chore(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dev-dependencies group with 7 updates in the / directory:

Package	From	To
@changesets/cli	2.27.10	2.27.11
@rspack/cli	1.1.5	1.1.8
@rspack/core	1.1.5	1.1.8
esbuild	0.24.0	0.24.2
@types/node	22.10.1	22.10.2
@types/react	19.0.1	19.0.2
svelte	5.9.1	5.16.0

Updates @changesets/cli from 2.27.10 to 2.27.11

Release notes

Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.27.11

Patch Changes

• Updated dependencies [f0270f6]:
  • @​changesets/config@​3.0.5
  • @​changesets/apply-release-plan@​7.0.7
  • @​changesets/get-release-plan@​4.0.6

Commits

• ac2fd12 Version Packages (#1532)
• f0270f6 relax parameters for read() (#1517)
• f03f70b Bump @​typescript-eslint/parser from 5.43.0 to 5.62.0 (#1527)
• 5412908 Bump jest-watch-typeahead from 2.2.1 to 2.2.2 (#1529)
• 828a238 Bump enquirer from 2.3.2 to 2.4.1 (#1530)
• 5c1617f Bump @​types/lodash from 4.14.144 to 4.17.13 (#1520)
• 22eff6f Bump extendable-error from 0.1.5 to 0.1.7 (#1522)
• 7a53030 Bump eslint-config-standard from 17.0.0 to 17.1.0 (#1521)
• 921a852 Bump @​babel/preset-typescript from 7.18.6 to 7.26.0 (#1523)
• ff59515 Add Dependabot config file (#1219)
• See full diff in compare view

Updates @rspack/cli from 1.1.5 to 1.1.8

Release notes

Sourced from @​rspack/cli's releases.

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens. Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

• perf: improve cached source data struct by @​SyMind in web-infra-dev/rspack#8602
• perf: reduce heap allocations for RuntimeModule by @​h-a-n-a in web-infra-dev/rspack#8620

... (truncated)

Commits

• 938829f chore: release 1.1.8
• f366a2d Release Packages:1.1.6
• 08ddcdd release:1.1.5 (#8599)
• See full diff in compare view

Updates @rspack/core from 1.1.5 to 1.1.8

Release notes

Sourced from @​rspack/core's releases.

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens. Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

• perf: improve cached source data struct by @​SyMind in web-infra-dev/rspack#8602
• perf: reduce heap allocations for RuntimeModule by @​h-a-n-a in web-infra-dev/rspack#8620

... (truncated)

Commits

• 938829f chore: release 1.1.8
• f366a2d Release Packages:1.1.6
• 9e1205c feat: add intermediate file system (#8631)
• 3836042 feat: support getResolve in external function context (#8577)
• 5c44bd7 feat(incremental): named module ids (#8593)
• ac7d0d0 feat: support output.trustedTypes.onPolicyCreationFailure (#8619)
• 89ddc85 test(snapshot): make snapshots cleaner and update path-serializer 0.3.4 (#8161)
• 044e8e3 feat: implement output.clean.keep: Option<string> (#8479)
• 08ddcdd release:1.1.5 (#8599)
• 6b0e319 fix: importModule should have err (#8590)
• See full diff in compare view

Updates esbuild from 0.24.0 to 0.24.2

Release notes

Sourced from esbuild's releases.

v0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },

... (truncated)

Commits

• 745abd9 publish 0.24.2 to npm
• 79fd0b0 skip nulls in source map finalization (#4011)
• 4b9322f source map: avoid null entry for 0-length parts
• 199a0d3 close #4013: credit to @​sapphi-red for the fix
• 947f99f fix #4010, fix #4012: import.meta regression
• de9598f publish 0.24.1 to npm
• 15d56ca emit null source mappings for empty chunk content
• 8d98f6f fix #3985: entryPoint metadata for copy loader
• 0db1b82 fix #3998: avoid outbase in identifier names
• 7236472 close #3974: add support for netbsd on arm64
• Additional commits viewable in compare view

Updates @types/node from 22.10.1 to 22.10.2

Commits

• See full diff in compare view

Updates @types/react from 19.0.1 to 19.0.2

Commits

• See full diff in compare view

Updates svelte from 5.9.1 to 5.16.0

Release notes

Sourced from svelte's releases.

[email protected]

Minor Changes

• feat: allow class attribute to be an object or array, using clsx (#14714)

Patch Changes

• fix: don't include keyframes in global scope in the keyframes to rename (#14822)

[email protected]

Minor Changes

• feat: add "worker" exports condition to better support bundling for worker-based environments (#14779)

[email protected]

Patch Changes

• fix: treeshake $inspect.trace code if unused in modules (#14774)

• fix: Improve typescript DX for $inspect, $props, $bindable, and $host (#14777)

[email protected]

Patch Changes

• fix: bump esrap dependency (#14765)

• fix: ensure svg namespace for <a> elements is correct (#14756)

• fix: treeshake $inspect.trace code if unused (#14770)

[email protected]

Patch Changes

• fix: remove implements from class declarations (#14749)

• fix: remove unwanted properties from both replaced and unreplaced nodes (#14744)

[email protected]

Patch Changes

• fix: bump esrap, prevent malformed AST (#14742)

• fix: compare array contents for equality mismatch detections, not the arrays themselves (#14738)

[email protected]

Patch Changes

• fix: correctly highlight first rerun of $inspect.trace (#14734)

• chore: more loose parser improvements (#14733)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.16.0

Minor Changes

• feat: allow class attribute to be an object or array, using clsx (#14714)

Patch Changes

• fix: don't include keyframes in global scope in the keyframes to rename (#14822)

5.15.0

Minor Changes

• feat: add "worker" exports condition to better support bundling for worker-based environments (#14779)

5.14.6

Patch Changes

• fix: treeshake $inspect.trace code if unused in modules (#14774)

• fix: Improve typescript DX for $inspect, $props, $bindable, and $host (#14777)

5.14.5

Patch Changes

• fix: bump esrap dependency (#14765)

• fix: ensure svg namespace for <a> elements is correct (#14756)

• fix: treeshake $inspect.trace code if unused (#14770)

5.14.4

Patch Changes

• fix: remove implements from class declarations (#14749)

• fix: remove unwanted properties from both replaced and unreplaced nodes (#14744)

5.14.3

Patch Changes

• fix: bump esrap, prevent malformed AST (#14742)

• fix: compare array contents for equality mismatch detections, not the arrays themselves (#14738)

... (truncated)

Commits

• 7f8acb8 Version Packages (#14824)
• 97f3aa9 docs: fix links in some errors/warnings (#14825)
• 015210a feat: allow objects/arrays for class attribute (#14714)
• 38a3ae3 fix: Allow to disable animation prefix (#14822)
• 1d773ef Version Packages (#14782)
• 72b7bc7 feat: add "worker" exports condition (#14779)
• 2086c19 Version Packages (#14776)
• 999b92d fix: intellisense DX for $props, $inspect, $bindable, and $host (#14777)
• 5bc4033 fix: treeshake $inspect.trace code if unused in modules (#14774)
• 69d198e Version Packages (#14764)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: b8d9873

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.