chore(deps): update dependency svelte to v5.55.9

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.55.5 → 5.55.9

---

Release Notes

sveltejs/svelte (svelte)

v5.55.9

Compare Source

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#​18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#​18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#​18243)

• fix: avoid false-positive batch invariant error (#​18246)

• fix: inline primitive constants in attribute values during SSR (#​18232)

v5.55.8

Compare Source

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#​18234)

• fix: execute uninitialized derived even if it's destroyed (#​18228)

• fix: use named symbols everywhere (#​18238)

• fix: don't run teardown effects when deriveds are unfreezed (#​18227)

• fix: unset context synchronously in run (#​18236)

v5.55.7

Compare Source

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#​18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

v5.55.6

Compare Source

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#​18180)

• fix: keep dependencies of $state.eager/pending (#​18218)

• fix: reapply context after transforming error during SSR (#​18099)

• fix: don't rebase just-created batches (#​18117)

• chore: allow null for pending in typings (#​18201)

• fix: flush eager effects in production (#​18107)

• fix: rethrow error of failed iterable after calling return() (#​18169)

• fix: account for proxified instance when updating bind:this (#​18147)

• fix: ensure scheduled batch is flushed if not obsolete (#​18131)

• fix: resolve stale deriveds with latest value (#​18167)

• chore: remove unnecessary increment_pending calls (#​18183)

• fix: correctly compile component member expressions for SSR (#​18192)

• fix: reset source.updated stack traces after flush (#​18196)

• fix: replacing async 'blocking' strategy with 'merging' (#​18205)

• fix: allow @debug tags to reference awaited variables (#​18138)

• fix: re-run fallback props if dependencies update (#​18146)

• fix: abort running obsolete async branches (#​18118)

• fix: ignore comments when reading CSS values (#​18153)

• fix: wrap Promise.all in save during SSR (#​18178)

• fix: ignore false-positive errors of $inspect dependencies (#​18106)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​svelte@​5.55.9
	npm/​astro@​6.3.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm astro is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: docs/package.json → npm/astro@6.3.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@6.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm cytoscape is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: docs/pnpm-lock.yaml → npm/cytoscape@3.33.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cytoscape@3.33.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: docs/pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: docs/pnpm-lock.yaml → npm/entities@6.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm svelte is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ui/package.json → npm/svelte@5.55.9 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@5.55.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.61%. Comparing base (bd5269d) to head (1f62a96).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #830      +/-   ##
==========================================
+ Coverage   80.58%   80.61%   +0.02%     
==========================================
  Files         265      265              
  Lines       27501    27501              
==========================================
+ Hits        22162    22169       +7     
+ Misses       3886     3882       -4     
+ Partials     1453     1450       -3     

Flag	Coverage Δ
integration	8.79% <ø> (ø)
unit	77.74% <ø> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.