chore(deps): bump the all-pnpm group across 3 directories with 12 updates

[dependabot]

Bumps the all-pnpm group with 1 update in the /e2e_tests/tests_omni_full directory: @types/node.
Bumps the all-pnpm group with 1 update in the /e2e_tests/tests_omni_light directory: @types/node.
Bumps the all-pnpm group with 11 updates in the /frontend/omni directory:

Package	From	To
@ai-sdk/openai	3.0.63	3.0.65
@ai-sdk/svelte	4.0.177	4.0.191
ai	6.0.177	6.0.191
dompurify	3.4.2	3.4.5
i18next	26.1.0	26.2.0
katex	0.16.45	0.17.0
marked	18.0.3	18.0.4
sv-router	0.16.1	0.16.2
svelte	5.55.5	5.55.9
vite	8.0.12	8.0.14
vitest	4.1.6	4.1.7

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates @ai-sdk/openai from 3.0.63 to 3.0.65

Release notes

Sourced from @​ai-sdk/openai's releases.

@​ai-sdk/openai@​3.0.65

Patch Changes

• eb52378: fix(openai): skip passing reasoning items when using previous response id

Changelog

Sourced from @​ai-sdk/openai's changelog.

3.0.65

Patch Changes

• eb52378: fix(openai): skip passing reasoning items when using previous response id

3.0.64

Patch Changes

• b7ed8bd: feat(openai): add opt-in pass-through for unsupported file media types

Commits

• 1a3ec6d Version Packages (#15513)
• eb52378 Backport: fix(openai): skip passing reasoning items when using previous respo...
• 2e7664b Version Packages (#15315)
• b7ed8bd Backport: feat(openai): add opt-in pass-through for unsupported file media ty...
• See full diff in compare view

Updates @ai-sdk/svelte from 4.0.177 to 4.0.191

Release notes

Sourced from @​ai-sdk/svelte's releases.

@​ai-sdk/svelte@​4.0.191

Patch Changes

• ai@6.0.191

@​ai-sdk/svelte@​4.0.190

Patch Changes

• ai@6.0.190

@​ai-sdk/svelte@​4.0.189

Patch Changes

• Updated dependencies [356c3cf]
  • ai@6.0.189

@​ai-sdk/svelte@​4.0.188

Patch Changes

• Updated dependencies [c98715a]
  • ai@6.0.188

Changelog

Sourced from @​ai-sdk/svelte's changelog.

4.0.191

Patch Changes

• ai@6.0.191

4.0.190

Patch Changes

• ai@6.0.190

4.0.189

Patch Changes

• Updated dependencies [356c3cf]
  • ai@6.0.189

4.0.188

Patch Changes

• Updated dependencies [c98715a]
  • ai@6.0.188

4.0.187

Patch Changes

• ai@6.0.187

4.0.186

Patch Changes

• ai@6.0.186

4.0.185

Patch Changes

• ai@6.0.185

4.0.184

Patch Changes

• Updated dependencies [40fc5e4]
  • ai@6.0.184

... (truncated)

Commits

• 0838d52 Version Packages (#15565)
• 1a3ec6d Version Packages (#15513)
• bde7d0f Version Packages (#15494)
• 93ad540 Version Packages (#15489)
• a15eda9 Version Packages (#15473)
• e33b836 Version Packages (#15440)
• 4a98945 Version Packages (#15406)
• f8d3003 Version Packages (#15356)
• 2e7664b Version Packages (#15315)
• c76ce9c Version Packages (#15257)
• Additional commits viewable in compare view

Updates ai from 6.0.177 to 6.0.191

Release notes

Sourced from ai's releases.

ai@6.0.191

Patch Changes

• Updated dependencies [27a1b22]
  • @​ai-sdk/gateway@​3.0.120

ai@6.0.190

Patch Changes

• Updated dependencies [33b10a2]
• Updated dependencies [f6e4146]
  • @​ai-sdk/gateway@​3.0.119

ai@6.0.189

Patch Changes

• 356c3cf: fix(ai): make input optional on input-streaming UIMessagePart variants

ai@6.0.188

Patch Changes

• c98715a: Add allowSystemInMessages option to ToolLoopAgent.

  This exposes the same option that exists on streamText and generateText, whether role: "system" messages are allowed in the prompt or messages fields. When unset, system messages are rejected because they can create a prompt injection attack risk. Ideally, use the instructions option instead. Set to true to allow system messages, or false to explicitly reject them.

  const agent = new ToolLoopAgent({
    model,
    allowSystemInMessages: true,
  });
  await agent.generate({
  messages: [
  { role: "system", content: "Server context" },
  { role: "user", content: "Hello" },
  ],
  });

  The option can also be returned from prepareCall for dynamic per-call configuration.

Changelog

Sourced from ai's changelog.

6.0.191

Patch Changes

• Updated dependencies [27a1b22]
  • @​ai-sdk/gateway@​3.0.120

6.0.190

Patch Changes

• Updated dependencies [33b10a2]
• Updated dependencies [f6e4146]
  • @​ai-sdk/gateway@​3.0.119

6.0.189

Patch Changes

• 356c3cf: fix(ai): make input optional on input-streaming UIMessagePart variants

6.0.188

Patch Changes

• c98715a: Add allowSystemInMessages option to ToolLoopAgent.

  This exposes the same option that exists on streamText and generateText, whether role: "system" messages are allowed in the prompt or messages fields. When unset, system messages are rejected because they can create a prompt injection attack risk. Ideally, use the instructions option instead. Set to true to allow system messages, or false to explicitly reject them.

  const agent = new ToolLoopAgent({
    model,
    allowSystemInMessages: true,
  });
  await agent.generate({
  messages: [
  { role: "system", content: "Server context" },
  { role: "user", content: "Hello" },
  ],
  });

  The option can also be returned from prepareCall for dynamic per-call configuration.

6.0.187

Patch Changes

• Updated dependencies [6f4bb06]

... (truncated)

Commits

• 0838d52 Version Packages (#15565)
• 1a3ec6d Version Packages (#15513)
• bde7d0f Version Packages (#15494)
• 356c3cf Backport: fix(ai): make input optional on input-streaming UIMessagePart varia...
• 93ad540 Version Packages (#15489)
• c98715a Backport: [tool-loop-agent] adding support for messages with system role with...
• a15eda9 Version Packages (#15473)
• 917e487 Backport CI speed improvements to release-v6.0 (#15455)
• e33b836 Version Packages (#15440)
• 4a98945 Version Packages (#15406)
• Additional commits viewable in compare view

Updates dompurify from 3.4.2 to 3.4.5

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

Commits

• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• See full diff in compare view

Updates i18next from 26.1.0 to 26.2.0

Release notes

Sourced from i18next's releases.

v26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

Changelog

Sourced from i18next's changelog.

26.2.0

• feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
• fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

Commits

• 22fb6ad 26.2.0
• b640ac4 feat(types): parseInterpolation flag for ICU-friendly t() typing (i18next-icu...
• 0b9debd changelog: 26.1.1 entry for #2431
• 50509e4 fix(types): expose enableSelector on InitOptions (#2431)
• 80b5402 Enhance Pro Tip in README with i18next-locize-backend plugin link
• See full diff in compare view

Updates katex from 0.16.45 to 0.17.0

Release notes

Sourced from katex's releases.

v0.17.0

0.17.0 (2026-05-22)

Performance Improvements

• simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

• The internal API for __defineFunction changed: you should no longer wrap properties in props.

v0.16.47

0.16.47 (2026-05-16)

Bug Fixes

• correct size of [ big delimiter (#4217) (7ba0027), closes #4215

v0.16.46

0.16.46 (2026-05-13)

Bug Fixes

• preserve math font in some styling commands (#4214) (e9ee046), closes #4213

Changelog

Sourced from katex's changelog.

0.17.0 (2026-05-22)

Performance Improvements

• simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

• The internal API for __defineFunction changed: you should no longer wrap properties in props.

0.16.47 (2026-05-16)

Bug Fixes

• correct size of [ big delimiter (#4217) (7ba0027), closes #4215

0.16.46 (2026-05-13)

Bug Fixes

• preserve math font in some styling commands (#4214) (e9ee046), closes #4213

Commits

• 3dec549 chore(release): 0.17.0 [ci skip]
• fb604e6 perf: simplify defineFunction to avoid destructuring, improve typing (#4222)
• 6caa636 refactor: tighten ParseNode types (#4219)
• afed784 docs: make first supportive organizations logos bigger (#4216)
• b02d9ac chore(deps): update dependency webpack-dev-server to v5.2.4 [security] (#4220)
• 878a61b chore(release): 0.16.47 [ci skip]
• 7ba0027 fix: correct size of [ big delimiter (#4217)
• 8a52ddb chore: migrate screenshotter for Safari to GitHub MacOS runner (#4206)
• 2c25b47 chore(release): 0.16.46 [ci skip]
• e9ee046 fix: preserve math font in some styling commands (#4214)
• Additional commits viewable in compare view

Updates marked from 18.0.3 to 18.0.4

Release notes

Sourced from marked's releases.

v18.0.4

18.0.4 (2026-05-19)

Bug Fixes

• cache list indentation regexes (#3969) (a37983f)
• fix cli not reading stdin (#3967) (11adb69)

Commits

• 0a2cd54 chore(release): 18.0.4 [skip ci]
• 11adb69 fix: fix cli not reading stdin (#3967)
• a37983f fix: cache list indentation regexes (#3969)
• d38b8c2 chore(deps-dev): bump eslint from 10.3.0 to 10.4.0 (#3976)
• 7d9b17e chore(docs): fix typo in package links (#3975)
• a7affc3 chore(deps-dev): bump @​semantic-release/release-notes-generator from 14.1.0 t...
• 47d6ba1 chore(deps-dev): bump @​semantic-release/github from 12.0.6 to 12.0.8 (#3972)
• 69257e4 chore(deps-dev): bump eslint from 10.2.1 to 10.3.0 (#3966)
• 1731d38 refactor(test): move task list output coverage to specs (#3963)
• See full diff in compare view

Updates sv-router from 0.16.1 to 0.16.2

Release notes

Sourced from sv-router's releases.

sv-router@0.16.2

Patch Changes

• 18093d8: Fix syncSearchParams discarding array values
• 6d7ea95: Don't intercept link clicks outside the base path

Changelog

Sourced from sv-router's changelog.

0.16.2

Patch Changes

• 18093d8: Fix syncSearchParams discarding array values
• 6d7ea95: Don't intercept link clicks outside the base path

Commits

• fd129e4 chore: release (#292)
• 4c84813 chore(formatter): ignore changesets
• 6d7ea95 fix: don't intercept link clicks outside the base path (#294)
• 2adad11 chore: migrate from prettier to oxfmt (#290)
• 18093d8 fix: syncSearchParams ignored array values (#291)
• b46e49e chore(renovate): add minimum release age
• See full diff in compare view

Updates svelte from 5.55.5 to 5.55.9

Release notes

Sourced from svelte's releases.

svelte@5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

svelte@5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

... (truncated)

Commits

• b65a3f3 Version Packages (#18240)
• ef319ed chore: bump acorn-typescript/esrap (#18248)
• d654db8 fix: avoid false-positive batch invariant error (#18246)
• 000c594 fix: {#await await ...} and async dependencies fixes (#18243)
• a5df661 fix: avoid unnecessary stringify in server attributes (#18232)
• f9440dc Version Packages (#18239)
• ca3f35b fix(print): handle svelte:body and fix keyframe percentage double-printing (#...
• 2bc3592 fix: use named symbols everywhere (#18238)
• dc1f037 fix: don't run teardown effects when deriveds are unfreezed (#18227)
• 1e899cb fix: execute uninitialized derived even if it's destroyed (#18228)
• Additional commits viewable in compare view

Updates vite from 8.0.12 to 8.0.14

Release notes

Sourced from vite's releases.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

Tests

• css: sass does not use main field (#22449) (ebf39a0)

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

Commits

• c917f1e release: v8.0.14
• 5d94d1b fix(html): handle trailing slash paths in transformIndexHtml (#22480)
• 98b8163 fix(deps): update all non-major dependencies (#22471)
• 96efc88 feat: update rolldown to 1.0.2 (#22484)
• ebf39a0 test(css): sass does not use main field (#22449)
• 0ae2844 refactor(glob): do not rewrite import path for absolute base (#22310)
• 7cb728e chore(deps): update rolldown-related dependencies (#22470)
• b3132da fix(optimizer): pass oxc jsx options to transformSync in dependency scan ...
• e8e9a34 fix(dev): handle errors when sending messages to vite server (#22450)
• 2c69495 chore: remove irrelevant commits from changelog
• Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions