Bump svelte and svelte-preprocess in /core #4054

Open: wants to merge 12 commits into base: main

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Dec 5, 2024

Bumps svelte and svelte-preprocess. These dependencies needed to be updated together.
Updates svelte from 3.54.0 to 5.6.2

Release notes

Sourced from svelte's releases.

[email protected]

Patch Changes

  • chore: make if blocks tree-shakable (#14549)

[email protected]

Patch Changes

  • fix: handle static form values in combination with default values (#14555)

[email protected]

Minor Changes

  • feat: support defaultValue/defaultChecked for inputs (#14289)

[email protected]

Patch Changes

  • fix: better error messages for invalid HTML trees (#14445)

  • fix: remove spreaded event handlers when they become nullish (#14546)

  • fix: respect the unidirectional nature of time (#14541)

[email protected]

Patch Changes

  • fix: don't try to add owners to non-$state class fields (#14533)

  • fix: capture infinite_loop_guard in error boundary (#14534)

  • fix: proxify values when assigning using ||=, &&= and ??= operators (#14273)

[email protected]

Patch Changes

  • fix: use correct reaction when lazily creating deriveds inside SvelteDate (#14525)

[email protected]

Minor Changes

  • feat: allow snippets to be exported from module scripts (#14315)

Patch Changes

  • fix: ignore TypeScript generics on variables (#14509)

[email protected]

Minor Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

svelte

4.2.3

Patch Changes

  • fix: improve a11y-click-events-have-key-events message (#9358)

  • fix: more robust hydration of html tag (#9184)

4.2.2

Patch Changes

  • fix: support camelCase properties on custom elements (#9328)

  • fix: add missing plaintext-only value to contenteditable type (#9242)

  • chore: upgrade magic-string to 0.30.4 (#9292)

  • fix: ignore trailing comments when comparing nodes (#9197)

4.2.1

Patch Changes

  • fix: update style directive when style attribute is present and is updated via an object prop (#9187)

  • fix: css sourcemap generation with unicode filenames (#9120)

  • fix: do not add module declared variables as dependencies (#9122)

  • fix: handle svelte:element with dynamic this and spread attributes (#9112)

  • fix: silence false positive reactive component warning (#9094)

  • fix: head duplication when binding is present (#9124)

  • fix: take custom attribute name into account when reflecting property (#9140)

  • fix: add indeterminate to the list of HTMLAttributes (#9180)

  • fix: recognize option value on spread attribute (#9125)

4.2.0

Minor Changes

  • feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

... (truncated)

Maintainer changes

This version was pushed to npm by svelte-admin, a new releaser for svelte since your current version.


Updates svelte-preprocess from 4.10.7 to 6.0.3

Changelog

Sourced from svelte-preprocess's changelog.

6.0.3 (2024-09-26)

Bug Fixes

6.0.2 (2024-07-09)

Bug Fixes

6.0.1 (2024-06-14)

Bug Fixes

  • deprecate default export in favor of named export (#641) (a43de10), closes #591

6.0.0 (2024-06-12)

BREAKING CHANGES

  • remove TS mixed imports support, require TS 5.0 or higher
  • remove preserve option as it's unnecessary
  • require Svelte 4+, Node 18+
  • add exports map

Bug Fixes

  • adjust globalifySelector to not split selectors with parentheses. (#632) (c435ebd), closes #501
  • fix: allow TS filename to be undefined, fixes #488
  • fix: adjust Svelte compiler type import
  • fix: remove pug types and magic-string from dependencies
  • chore: bump peer deps, fixes #553

5.1.4 (2024-04-16)

Bug Fixes

5.1.3 (2023-12-18)

... (truncated)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) and [svelte-preprocess](https://github.com/sveltejs/svelte-preprocess). These dependencies needed to be updated together.

Updates `svelte` from 3.54.0 to 5.6.2
- [Release notes](https://github.com/sveltejs/svelte/releases)
- [Changelog](https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG-pre-5.md)
- [Commits](https://github.com/sveltejs/svelte/commits/[email protected]/packages/svelte)

Updates `svelte-preprocess` from 4.10.7 to 6.0.3
- [Changelog](https://github.com/sveltejs/svelte-preprocess/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/svelte-preprocess/commits/v6.0.3)

---
updated-dependencies:
- dependency-name: svelte
  dependency-type: direct:development
- dependency-name: svelte-preprocess
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 5, 2024
@walmazacn
Contributor

walmazacn commented Dec 5, 2024

It seems there's no need to update Svelte to v5, as this vulnerability has been fixed already in version 4.2.19

Also - to keep things compatible - 'svelte-preprocess' might be updated to version 5.1.4 instead of v6

What's more, proper migration from Svelte v3 to v4 needs to be handled:
https://svelte.dev/docs/svelte/v4-migration-guide

@walmazacn walmazacn self-assigned this Dec 5, 2024
Contributor

@walmazacn walmazacn left a comment

Lower versions should be tested first - also against other deps in core

Contributor

@walmazacn walmazacn left a comment

LGTM 👍

@walmazacn
Contributor

Bundle stats BEFORE upgrade:
public/luigi.js - 539.70 kB │ gzip: 149.48 kB │ map: 1,901.93 kB
✓ built in 5.41s

Bundle stats AFTER upgrade:
public/luigi.js - 540.35 kB │ gzip: 149.65 kB │ map: 1,914.03 kB
✓ built in 4.55s

@JohannesDoberer JohannesDoberer self-assigned this Dec 20, 2024
@JohannesDoberer
Contributor

try out with nightly

@JohannesDoberer
Contributor

test btptoollayout as well

Labels
dependencies Pull requests that update a dependency file
2 participants