Bump the npm_and_yarn group across 2 directories with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 14 updates in the / directory:

Package	From	To
happy-dom	19.0.2	20.8.9
postcss	8.5.6	8.5.10
svelte	4.2.20	5.55.7
vite	5.4.21	6.4.2
storybook	9.1.16	9.1.19
@sveltejs/kit	2.49.0	2.60.1
@sveltejs/adapter-vercel	5.10.3	6.3.2
wrangler	4.47.0	4.59.1
handlebars	4.7.8	4.7.9
mermaid	11.12.1	11.15.0
rollup	4.53.2	4.59.0
brace-expansion	1.1.12	5.0.6
dompurify	3.3.0	3.4.5
uuid	9.0.1	14.0.0

Bumps the npm_and_yarn group with 2 updates in the /js/dataframe-interim directory: svelte and vite.

Updates happy-dom from 19.0.2 to 20.8.9

Release notes

Sourced from happy-dom's releases.

v20.8.9

👷‍♂️ Patch fixes

• Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @​capricorn86 in task #2117
  • A security advisory (GHSA-w4gp-fjgq-3q4g) was reported for this security vulnerability. Big thanks to @​r74tech for reporting this!

v20.8.8

👷‍♂️ Patch fixes

• Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
  • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

• Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

• Request.formData() should honor "Content-Type" header - By @​brianhelba in task #2106

v20.8.5

👷‍♂️ Patch fixes

• Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

• Replace ConsoleConstructor import with indexed access type - By @​YevheniiKotyrlo in task #1845

v20.8.3

👷‍♂️ Patch fixes

• Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

• Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

• Make "inert" attribute block focus interactions - By @​coffeeandwork in task #1422

v20.8.0

🎨 Features

• Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

• Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

👷‍♂️ Patch fixes

• Fixes issue related to parsing direct descendants (>) and universal (*) query selectors - By @​Cherry in task #2078

... (truncated)

Commits

• 68324c2 fix: #2117 Fixes issue related to cookies from the current origin being for...
• 5437fdf fix: #2113 Fixes issue where export names can be interpolated as executable...
• 7e97acb fix: #1845 Replace implementing Node js Console with common IConsole interf...
• 3373929 fix: #2106 Request.formData() should honor Content-Type header (#2107)
• 55c17ba fix: #2110 Fixes error thrown when modifying DOM structure in connectedCall...
• 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
• 5998eea fix: #2054 Throw error if event is not of type Event in dispatchEvent (#2092)
• 7a11238 fix: #2090 Resets cancelBubble and defaultPrevented when calling initEvent ...
• 7d27984 fix: #1422 Make inert attribute block focus interactions (#2083)
• 53e4ec9 feat: #1733 Adds support for setPointerCapture, hasPointerCapture, and rele...
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates svelte from 4.2.20 to 5.55.7

Release notes

Sourced from svelte's releases.

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

• fix: resolve stale deriveds with latest value (#18167)

• chore: remove unnecessary increment_pending calls (#18183)

• fix: correctly compile component member expressions for SSR (#18192)

• fix: reset source.updated stack traces after flush (#18196)

• fix: replacing async 'blocking' strategy with 'merging' (#18205)

• fix: allow @debug tags to reference awaited variables (#18138)

• fix: re-run fallback props if dependencies update (#18146)

• fix: abort running obsolete async branches (#18118)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

• chore: allow null for pending in typings (#18201)

• fix: flush eager effects in production (#18107)

• fix: rethrow error of failed iterable after calling return() (#18169)

• fix: account for proxified instance when updating bind:this (#18147)

• fix: ensure scheduled batch is flushed if not obsolete (#18131)

• fix: resolve stale deriveds with latest value (#18167)

• chore: remove unnecessary increment_pending calls (#18183)

• fix: correctly compile component member expressions for SSR (#18192)

• fix: reset source.updated stack traces after flush (#18196)

• fix: replacing async 'blocking' strategy with 'merging' (#18205)

• fix: allow @debug tags to reference awaited variables (#18138)

• fix: re-run fallback props if dependencies update (#18146)

... (truncated)

Commits

• 4d8f99a Version Packages (#18220)
• 0552308 chore: bump devalue (#18219)
• e1cbbd9 Merge commit from fork
• a16ebc6 Merge commit from fork
• d2375e2 Merge commit from fork
• 547853e Merge commit from fork
• 55f9c85 Version Packages (#18158)
• a10e8e4 fix: keep dependencies of $state.eager/pending (alternative approach) (#1...
• ef4b97d fix: duplicated "of" in events.js comment (#18217)
• 5122936 fix: treat batches as a linked list (#18205)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for svelte since your current version.

Updates vite from 5.4.21 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

• feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736
• fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735
• test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

• fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Updates storybook from 9.1.16 to 9.1.19

Release notes

Sourced from storybook's releases.

v9.1.19

9.1.19

• Harden websocket connection

v9.1.18

9.1.18

• No-op release. No changes.

Changelog

Sourced from storybook's changelog.

9.1.19

• Harden websocket connection

9.1.18

• No-op release. No changes.

Commits

• 20887f1 Bump version from "9.1.18" to "9.1.19" [skip ci]
• 66b2d8e Fix test
• 31f16c4 fix linting
• 62dd25b Core: Require token for websocket connections
• bbe61e3 Bump version from "9.1.17" to "9.1.18" [skip ci]
• d0d5a3d Bump version from 9.1.16 to 9.1.17 MANUALLY
• a06c257 filter env vars from .env files
• See full diff in compare view

Updates @sveltejs/kit from 2.49.0 to 2.60.1

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

@​sveltejs/kit@​2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

@​sveltejs/kit@​2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

@​sveltejs/kit@​2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

• fix: empty call to .updates() on a command/form invocation means "don't update anything" (#15705)

• fix: form.fields.foo.as('checkbox', default_value) now works (#15752)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.60.1

Patch Changes

• chore: bump svelte and devalue (#15836)

• fix: prevent query.batch cross-talk (dadaefc)

2.60.0

Minor Changes

• feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans (#15802)

• feat: warn on unread form remote function validation issues (#15653)

Patch Changes

• fix: abort navigation after async rendering if obsolete (#15811)

• fix: skip refreshing queries on full-page reload form submissions (#15803)

2.59.1

Patch Changes

• fix: resolve paths to route files with the letter drive on Windows (#15793)

2.59.0

Minor Changes

• feat: support query.batch in requested(...) (#15751)

• breaking: on the server, make the promise returned from refresh represent adding the refresh to the map, not the time it takes to run the remote function (#15705)

• feat: experimental query.live function (#15705)

Patch Changes

• fix: unwrap Promise in RemoteCommand output type (#15771)

... (truncated)

Commits

• d020406 Version Packages (#15838)
• 16b07a2 chore: bump svelte and devalue (#15836)
• dadaefc Merge commit from fork
• db8e8ae Version Packages (#15810)
• 2549a44 feat: allow 'submit' and 'hidden' form fields to accept numbers and booleans ...
• d3b5257 fix: skip refreshing queries on full-page reload form submissions (#15803)
• ea0b9a7 fix: abort navigation after async rendering if obsolete (#15811)
• a45e720 feat: warn on unread validation issues (#15653)
• 9cfa07d Version Packages (#15795)
• e547ec1 fix: resolve user files with drive letter on Windows (#15793)
• Additional commits viewable in compare view

Updates @sveltejs/adapter-vercel from 5.10.3 to 6.3.2

Release notes

Sourced from @​sveltejs/adapter-vercel's releases.

@​sveltejs/adapter-vercel@​6.3.2

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

@​sveltejs/adapter-vercel@​6.3.1

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#15098)

• fix: prevent isr routes from handling remote function calls (#15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

@​sveltejs/adapter-vercel@​6.3.0

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

@​sveltejs/adapter-vercel@​6.2.0

Minor Changes

• feat: Node 24 support (#14982)

@​sveltejs/adapter-vercel@​6.1.2

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

@​sveltejs/adapter-vercel@​6.1.1

Patch Changes

• chore: improve runtime config parsing (#14838)

• Updated dependencies [cd72d94, 53b1b73, 2ccc638]:

  • @​sveltejs/kit@​2.48.3

... (truncated)

Changelog

Sourced from @​sveltejs/adapter-vercel's changelog.

6.3.2

Patch Changes

• fix: 404 for immutable assets that don't match static files (c67da8a)

• Updated dependencies [3e607b3, 62991c8, f47c01b]:

  • @​sveltejs/kit@​2.52.2

6.3.1

Patch Changes

• feat: show remote function calls under the /_app/remote route in observability (#15098)

• fix: prevent isr routes from handling remote function calls (#15098)

• Updated dependencies [46c1ebd, 2dd74c8, 8871b54]:

  • @​sveltejs/kit@​2.50.1

6.3.0

Minor Changes

• chore: mark RequestContext as deprecated and refer to @vercel/functions (#14725)

Patch Changes

• Updated dependencies [e67613c, a5c313e, 06de550]:
  • @​sveltejs/kit@​2.49.3

6.2.0

Minor Changes

• feat: Node 24 support (#14982)

6.1.2

Patch Changes

• chore(deps): upgrade to @vercel/nft version 1.0.0 to reduce dependencies (#14950)

• Updated dependencies [0889a2a, 2ff3951, 5b30755]:

  • @​sveltejs/kit@​2.48.7

6.1.1

Patch Changes

... (truncated)

Commits

• 9c4a737 Version Packages (#15338)
• c67da8a Merge commit from fork
• 3b2ea1b Version Packages (#15186)
• 3fdb3ad fix: prevent isr routes from handling remote function calls (#15085) (#15098)
• 1399bd5 Version Packages (#15091)
• 0da365a chore(deps): update vitest monorepo to v4 (major) (#14789)
• 0280f4b feat: expose waitUntil also for serverless runtime & add docs (#14725)
• 79bb212 chore: Use formatter for robustness (#15006)
• 9fda2fc Version Packages (#14985)
• e295db5 feat: Add Node 24 support to Vercel adapter (#14982)
• Additional commits viewable in compare view

Updates wrangler from 4.47.0 to 4.59.1

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates mermaid from 11.12.1 to 11.15.0

Release notes

Sourced from mermaid's releases.

mermaid@11.15.0

Minor Changes

• #7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config: