Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sentry/deno (source)	^10.49.0 → ^10.50.0
@sentry/svelte (source)	^10.49.0 → ^10.50.0
@sveltejs/kit (source)	^2.57.1 → ^2.58.0
@turf/distance	^7.3.4 → ^7.3.5
axios (source)	^1.15.0 → ^1.15.2
maplibre-gl (source)	^5.23.0 → ^5.24.0
svelte (source)	^5.55.4 → ^5.55.5
vite (source)	^8.0.8 → ^8.0.10
vite-plugin-lucide-preprocess	^1.4.8 → ^1.4.10
vitest (source)	^4.1.4 → ^4.1.5

---

Release Notes

getsentry/sentry-javascript (@​sentry/deno)

v10.50.0

Compare Source

sveltejs/kit (@​sveltejs/kit)

v2.58.0

Compare Source

Minor Changes

• breaking: require limit in requested (as originally intended) (#​15739)

• feat: RemoteQueryFunction gains an optional third generic parameter Validated (defaulting to Input) that represents the argument type after schema validation/transformation (#​15739)

• breaking: requested now yields { arg, query } entries instead of the validated argument (#​15739)

Patch Changes

• fix: allow query().current, .error, .loading, and .ready to work in non-reactive contexts (#​15699)

• fix: prevent deep_set crash on nullish nested values (#​15600)

• fix: restore correct RemoteFormFields typing for nullable array fields (e.g. when a schema uses .default([])), so .as('checkbox') and friends work again (#​15723)

• fix: don't warn about removed SSI comments in transformPageChunk (#​15695)

  Server-side include (SSI) directives like <!--#include virtual="..." --> are HTML comments that are replaced by servers such as nginx. Previously, removing them in transformPageChunk would trigger a false positive warning about breaking Svelte's hydration. Since SSI comments always start with <!--# and Svelte's hydration comments never do, they can be safely excluded from the check.

• Change enhance function return type from void to MaybePromise. (#​15710)

• fix: throw an error when resolve is called with an external URL (#​15733)

• fix: avoid FOUC for CSR-only pages by loading styles and fonts before CSR starts (#​15718)

• fix: reset form result on redirect (#​15724)

Turfjs/turf (@​turf/distance)

v7.3.5

Compare Source

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

maplibre/maplibre-gl-js (maplibre-gl)

v5.24.0

Compare Source

✨ Features and improvements

• GPU performance optimization: Render halo and glyph in a single pass (-40% Time Reduction) (#​7436) (by @​xavierjs)
• Optimize matrix inversions and reduce GPU stalls (#​7367) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#​7077) (by @​CommanderStorm)

🐞 Bug fixes

• Fix Popup not updating its position when switching between terrain/globe projections (#​7468) (by @​CommanderStorm)
• Skip fog computation when fog opacity is zero (#​7476) (by @​CommanderStorm)

sveltejs/svelte (svelte)

v5.55.5

Compare Source

Patch Changes

• fix: don't mark deriveds while an effect is updating (#​18124)

• fix: do not dispatch introstart event with animation of animate directive (#​18122)

vitejs/vite (vite)

v8.0.10

Compare Source

Features

• update rolldown to 1.0.0-rc.17 (#​22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#​22278) (9437518)
• typecheck client directory (#​22284) (40a0847)

v8.0.9

Compare Source

Features

• update rolldown to 1.0.0-rc.16 (#​22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#​22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#​22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#​22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#​22039) (374bb5d)
• deps: update all non-major dependencies (#​22219) (4cd0d67)
• deps: update all non-major dependencies (#​22268) (c28e9c1)
• detect Deno workspace root (fix #​22237) (#​22238) (1b793c0)
• dev: handle errors in watchChange hook (#​22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#​22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#​22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#​22231) (44c42b9)
• fix reuses wording in dev environment comment (#​22173) (9163412)
• fix wording in sass error comment (#​22214) (bc5c6a7)
• update build CLI defaults (#​22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#​22271) (0a3887d)

WarningImHack3r/vite-plugin-lucide-preprocess (vite-plugin-lucide-preprocess)

v1.4.10

Compare Source

• Add explicit support for Rolldown's prereleases (#​58)

v1.4.9: - Automated release

Compare Source

• Add support for newly renamed components in Lucide v1.9.0

[!NOTE]
This is a fully-automated release.
Despite its content being manually checked after its release, it might be incorrect or potentially break some compatibility with Lucide.
If you happen to notice any issue I might not be aware of or actively working on, please open an issue.

vitest-dev/vitest (vitest)

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for pauseai canceled.

Name	Link
🔨 Latest commit	79969bb
🔍 Latest deploy log	https://app.netlify.com/projects/pauseai/deploys/69eb64c962c153000852a1c7