build(deps-dev): bump svelte from 5.48.0 to 5.53.6 in /frontend

[dependabot]

Bumps svelte from 5.48.0 to 5.53.6.

Release notes

Sourced from svelte's releases.

svelte@5.53.6

Patch Changes

• perf: optimize parser hot paths for faster compilation (#17811)

• fix: SvelteMap incorrectly handles keys with undefined values (#17826)

• fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

• fix: visit synthetic value node during ssr (#17824)

• fix: always case insensitive event handlers during ssr (#17822)

• chore: more efficient effect scheduling (#17808)

• perf: optimize compiler analysis phase (#17823)

• fix: skip redundant batch.apply (#17816)

• chore: null out current_batch before committing branches (#17809)

svelte@5.53.5

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

svelte@5.53.4

Patch Changes

• fix: set server context after async transformError (#17799)

• fix: hydrate if blocks correctly (#17784)

• fix: handle default parameters scope leaks (#17788)

• fix: prevent flushed effects from running again (#17787)

svelte@5.53.3

Patch Changes

• fix: render :catch of #await block with correct key (#17769)

• chore: pin aria-query@5.3.1 (#17772)

• fix: make string coercion consistent to toString (#17774)

svelte@5.53.2

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.6

Patch Changes

• perf: optimize parser hot paths for faster compilation (#17811)

• fix: SvelteMap incorrectly handles keys with undefined values (#17826)

• fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#17828)

• fix: visit synthetic value node during ssr (#17824)

• fix: always case insensitive event handlers during ssr (#17822)

• chore: more efficient effect scheduling (#17808)

• perf: optimize compiler analysis phase (#17823)

• fix: skip redundant batch.apply (#17816)

• chore: null out current_batch before committing branches (#17809)

5.53.5

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

5.53.4

Patch Changes

• fix: set server context after async transformError (#17799)

• fix: hydrate if blocks correctly (#17784)

• fix: handle default parameters scope leaks (#17788)

• fix: prevent flushed effects from running again (#17787)

5.53.3

Patch Changes

• fix: render :catch of #await block with correct key (#17769)

• chore: pin aria-query@5.3.1 (#17772)

... (truncated)

Commits

• d4c7829 Version Packages (#17812)
• 361b32c fix: SvelteURL search setter uses unnormalized value (#17828)
• 1043f79 perf: optimize compiler analysis phase (#17823)
• b6faa2a fix: always case insensitive event handlers during ssr (#17822)
• e3d277b fix: visit synthetic value node during ssr (#17824)
• 18db0ca fix: SvelteMap incorrectly handles keys with undefined values (#17826)
• 3fc4bc6 chore: remove unused is_flushing variable (#17820)
• 16a1351 fix: skip redundant batch.apply (#17816)
• 04ba134 docs: flesh out attribute_invalid_sequence_expression message (#17789)
• fc67c9c chore(deps-dev): bump rollup from 4.52.5 to 4.59.0 (#17810)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

Bumps Svelte from 5.48.0 to 5.53.6 in the frontend package. This patch update includes important bug fixes (SvelteMap undefined handling, SSR hydration, effect scheduling), security improvements (XSS prevention for contenteditable bindings, transformError sanitization), and performance optimizations (parser and compiler analysis). Also updates transitive dependencies: devalue (5.6.2→5.6.3), esrap, and pins aria-query to 5.3.1.

• No breaking changes - all patch-level fixes
• Contains security fixes that should be applied
• Performance improvements for compilation speed

Confidence Score: 5/5

• Safe to merge - standard patch version dependency update with bug fixes and security improvements
• This is a well-documented patch version update (5.48.0→5.53.6) with no breaking changes. The update includes important security fixes, bug fixes, and performance improvements. All changes are in lock files reflecting standard dependency management.
• No files require special attention

Important Files Changed

Filename	Overview
frontend/package.json	Updated svelte devDependency from ^5.0.0 to ^5.53.6
frontend/package-lock.json	Lock file updates for svelte 5.53.6 and transitive dependencies (devalue, esrap, aria-query, @types/trusted-types)

_{Last reviewed commit: a314c43}