Bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the /portal directory:

Package	From	To
rollup	2.79.1	2.79.2
svelte	3.49.0	5.14.1
svelte-preprocess	4.6.5	6.0.3
braces	3.0.2	3.0.3
ws	6.2.2	6.2.3

Updates rollup from 2.79.1 to 2.79.2

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

3.29.5

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5670: refactor: Use object.prototype to check for reserved properties (@​YuHyeonWook)
• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.3

2024-09-21

Bug Fixes

• Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

• #5669: Ensure impure dependencies of pure modules are added (@​lukastaegert)

4.22.2

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Updates svelte from 3.49.0 to 5.14.1

Release notes

Sourced from svelte's releases.

[email protected]

Patch Changes

• fix: improve unowned derived performance (#14724)

[email protected]

Minor Changes

• feat: adds $inspect.trace rune (#14290)

[email protected]

Minor Changes

• feat: add outro option to unmount (#14540)

• feat: provide loose parser mode (#14691)

[email protected]

Minor Changes

• feat: expose more AST types from "svelte/compiler" (#14601)

Patch Changes

• fix: don't add parenthesis to media query if already present (#14699)

• fix: ensure if block paths retain correct template namespacing (#14685)

[email protected]

Patch Changes

• fix: allow unquoted slash in attributes (#14615)

• fix: better handle hydration of script/style elements (#14683)

• fix: make defaultValue work with spread (#14640)

• fix: avoid mutation validation for invalidate_inner_signals (#14688)

[email protected]

Patch Changes

• fix: correctly handle ssr for reactivity/window (#14681)

[email protected]

Patch Changes

• fix: account for global block in is_empty (#14677)

• fix: remove overzealous reactive_declaration_non_reactive_property warning (#14663)

... (truncated)

Changelog

Sourced from svelte's changelog.

svelte

4.2.3

Patch Changes

• fix: improve a11y-click-events-have-key-events message (#9358)

• fix: more robust hydration of html tag (#9184)

4.2.2

Patch Changes

• fix: support camelCase properties on custom elements (#9328)

• fix: add missing plaintext-only value to contenteditable type (#9242)

• chore: upgrade magic-string to 0.30.4 (#9292)

• fix: ignore trailing comments when comparing nodes (#9197)

4.2.1

Patch Changes

• fix: update style directive when style attribute is present and is updated via an object prop (#9187)

• fix: css sourcemap generation with unicode filenames (#9120)

• fix: do not add module declared variables as dependencies (#9122)

• fix: handle svelte:element with dynamic this and spread attributes (#9112)

• fix: silence false positive reactive component warning (#9094)

• fix: head duplication when binding is present (#9124)

• fix: take custom attribute name into account when reflecting property (#9140)

• fix: add indeterminate to the list of HTMLAttributes (#9180)

• fix: recognize option value on spread attribute (#9125)

4.2.0

Minor Changes

• feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

... (truncated)

Commits

• e0e9990 Version Packages (#14728)
• 699dc6e fix: improve unowned derived performance (#14724)
• bbf3829 Version Packages (#14715)
• 5483495 feat: add $inspect.trace rune (#14290)
• 64a32ce Version Packages (#14708)
• 9f96417 note when features were added (#14709)
• b0e3c5b feat: add outro option to unmount (#14540)
• f0af633 feat: loose parser mode (#14691)
• af9b071 Version Packages (#14698)
• 887ce6a fix: don't add parenthesis to media query if already present (#14699)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by svelte-admin, a new releaser for svelte since your current version.

Updates svelte-preprocess from 4.6.5 to 6.0.3

Changelog

Sourced from svelte-preprocess's changelog.

6.0.3 (2024-09-26)

Bug Fixes

• add pug mixins to support svelte-5 syntax (#654) (9d49f3d)
• ignore sass deprecation warning (#657) (9b54325), closes #656

6.0.2 (2024-07-09)

Bug Fixes

• remove customConditions tsconfig option (#648) (afb80ae), closes #646

6.0.1 (2024-06-14)

Bug Fixes

• deprecate default export in favor of named export (#641) (a43de10), closes #591

6.0.0 (2024-06-12)

BREAKING CHANGES

• remove TS mixed imports support, require TS 5.0 or higher
• remove preserve option as it's unnecessary
• require Svelte 4+, Node 18+
• add exports map

Bug Fixes

• adjust globalifySelector to not split selectors with parentheses. (#632) (c435ebd), closes #501
• fix: allow TS filename to be undefined, fixes #488
• fix: adjust Svelte compiler type import
• fix: remove pug types and magic-string from dependencies
• chore: bump peer deps, fixes #553

5.1.4 (2024-04-16)

Bug Fixes

• remove pnpm version restriction (#629) (2713b82)

5.1.3 (2023-12-18)

... (truncated)

Commits

• c522b8e chore(release): 6.0.3
• 455e6e9 chore: cleanup fix
• 9b54325 fix: ignore sass deprecation warning (#657)
• 9d49f3d fix: add pug mixins to support svelte-5 syntax (#654)
• 359b1f6 docs: update broken documentation example (#650)
• 45b4604 chore: release 6.0.2
• 170ab95 chore: remove all dependencies (#645)
• 9e5fe59 chore: fall back to verbatimModuleSyntax if possible (#649)
• a7a88c6 docs: enhance TypeScript migration guide
• afb80ae fix: remove customConditions tsconfig option (#648)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by dummdidumm, a new releaser for svelte-preprocess since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates ws from 6.2.2 to 6.2.3

Release notes

Sourced from ws's releases.

6.2.3

Bug fixes

• Backported e55e5106 to the 6.x release line (eeb76d31).

Commits

• d87f3b6 [dist] 6.2.3
• eeb76d3 [security] Fix crash when the Upgrade header cannot be read (#2231)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml