

... (truncated)

Commits
  • e7a68fa publish new versions (#3068)
  • b5550a3 chore: temp delete updater changefile
  • 93426f8 fix: fix docsrs builds
  • 4ee61e0 Revert "chore: temp delete updater changefile"
  • 06124af publish new versions (#2972)
  • 060219e chore(deps): update dependency @​rollup/plugin-typescript to v12.3.0 (#3067)
  • c7e9766 chore(deps): update tauri monorepo (v2) (#3058)
  • d4a8ce9 chore(deps): update rust crate tokio-tungstenite to 0.28 (#3016)
  • cdc7eec chore(deps): update dependency @​rollup/plugin-typescript to v12.2.0 (#3066)
  • 6314b00 chore: temp delete updater changefile
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tauri-apps/plugin-global-shortcut since your current version.


Updates @tauri-apps/plugin-opener from 2.5.3 to 2.5.4

Release notes

Sourced from @​tauri-apps/plugin-opener's releases.

opener-js v2.5.4

[2.5.4]

opener v2.5.4

[2.5.4]

... (truncated)

Commits

Updates bits-ui from 2.18.0 to 2.18.1

Release notes

Sourced from bits-ui's releases.

bits-ui@2.18.1

Patch Changes

  • fix(text-selection-layer): snapshot enabled and pointer handlers for listeners (#2041)

  • fix(Tooltip): set wrapper pointer-events when hoverable content is disabled (#2041)

  • fix(Menu): prevent page scroll-jump on item hover when scroll-padding is set (#2035)

Commits
  • 25f8137 Version Packages (#2042)
  • 158364e fix(menu): use preventScroll when focusing items on hover and content on item...
  • 5a3f7ce fix(Tooltip): pointer event handling (#2041)
  • 788fc03 chore: update workflows to Node 24 and latest action versions (#2032)
  • See full diff in compare view

Updates dexie from 4.4.2 to 4.4.3

Release notes

Sourced from dexie's releases.

Dexie v4.4.3

This is a maintenance release with bug fixes and a configuration API improvement.

Related Package Releases

Package Version
dexie 4.4.3
dexie-cloud-addon 4.4.13

Bug Fixes

dexie@4.4.3

  • fix: delByKeyPath() creates empty intermediate objects on missing path. Dexie.delByKeyPath(obj, "foo.bar") on an object without foo would create {foo: {}} as a side effect instead of doing nothing. This caused a real-world bug in dexie-cloud-addon where clearing a dotted key from a changeSpec (e.g. claims.sub) would leave {claims: {}} in the spec, which then overwrote the inline primary key with undefined, resulting in: DataError: Evaluating the object store's key path did not yield a value. Fixed in setByKeyPath to bail out early when value is undefined and the intermediate path doesn't exist. (#2303)

  • fix: Collection.sortBy() mutates frozen array in immutable cache mode — calling .sortBy() on a table when using immutable cache mode could throw TypeError: Cannot assign to read only property because Array.sort() was called on a frozen array. Fixed by sorting on a copy instead. (#2294)

dexie-cloud-addon@4.4.12

  • rename: maxStringLength → largeStringThreshold — the string offloading option is renamed for clarity. The old name is kept as a backward-compatible alias. (#2290)

  • fix: blob writebacks routed through BlobSavingQueue to avoid PSD context loss — after an async native fetch (blob download), Dexie's PSD zone is no longer active, causing table.mutate() to crash with Cannot read properties of undefined (reading 'table'). This surfaced as [dexie-cloud:blobResolve] Failed to resolve BlobRefs. Fixed by always routing blob writebacks through BlobSavingQueue.saveBlobs(), which opens a proper Dexie rw-transaction in a fresh JS task. Fixes lazy blob mode crash when using Dexie hooks with dexie-cloud-addon. (#2302)

  • fix: eager blob downloader could starve RAM — the eager downloader triggered blobResolveMiddleware which resolved all pending blobs into memory at once. Fixed by downloading blobs in chunks with a query limit, so memory usage stays bounded regardless of how many blobs are pending. (#2302)

  • fix: in-flight blob downloads are now deduplicated — if a blob is requested after download starts but before it is persisted, the existing download promise is reused instead of starting a new download. (#2302)

  • fix: use cache: no-store for blob fetch requests — avoids the browser caching raw blob responses and double-storing them. (#2302)

dexie-cloud-addon@4.4.13

  • fix: DataError when applying server-side $logins update — when a user received a server update for the $logins table, dexie-cloud-addon tried to clear claims.sub from the changeSpec using delByKeyPath. Due to the bug above, this left {claims: {}} in the spec, overwriting the inline primary key with undefined and causing DataError: Evaluating the object store's key path did not yield a value. Fixed by guarding against empty changeSpec objects after key deletion. (#2304)

Other Changes

  • dexie-observable and dexie-syncable README updated to mark them as legacy/unmaintained, with a recommendation to use dexie-cloud-addon for sync. (#2298)
Commits
  • 30134f6 Trigger new dev build
  • 9dd614d DataError after updating a user in dexie cloud when that user got an update f...
  • 0919742 Trigger dev build
  • 2710301 Fix delByKeyPath so that it does not create empty object when keyPath is dott...
  • a024831 dexie-cloud-addon@4.4.12
  • 988ec9c Merge pull request #2302 from dexie/liz/fix-blobsave-hooks-psd-context
  • b74758f Use cache: no-store to avoid double storing blobs
  • ed59f5c Implify one bit more
  • f0bb943 Simplified the loop in eagerBlobDownloader by requesting keys first.
  • d2c3ef0 Bugfix: eager blob downloader would trigger blobResolveMiddleware and resolve...
  • Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.7

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible
Commits

Updates preact from 10.29.1 to 10.29.2

Release notes

Sourced from preact's releases.

10.29.2

Fixes

Maintenance

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for preact since your current version.


Updates svelte from 5.55.1 to 5.56.1

Release notes

Sourced from svelte's releases.

svelte@5.56.1

Patch Changes

  • fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

  • fix: parse declaration tag contents more robustly (#18353)

  • fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

  • fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

  • fix: tolerate whitespace before let/const in declaration tags (#18348)

  • fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

  • fix: more robust parsing of declaration tags with regards to type (#18330)

  • fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

  • fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

  • fix: check references for blockers on server, too (#18352)

svelte@5.56.0

Minor Changes

  • feat: allow declarations in the template (#18282)

Patch Changes

  • perf: use createElement instead of createElementNS for HTML elements (#18262)

  • perf: store current_sources as a Set for O(1) membership checks (#18278)

  • perf: deduplicate identical hoisted templates within a component (#18320)

  • perf: hoist rest_props exclude list as a module-scope Set (#18252)

svelte@5.55.10

Patch Changes

  • fix: unlink errored and otherwise finished batch (#18264)

  • perf: walk composedPath() directly in delegated event propagation (#18268)

  • fix: transfer effects when merging batches (#18254)

  • fix: allow $derived(await ...) in disconnected effect roots (#18273)

  • fix: remove temporary raw-text hydration markers (#18269)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.56.1

Patch Changes

  • fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)

  • fix: parse declaration tag contents more robustly (#18353)

  • fix: correctly transform references to earlier declarators in a declaration tag (e.g. {let a = $state(0), b = $derived(a * 2)}) (#18348)

  • fix: avoid spurious state_referenced_locally warnings for $derived declarations in declaration tags (#18348)

  • fix: tolerate whitespace before let/const in declaration tags (#18348)

  • fix: prevent infinite loop when a tag's expression ends with a trailing / at the end of the input (#18350)

  • fix: more robust parsing of declaration tags with regards to type (#18330)

  • fix: preserve newlines in spread input values when the type attribute is applied after value (#18345)

  • fix: update SvelteURLSearchParams when setting duplicate keys to the same joined value (#18336)

  • fix: check references for blockers on server, too (#18352)

5.56.0

Minor Changes

  • feat: allow declarations in the template (#18282)

Patch Changes

  • perf: use createElement instead of createElementNS for HTML elements (#18262)

  • perf: store current_sources as a Set for O(1) membership checks (#18278)

  • perf: deduplicate identical hoisted templates within a component (#18320)

  • perf: hoist rest_props exclude list as a module-scope Set (#18252)

Commits
  • 3ef761b Version Packages (#18346)
  • 5b8db1b fix: error at compile time on duplicate snippet/declaration tag definitions (...
  • 56013a2 fix: check references for blockers on server, too (#18352)
  • 2afb895 fix: parse declaration tags with a division operator in the initializer (#18353)
  • b471c15 fix: don't hang on a tag whose expression ends with a trailing slash (#18350)
  • c74f44f fix: don't mistake type identifier expressions for TS type declarations i...
  • b76b937 fix: various declaration tag bugs (#18348)
  • 378bb25 fix: set input type before spread value (#18345)
  • 2f6307a Fix searchParams.set duplicate updates (#18336)
  • 11985c0 docs: desloppify browser support page (#18333)
  • Additional commits viewable in compare view

Updates tailwind-merge from 3.5.0 to 3.6.0

Release notes

Sourced from tailwind-merge's releases.

v3.6.0

New Features

Documentation

Other

Bumps the production-deps group with 25 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@passwordless-id/webauthn](https://github.com/passwordless-id/webauthn) | `2.3.5` | `2.4.0` |
| [@tauri-apps/api](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.0` |
| [@tauri-apps/plugin-deep-link](https://github.com/tauri-apps/plugins-workspace) | `2.4.8` | `2.4.9` |
| [@tauri-apps/plugin-dialog](https://github.com/tauri-apps/plugins-workspace) | `2.7.0` | `2.7.1` |
| [@tauri-apps/plugin-fs](https://github.com/tauri-apps/plugins-workspace) | `2.5.0` | `2.5.1` |
| [@tauri-apps/plugin-global-shortcut](https://github.com/tauri-apps/plugins-workspace) | `2.3.1` | `2.3.2` |
| [@tauri-apps/plugin-opener](https://github.com/tauri-apps/plugins-workspace) | `2.5.3` | `2.5.4` |
| [bits-ui](https://github.com/huntabyte/bits-ui) | `2.18.0` | `2.18.1` |
| [dexie](https://github.com/dexie/Dexie.js) | `4.4.2` | `4.4.3` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.2` | `3.4.7` |
| [preact](https://github.com/preactjs/preact) | `10.29.1` | `10.29.2` |
| [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.55.1` | `5.56.1` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [@internationalized/date](https://github.com/adobe/react-spectrum) | `3.12.1` | `3.12.2` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.59.1` | `1.60.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.4` | `4.3.0` |
| [@tauri-apps/cli](https://github.com/tauri-apps/tauri) | `2.10.1` | `2.11.2` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.59.1` | `8.60.1` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.59.1` | `8.60.1` |
| [postcss](https://github.com/postcss/postcss) | `8.5.13` | `8.5.15` |
| [svelte-check](https://github.com/sveltejs/language-tools) | `4.4.7` | `4.5.0` |
| [svelte-eslint-parser](https://github.com/sveltejs/svelte-eslint-parser) | `1.6.0` | `1.7.1` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.59.1` | `8.60.1` |
| [workbox-cli](https://github.com/googlechrome/workbox) | `7.4.0` | `7.4.1` |



Updates `@passwordless-id/webauthn` from 2.3.5 to 2.4.0
- [Release notes](https://github.com/passwordless-id/webauthn/releases)
- [Commits](passwordless-id/webauthn@2.3.5...2.4.0)

Updates `@tauri-apps/api` from 2.10.1 to 2.11.0
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/api-v2.10.1...@tauri-apps/api-v2.11.0)

Updates `@tauri-apps/plugin-deep-link` from 2.4.8 to 2.4.9
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@deep-link-v2.4.8...deep-link-v2.4.9)

Updates `@tauri-apps/plugin-dialog` from 2.7.0 to 2.7.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@log-v2.7.0...log-v2.7.1)

Updates `@tauri-apps/plugin-fs` from 2.5.0 to 2.5.1
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@fs-v2.5.0...fs-v2.5.1)

Updates `@tauri-apps/plugin-global-shortcut` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@os-v2.3.1...os-v2.3.2)

Updates `@tauri-apps/plugin-opener` from 2.5.3 to 2.5.4
- [Release notes](https://github.com/tauri-apps/plugins-workspace/releases)
- [Commits](tauri-apps/plugins-workspace@http-v2.5.3...http-v2.5.4)

Updates `bits-ui` from 2.18.0 to 2.18.1
- [Release notes](https://github.com/huntabyte/bits-ui/releases)
- [Commits](https://github.com/huntabyte/bits-ui/compare/bits-ui@2.18.0...bits-ui@2.18.1)

Updates `dexie` from 4.4.2 to 4.4.3
- [Release notes](https://github.com/dexie/Dexie.js/releases)
- [Commits](dexie/Dexie.js@v4.4.2...v4.4.3)

Updates `dompurify` from 3.4.2 to 3.4.7
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.2...3.4.7)

Updates `preact` from 10.29.1 to 10.29.2
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](preactjs/preact@10.29.1...10.29.2)

Updates `svelte` from 5.55.1 to 5.56.1
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte/commits/svelte@5.56.1/packages/svelte)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `@internationalized/date` from 3.12.1 to 3.12.2
- [Release notes](https://github.com/adobe/react-spectrum/releases)
- [Commits](https://github.com/adobe/react-spectrum/compare/@internationalized/date@3.12.1...@internationalized/date@3.12.2)

Updates `@playwright/test` from 1.59.1 to 1.60.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.59.1...v1.60.0)

Updates `@tailwindcss/postcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-postcss)

Updates `@tauri-apps/cli` from 2.10.1 to 2.11.2
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/cli-v2.10.1...@tauri-apps/cli-v2.11.2)

Updates `@typescript-eslint/eslint-plugin` from 8.59.1 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.59.1 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/parser)

Updates `postcss` from 8.5.13 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.13...8.5.15)

Updates `svelte-check` from 4.4.7 to 4.5.0
- [Release notes](https://github.com/sveltejs/language-tools/releases)
- [Commits](https://github.com/sveltejs/language-tools/compare/svelte-check@4.4.7...svelte-check@4.5.0)

Updates `svelte-eslint-parser` from 1.6.0 to 1.7.1
- [Release notes](https://github.com/sveltejs/svelte-eslint-parser/releases)
- [Changelog](https://github.com/sveltejs/svelte-eslint-parser/blob/main/CHANGELOG.md)
- [Commits](sveltejs/svelte-eslint-parser@v1.6.0...v1.7.1)

Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `typescript-eslint` from 8.59.1 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/typescript-eslint)

Updates `workbox-cli` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/googlechrome/workbox/releases)
- [Commits](GoogleChrome/workbox@v7.4.0...v7.4.1)

---
updated-dependencies:
- dependency-name: "@passwordless-id/webauthn"
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/api"
  dependency-version: 2.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-deep-link"
  dependency-version: 2.4.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-dialog"
  dependency-version: 2.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-fs"
  dependency-version: 2.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-global-shortcut"
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@tauri-apps/plugin-opener"
  dependency-version: 2.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: bits-ui
  dependency-version: 2.18.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dexie
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: dompurify
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: preact
  dependency-version: 10.29.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: svelte
  dependency-version: 5.56.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@internationalized/date"
  dependency-version: 3.12.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: "@playwright/test"
  dependency-version: 1.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@tauri-apps/cli"
  dependency-version: 2.11.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
- dependency-name: svelte-check
  dependency-version: 4.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: svelte-eslint-parser
  dependency-version: 1.7.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: typescript-eslint
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: production-deps
- dependency-name: workbox-cli
  dependency-version: 7.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: production-deps
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github Jun 3, 2026

Labels

The following labels could not be found: `dependencies`. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from `dependabot.yml`.
