Bump the npm_and_yarn group with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates: @sveltejs/kit, vite, cross-spawn and nanoid.

Updates @sveltejs/kit from 2.7.1 to 2.16.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.16.1

Patch Changes

• fix: avoid overwriting headers for sub-requests made while loading the error page (#13341)

• fix: correctly resolve index file entrypoints such as src/service-worker/index.js (#13354)

• fix: correctly handle relative anchors when using the hash router (#13356)

@​sveltejs/kit@​2.16.0

Minor Changes

• feat: add ability to invalidate a custom identifier on goto() (#13256)

• feat: remove the postinstall script to support pnpm 10 (#13304)

  NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

  ▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]
  tsconfig.json:2:12:
    2 │   "extends": "./.svelte-kit/tsconfig.json",
      ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

• feat: provide PageProps and LayoutProps types (#13308)

Patch Changes

• perf: shorten chunk file names (#13003)

• fix: strip internal data before passing URL to reroute (#13092)

• fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#12217)

• fix: use current window.fetch for server load fetch requests (#13315)

• fix: resolve symlinks when handling routes (#12740)

• fix: prevent infinite reload when using the hash router and previewing /index.html (#13296)

• fix: service worker base path in dev mode (#12577)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.16.1

Patch Changes

• fix: avoid overwriting headers for sub-requests made while loading the error page (#13341)

• fix: correctly resolve index file entrypoints such as src/service-worker/index.js (#13354)

• fix: correctly handle relative anchors when using the hash router (#13356)

2.16.0

Minor Changes

• feat: add ability to invalidate a custom identifier on goto() (#13256)

• feat: remove the postinstall script to support pnpm 10 (#13304)

  NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

  ▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]
  tsconfig.json:2:12:
    2 │   "extends": "./.svelte-kit/tsconfig.json",
      ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

• feat: provide PageProps and LayoutProps types (#13308)

Patch Changes

• perf: shorten chunk file names (#13003)

• fix: strip internal data before passing URL to reroute (#13092)

• fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#12217)

• fix: use current window.fetch for server load fetch requests (#13315)

• fix: resolve symlinks when handling routes (#12740)

... (truncated)

Commits

• 7c81ac9 Version Packages (#13353)
• ab58c22 fix: correctly check index file exists when resolving an entry (#13354)
• a8bdcf8 fix: correctly handle relative anchors when hash router is enabled (#13356)
• b764298 fix: do not replace headers on fetch requests with error state (#13341)
• f5103c6 docs: document derived use of $app/state's page (#13346)
• 18d69fb docs: mention page state (#13348)
• 702575e chore: upgrade to vitest 3 (#13330)
• 537cd1b Version Packages (#13316)
• 6774ebc fix: strip internal data before passing URL to reroute (#13092)
• 37f72fb fix: inline server stylesheets instead of client stylesheets (#13068)
• Additional commits viewable in compare view

Updates vite from 5.4.8 to 5.4.14

Release notes

Sourced from vite's releases.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Please refer to CHANGELOG.md for details.

v5.4.10

Please refer to CHANGELOG.md for details.

v5.4.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

• fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

5.4.11 (2024-11-11)

• fix(deps): update dependencies of postcss-modules (ceb15db), closes #18617

5.4.10 (2024-10-23)

• fix: backport #18367,augment hash for CSS files to prevent chromium erroring by loading previous fil (7d1a3bc), closes #18367 #18412

5.4.9 (2024-10-14)

• fix: bump launch-editor-middleware to v2.9.1 (#18348) (508d9ab), closes #18348
• fix(css): fix lightningcss dep url resolution with custom root (#18125) (eae00b5), closes #18125
• fix(data-uri): only match ids starting with data: (#18241) (96084d6), closes #18241
• fix(deps): bump tsconfck (#18322) (dc5434c), closes #18322
• fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252) (851b258), closes #18252
• fix(ssr): (backport #18150) fix source map remapping with multiple sources (#18204) (262a879), closes #18204
• chore: update all url references of vitejs.dev to vite.dev (#18276) (c23558a), closes #18276
• chore: update license copyright (#18278) (1864eb1), closes #18278
• docs: update homepage (#18274) (ae44163), closes #18274

Commits

• e7eb3c5 release: v5.4.14
• 7d1699c fix: allow CORS from loopback addresses by default (#19249)
• 9df6e6b fix: preview.allowedHosts with specific values was not respected (#19246)
• a1824c5 release: v5.4.13
• 5946215 fix: try parse server.origin URL (#19241)
• f428aa9 release: v5.4.12
• 9da4abc fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
• b71a5c8 fix: verify token for HMR WebSocket connection
• dfea38f fix!: default server.cors: false to disallow fetching from untrusted origins
• ecd2375 chore: add deps update changelog
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates nanoid from 3.3.7 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.