chore(deps): bump devalue and @sveltejs/adapter-auto in /examples/svelte/svelte-vite

[dependabot]

Bumps devalue to 5.6.4 and updates ancestor dependency @sveltejs/adapter-auto. These dependencies need to be updated together.

Updates devalue from 4.3.3 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates @sveltejs/adapter-auto from 1.0.0-next.91 to 7.0.1

Release notes

Sourced from @​sveltejs/adapter-auto's releases.

@​sveltejs/adapter-auto@​7.0.1

Patch Changes

• feat: update adapter-netlify to version 6 (77ab341)

@​sveltejs/adapter-auto@​7.0.0

Major Changes

• feat: update adapter-vercel to version 6 (#14737)

@​sveltejs/adapter-auto@​6.1.1

Patch Changes

• chore: update "homepage" field in package.json (#14579)

Changelog

Sourced from @​sveltejs/adapter-auto's changelog.

7.0.1

Patch Changes

• feat: update adapter-netlify to version 6 (77ab341)

7.0.0

Major Changes

• feat: update adapter-vercel to version 6 (#14737)

6.1.1

Patch Changes

• chore: update "homepage" field in package.json (#14579)

6.1.0

Minor Changes

• feat: add Deno as a supported package manager (#14163)

Patch Changes

• Updated dependencies [ece3906, 5ac9d27, fed6331, 69f4e5f, 6b34122, 9493537, f67ba09]:
  • @​sveltejs/kit@​2.28.0

6.0.2

Patch Changes

• chore: add .git to the end of package.json repository url (#14134)

• Updated dependencies [c968aef]:

  • @​sveltejs/kit@​2.27.3

6.0.1

Patch Changes

• chore: remove import-meta-resolve dependency (#13629)

• Updated dependencies [bd1c04662332cbafa843c35a2e783486116af3d5, 09f61ec2a14573e27769edb403c58aea5433a39f, 09f61ec2a14573e27769edb403c58aea5433a39f]:

  • @​sveltejs/kit@​2.21.0

6.0.0

Major Changes

... (truncated)

Commits

• c727a90 Version Packages (#15309)
• 77ab341 feat: update adapter-netlify to version 6
• 1d2be12 chore: update suggestion message (#15165)
• 0da365a chore(deps): update vitest monorepo to v4 (major) (#14789)
• 6f13d2b Version Packages (#14738)
• c710a39 breaking: update to adapter-vercel to version 6 (#14737)
• 9fbd0d1 Version Packages (#14580)
• 193d37c chore: fix "homepage" field in package.json (#14579)
• 758ec17 fix: conditionally access builder properties that only exist on the latest Sv...
• d4f00a1 chore: remove skipLibCheck (#14227)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/adapter-auto since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Although confined to an example app lockfile, it upgrades SvelteKit across a major version and raises Node engine requirements, which can affect local builds and deployment environments.

Overview
Updates examples/svelte/svelte-vite/package-lock.json to use @sveltejs/adapter-auto next (resolving to 7.0.1) and pulls in @sveltejs/kit 2.54.0, along with a large set of transitive upgrades (notably devalue 5.6.4, cookie 0.6.0, set-cookie-parser 3.0.1, sirv 3.0.2, acorn 8.16.0) and removal of now-unneeded transitive packages.

The lockfile reflects updated engine/peer requirements (notably Node >=18.13 for @sveltejs/kit/sirv).

^{Written by Cursor Bugbot for commit ceb633a. This will update automatically on new commits. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: ceb633a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Incompatible peer dependencies after major version bump

High Severity

Bumping @sveltejs/adapter-auto from 1.x to 7.0.1 pulls in @sveltejs/kit 2.54.0 as a peer dependency. @sveltejs/kit 2.54.0 requires @sveltejs/vite-plugin-svelte ^3.0.0 and vite ^5.0.3, but package.json still specifies @sveltejs/vite-plugin-svelte ^2.4.5 (resolves to 2.5.3) and vite ^4.5.12. These unmet peer dependencies will likely cause build failures or runtime incompatibilities.

Additional Locations (1)

• examples/svelte/svelte-vite/package-lock.json#L617-L627

 

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit ceb633a

Command	Status	Duration	Result
nx test @snippet/angular-17-ssr	❌ Failed	50s	View ↗
nx test @e2e/gen1-next15-app	✅ Succeeded	13m 23s	View ↗
nx test @e2e/angular-17	✅ Succeeded	6m 41s	View ↗
nx test @e2e/qwik-city	✅ Succeeded	7m 45s	View ↗
nx test @e2e/nextjs-sdk-next-app	✅ Succeeded	7m 31s	View ↗
nx test @e2e/vue	✅ Succeeded	4m 16s	View ↗
nx test @e2e/nuxt	✅ Succeeded	5m 33s	View ↗
nx test @e2e/gen1-next14-pages	✅ Succeeded	4m 30s	View ↗
Additional runs (37)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-12 17:02:35 UTC