OpenZeppelin
Update dependency svelte to v4
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| svelte (source) | ^3.55.0 -> ^4.0.0 |
Release Notes
sveltejs/svelte (svelte)
v4.2.12
Patch Changes
- fix: properly update
svelte:componentprops when there are spread props (#10604)
v4.2.11
Patch Changes
- fix: check that component wasn't instantiated in
connectedCallback(#10466)
v4.2.10
Patch Changes
-
fix: add
scrollendevent type (#10336) -
fix: add
fetchpriorityattribute type (#10390) -
fix: Add
miter-clipandarcstostroke-linejoinattribute (#10377) -
fix: make inline doc links valid (#10366)
v4.2.9
Patch Changes
-
fix: add types for popover attributes and events (#10042)
-
fix: add
gamepadconnectedandgamepaddisconnectedevents (#9864) -
fix: make
@types/estreea dependency (#10149) -
fix: bump
axobject-query(#10167)
v4.2.8
Patch Changes
- fix: port over props that were set prior to initialization (#9701)
v4.2.7
Patch Changes
- fix: handle spreads within static strings (#9554)
v4.2.6
Patch Changes
- fix: adjust static attribute regex (#9551)
v4.2.5
Patch Changes
- fix: ignore expressions in top level script/style tag attributes (#9498)
v4.2.4
Patch Changes
- fix: handle closing tags inside attribute values (#9486)
v4.2.3
Patch Changes
-
fix: improve a11y-click-events-have-key-events message (#9358)
-
fix: more robust hydration of html tag (#9184)
v4.2.2
Patch Changes
-
fix: support camelCase properties on custom elements (#9328)
-
fix: add missing plaintext-only value to contenteditable type (#9242)
-
chore: upgrade magic-string to 0.30.4 (#9292)
-
fix: ignore trailing comments when comparing nodes (#9197)
v4.2.1
Patch Changes
-
fix: update style directive when style attribute is present and is updated via an object prop (#9187)
-
fix: css sourcemap generation with unicode filenames (#9120)
-
fix: do not add module declared variables as dependencies (#9122)
-
fix: handle
svelte:elementwith dynamic this and spread attributes (#9112) -
fix: silence false positive reactive component warning (#9094)
-
fix: head duplication when binding is present (#9124)
-
fix: take custom attribute name into account when reflecting property (#9140)
-
fix: add
indeterminateto the list of HTMLAttributes (#9180) -
fix: recognize option value on spread attribute (#9125)
v4.2.0
Minor Changes
- feat: move
svelteHTMLfrom language-tools into core to load the correctsvelte/elementtypes (#9070)
v4.1.2
Patch Changes
-
fix: allow child element with slot attribute within svelte:element (#9038)
-
fix: Add data-* to svg attributes (#9036)
v4.1.1
Patch Changes
- fix:
svelte:componentspread props change not picked up (#9006)
v4.1.0
Minor Changes
- feat: add ability to extend custom element class (#8991)
Patch Changes
-
fix: ensure
svelte:componentevaluates props once (#8946) -
fix: remove
let:variableslot bindings from select binding dependencies (#8969) -
fix: handle destructured primitive literals (#8871)
-
perf: optimize imports that are not mutated or reassigned (#8948)
-
fix: don't add accessor twice (#8996)
v4.0.5
Patch Changes
- fix: generate type definition with nullable types (#8924)
v4.0.4
Patch Changes
-
fix: claim svg tags in raw mustache tags correctly (#8910)
-
fix: repair invalid raw html content during hydration (#8912)
v4.0.3
Patch Changes
- fix: handle falsy srcset values (#8901)
v4.0.2
Patch Changes
-
fix: reflect all custom element prop updates back to attribute (#8898)
-
fix: shrink custom element baseline a bit (#8858)
-
fix: use non-destructive hydration for all
@htmltags (#8880) -
fix: align
disclose-versionexports specification (#8874) -
fix: check srcset when hydrating to prevent needless requests (#8868)
v4.0.1
Patch Changes
-
fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
-
fix: ensure
createEventDispatcherandActionReturnwork with types from generic function parameters (#8872) -
fix: apply transition to
<svelte:element>with local transition (#8865) -
fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
-
fix: remove tsconfig.json from published package (#8859)
v4.0.0
Major Changes
-
breaking: Minimum supported Node version is now Node 16 (#8566)
-
breaking: Minimum supported webpack version is now webpack 5 (#8515)
-
breaking: Bundlers must specify the
browsercondition when building a frontend bundle for the browser (#8516) -
breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
-
breaking: Minimum supported
rollup-plugin-svelteversion is now 7.1.5 (198dbcf) -
breaking: Minimum supported
svelte-loaderis now 3.1.8 (198dbcf) -
breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
-
breaking: Remove
svelte/registerhook, CJS runtime version and CJS compiler output (#8613) -
breaking: Stricter types for
createEventDispatcher(see PR for migration instructions) (#7224) -
breaking: Stricter types for
ActionandActionReturn(see PR for migration instructions) (#7442) -
breaking: Stricter types for
onMount- now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions (see PR for migration instructions) (#8136) -
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#8457)
-
breaking: Deprecate
SvelteComponentTypedin favor ofSvelteComponent(#8512) -
breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
-
breaking: Error on falsy values instead of stores passed to
derived(#7947) -
breaking: Custom store implementers now need to pass an
updatefunction additionally to thesetfunction (#6750) -
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
-
breaking: Change order in which preprocessors are applied (#8618)
-
breaking: The runtime now makes use of
classList.toggle(name, boolean)which does not work in very old browsers (#8629) -
breaking: apply
inertto outroing elements (#8628) -
breaking: use
CustomEventconstructor instead of deprecatedcreateEventmethod (#8775)
Minor Changes
-
Add a way to modify attributes for script/style preprocessors (#8618)
-
Improve hydration speed by adding
data-svelte-hattribute to detect unchanged HTML elements (#7426) -
Add
a11y no-noninteractive-element-interactionsrule (#8391) -
Add
a11y-no-static-element-interactionsrule (#8251) -
Allow
#eachto iterate over iterables likeSet,Mapetc (#7425) -
Improve duplicate key error for keyed
eachblocks (#8411) -
Warn about
:in attributes and props to prevent ambiguity with Svelte directives (#6823) -
feat: add version info to
window. You can opt out by settingdiscloseVersiontofalsein the compiler options (#8761) -
feat: smaller minified output for destructor chunks (#8763)
Patch Changes
-
Bind
nulloption and input values consistently (#8312) -
Allow
$storeto be used with changing values including nullish values (#7555) -
Initialize stylesheet with
/* empty */to enable setting CSP directive that also works in Safari (#7800) -
Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
-
Fix transitions so that they don't require a
style-src 'unsafe-inline'Content Security Policy (CSP) (#6662). -
Explicitly disallow
vardeclarations extending the reactive statement scope (#6800) -
Improve error message when trying to use
animate:directives on inline components (#8641) -
fix: export ComponentType from
svelteentrypoint (#8578) -
fix: never use html optimization for mustache tags in hydration mode (#8744)
-
fix: derived store types (#8578)
-
Generate type declarations with dts-buddy (#8578)
-
fix: ensure types are loaded with all TS settings (#8721)
-
fix: account for preprocessor source maps when calculating meta info (#8778)
-
chore: deindent cjs output for compiler (#8785)
-
warn on boolean compilerOptions.css (#8710)
-
fix: export correct SvelteComponent type (#8721)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
This doesn't seem to be working, we need to review the breaking changes, I don't think they are many.
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@nomicfoundation/[email protected]
![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
| Alert | Package | Note | Source | CI |
|---|---|---|---|---|
| Install scripts | npm/[email protected] |
| 🚫 |
Next steps
What is an install script?
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/[email protected]