chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.60.1 → 2.61.1
@swc/core (source)	1.15.33 → 1.15.40
pnpm (source)	11.2.2 → 11.3.0
vite (source)	8.0.13 → 8.0.14

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.61.1

Compare Source

Patch Changes

• fix: regression where routes starting and ending with a route group are not matched correctly (#​15903)

v2.61.0

Compare Source

Minor Changes

• breaking: the .run() method has been removed from remote queries on both the client and the server. Use await query() directly instead — it now works everywhere (#​15779)

• feat: remote queries can now be awaited in any context (event handlers, module scope, async callbacks), not just inside reactive contexts. The cache is shared across reactive and non-reactive subscribers, so awaiting a query in an event handler will dedupe with components that have already subscribed to the same query. (#​15779)

• feat: live query instances are now themselves async-iterable (#​15878)

• feat: add programmatic submit method to form remote function instances (#​15657)

• feat: pass form remote function instance into enhance callback (#​15657)

Patch Changes

• fix: resolve the app payload without using process.env.NODE_ENV (#​15852)

• fix: support exactOptionalPropertyTypes for optional route params (#​15825)

• fix: correctly send true value to the server for 'submit' and 'hidden' form fields (#​15858)

• fix: avoid build warnings about undefined universal hooks (#​15895)

• fix: prefer default error page when failing to decode the URL pathname (#​15744)

• fix: disable link prefetching on slow internet connections (#​15885)

• fix: allow routes ending with optional parameters next to more specific routes (#​15861)

• fix: remove reliance on Content-Length header in deserialize_binary_form, which caused failures when proxies (e.g. Vercel, Azure) strip the header and use chunked transfer encoding (#​15796)

swc-project/swc (@​swc/core)

v1.15.40

Compare Source

Bug Fixes

• (es/minifier) Preserve args for destructured callbacks (#​11830) (21873b0)

• (es/minifier) Avoid generating mangled property names that collide with existing properties (#​11839) (9b4fab5)

• (es/minifier) Respect ecma for iife temp vars (#​11873) (e481934)

• (es/minifier) Preserve default parameter object props (#​11884) (71ff84f)

• (es/parser) Reject object-rest assignment to array/object literal (#​11875) (7b57d1f)

• (es/parser) Reject object rest assignment to literals (#​11881) (4ec2eaf)

• (es/react) Exclude self-recursive hooks from refresh dependency array (#​11838) (9101c71)

• (ts/fast-dts) Strip definite assertions in dts (#​11858) (2ab1b8a)

• (ts/fast-strip) Reject unsafe assertion erasure in binary expressions (#​11828) (aa5b539)

• (typescript) Strip parameter binding defaults in dts (#​11857) (800bc17)

Documentation

• Update agent guidance (#​11842) (bf2d015)

• Add security policy (#​11876) (6c43c2d)

• Clarify security scope for npm packages (#​11877) (4662db8)

• Clarify untrusted input security model (#​11882) (5463777)

Features

• (es/minifier) Fine grained effect analysis of class (#​11814) (c9058ad)

• (swc_cli) Implement all features for swc_cli (#​11797) (9300ede)

Miscellaneous Tasks

• (es/minifier) Fix typo in debug log (#​11866) (3de0254)

• (html) Add webcontainer fallback for @swc/html (#​11860) (7692eed)

Performance

• (ecma) Reduce transformer compat overhead (#​11856) (d03cb71)

• (es/codegen) Speed up JsWriter position and srcmap tracking (#​11867) (dbceade)

• (es/codegen) Remove JsWriter last_srcmap cache (#​11869) (3bc1c2b)

• (es/minifier) Reduce minifier profiling hotspots (#​11853) (28c1091)

• Optimize es parser comment finalization (#​11852) (2959ddf)

Testing

• (es/minifier) Move issue_11835 fixture out of terser folder (#​11840) (3dd3431)

Ci

• Update corepack in publish docker jobs (#​11885) (9a7d954)

• Pass publish docker env explicitly (#​11888) (c5f7547)

• Lock issues closed by merged prs (#​11887) (6bd74e5)

• Provide aarch64 musl linker in publish job (#​11889) (20234fd)

• Fix publish musl linker and windows tests (#​11890) (a798a23)

• Make minifier test path explicit (#​11891) (e7cba97)

Security

• Save CI caches only on main (#​11848) (7582529)

• Update rkyv and Rust dependencies (#​11851) (20d92eb)

• Harden PR workflow permissions (#​11849) (e199564)

pnpm/pnpm (pnpm)

v11.3.0

Compare Source

Minor Changes

• Added pnpm stage with publish, list, view, approve, reject, and download subcommands for npm staged publishing.

• Added a new setting trustLockfile. When true, pnpm install skips the supply-chain verification pass that re-applies minimumReleaseAge / trustPolicy='no-downgrade' to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author. Defaults to false; verification stays on by default. Set in pnpm-workspace.yaml.

  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (~4k lockfile entries with minimumReleaseAge + trustPolicy: no-downgrade enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (time, per-version _npmUser.trustedPublisher, dist.attestations.provenance). The abbreviated-metadata cache is similarly projected to just the package-level modified field and the set of currently-listed version names. Fixes #​11860.

• Implemented pnpm pkg command natively, following npm pkg standards.

• Implemented pnpm repo command natively, following npm repo standards.

• Implemented pnpm set-script (alias ss) natively. Adds or updates an entry in the scripts field of the project manifest, supporting package.json, package.json5, and package.yaml formats.

• Add a skip-manifest-obfuscation option for pnpm pack and pnpm publish. When enabled, the original packageManager field and publish lifecycle scripts are kept in the packed/published manifest instead of being stripped. The pnpm-specific pnpm field continues to be omitted.

Patch Changes

• Fixed pnpm dlx failing with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when the installed package's CAS slot is missing its package.json. Observed in the wild for pnpm dlx node@runtime:<version> when the GVS slot was populated without the synthesized manifest runtime archives need (they don't ship a package.json of their own, so the synthesized one is the only way it gets there; an existing slot from an earlier code path that skipped the synthesis stays incomplete). The bin link itself is wired up from the resolution and remains valid, so dlx now falls back to the scopeless package name when the slot's manifest is unreadable — for single-bin packages (the dlx common case, including every runtime: spec) this matches what manifest.bin would have named. Multi-bin packages already require --package=<spec> <bin> to disambiguate and don't enter this code path.
• Fixed non-determinism in pnpm dedupe and pnpm install when a dependency graph contains packages with transitive peer dependencies on each other (e.g. @aws-sdk/client-sts and @aws-sdk/client-sso-oidc) and auto-install-peers is enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was that resolveDependencies pushed onto its pkgAddresses / postponedResolutionsQueue arrays from inside Promise.all-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes #​8155.
• Fixed a regression introduced by #​11711 where pnpm add <github-shorthand> (and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs or pnpm/test-git-fetch#sha) was silently dropped from the manifest update and from pendingBuilds. The alias-keyed lookup added in that PR couldn't find a wantedDependency whose alias was undefined at parse time but resolved to a package name only after fetching, so the entry never made it into specsToUpsert. Restored the original index-based pairing between directDependencies and wantedDependencies; the catalog-protocol preservation that PR was originally fixing is unaffected because it's driven by rdd.catalogLookup.userSpecifiedBareSpecifier, not by the lookup. Fixes the three rebuilds dependencies / rebuilds specific dependencies / rebuild with pending option failures in building/commands/test/build/index.ts.
• Fixed pnpm add --config leaving orphan entries in pnpm-lock.env.yaml (the optional subdependencies of the previously resolved version of the updated config dependency).

vitejs/vite (vite)

v8.0.14

Compare Source

Features

• update rolldown to 1.0.2 (#​22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#​22471) (98b8163)
• dev: handle errors when sending messages to vite server (#​22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#​22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#​22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#​22310) (0ae2844)

Tests

• css: sass does not use main field (#​22449) (ebf39a0)

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f2d49f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
zag-nextjs	Ready	Preview	May 25, 2026 1:26am
zag-solid	Ready	Preview	May 25, 2026 1:26am
zag-svelte	Ready	Preview	May 25, 2026 1:26am
zag-vue	Ready	Preview	May 25, 2026 1:26am
zag-website	Ready	Preview	May 25, 2026 1:26am