build(deps): bump the production group across 1 directory with 32 updates

[dependabot]

Bumps the production group with 28 updates in the /frontend directory:

Package	From	To
@awesome.me/webawesome	3.1.0	3.8.0
@lit/localize	0.12.1	0.12.2
@lit/task	1.0.0	1.0.3
@novnc/novnc	1.4.0	1.7.0
@shoelace-style/shoelace	2.18.0	2.20.1
@tanstack/lit-virtual	3.13.12	3.13.30
@webrecorder/hickory	0.0.10	0.4.0
clsx	2.1.0	2.1.1
cronstrue	3.2.0	3.14.0
highlight.js	11.8.0	11.11.1
ink-mde	0.33.0	0.34.0
lit	3.2.1	3.3.3
lodash	4.17.21	4.18.1
@types/lodash	4.14.191	4.17.24
micromark	4.0.0	4.0.2
micromark-extension-gfm-strikethrough	2.0.0	2.1.0
nanoid	5.1.5	5.1.11
patch-package	8.0.0	8.0.1
postcss	8.4.21	8.5.15
postcss-lit	1.1.1	1.4.1
replaywebpage	2.4.3	2.4.6
slugify	1.6.6	1.6.9
tabbable	6.2.0	6.4.0
tlds	1.259.0	1.261.0
tsconfig-paths-webpack-plugin	4.1.0	4.2.0
@playwright/test	1.60.0	1.61.0
@types/react	19.1.3	19.2.17
@web/test-runner	0.13.31	0.20.2

Updates @awesome.me/webawesome from 3.1.0 to 3.8.0

Release notes

Sourced from @​awesome.me/webawesome's releases.

v3.8.0

Bug Fixes

• carousel: Smooth mouse drag on carousel (#1103) (#2394) #2394 (Jayden Pearse)
• zoomable-frame: Import wa-icon to prevent missing icon rendering (#2457) #2457 (DanielKanyo)

Commits

• 0704951: fix copy button test (konnorrogers)
• 8312c32: fix copy button test (konnorrogers)
• 340c281: syncing component badges across views via shared macro (#2391) (Brian Talbot) #2391
• Standardizing Hover Utilities for Card Links (#2390) #2390 (Brian Talbot)
• Polish Changelog View (#2395) #2395 (Brian Talbot)
• 9888c98: Make linkify-components Transformer Site-Wide (#2397) (Brian Talbot) #2397
• Set wa-breadcrumb-item Render href="" as a Link (#2398) #2398 (Brian Talbot)
• 3fd7088: fixing wa-breadcrumb-item regression rendering as link when href is absent (#2400) (Brian Talbot) #2400
• 057ef4d: using new size-based values (#2399) (Brian Talbot) #2399
• f39a4de: udpated changelog (#2406) (Kelsey Jackson) #2406
• c699518: Fixed link to themes in Angular documentation (#2408) (Anna Johansson) #2408
• 86adc26: update changelog (#2410) (Cory LaViska) #2410
• d2c9062: ignore assets directories (#2417) (Konnor Rogers) #2417
• 2c91bb2: styling wa-textarea disabled state to match wa-input (#2419) (Brian Talbot) #2419
• 2194fc5: fix padding bug (#2411) (Cory LaViska) #2411
• Code Example Polish (#2414) #2414 (Brian Talbot)
• 50ad382: Syncing Component Durations + WA Transition Tokens (#2423) (Brian Talbot) #2423
• Improve Lighthouse Score (#2420) #2420 (Brian Talbot)
• 0c785a0: extending transition token sync to wa-combobox and wa-toast-item (#2427) (Brian Talbot) #2427
• e75719f: unifying component category labels across the docs (#2431) (Brian Talbot) #2431
• d5aab1c: fixing build awesome nav link by sourcing from site.json (#2432) (Brian Talbot) #2432
• 7dac904: don't clip outlines everywhere (#2440) (Cory LaViska) #2440
• 829abbd: Make drawer lightDismiss default false (#2437) (DanielKanyo) #2437
• ed1aaf7: add tests + changelog; #2437 (#2446) (Cory LaViska) #2446
• 0c052ab: Add scroll into view handleDocumentKeyDown (#2430) (Wendelin) #2430
• 57537db: Wendevlin fix dropdown scroll (#2447) (Cory LaViska) #2447
• f4e485d: add changelog (#2448) (Cory LaViska) #2448
• 630fc68: fix link; closes #2445 (#2449) (Cory LaViska) #2449
• 7e0f421: Reset menu styles in Native Styles (#2450) (Lindsay M) #2450
• Link to a Component's Category (#2443) #2443 (Brian Talbot)
• 4fb78fc: Improve placement of content in textarea when exceeding rows (#2424) (trent) #2424
• c3999db: Add text-transform-Based Text Utilities (#2404) (Brian Talbot) #2404
• 4012339: Add text-align-Based Text Utilities + Adopt Flat wa-text- Naming (#2403) (Brian Talbot) #2403
• fff9166: Revise Native Styles (#2459) (Brian Talbot) #2459
• 117d515: Add Prose Text Utility (#2370) (Brian Talbot) #2370
• d43e26c: Rewrite theming documentation (#2249) (Lindsay M) #2249
• 4d00ea0: Add and components (#2434) (Kelsey Jackson) #2434
• 2fe74a1: submit empty strings for null form values (#2463) (Konnor Rogers) #2463
• 63e6f13: update zoomable frame to import wa-icon (#2466) (Konnor Rogers) #2466
• 50bdfbc: Add <wa-time-picker>, <wa-known-date>, and supporting translations, events, etc. for <wa-date-picker> and <wa-calendar> (#2407) (Cory LaViska) #2407
• eafe6e2: Add forked qr-library with support for images (#2139) (Konnor Rogers) #2139
• 72c389b: Date picker again (#2468) (Cory LaViska) #2468
• beacbd1: prettier (Cory LaViska)
• 49ef47c: fix selector column (#2469) (Cory LaViska) #2469

... (truncated)

Commits

• f86c024 Bump package.json version
• c2703e1 bump changelog
• 004070a add accordion, add missing experimental icons (#2471)
• 8b32cfd Working on SSR (#2428)
• 49ef47c fix selector column (#2469)
• beacbd1 prettier
• 72c389b Date picker again (#2468)
• eafe6e2 Add forked qr-library with support for images (#2139)
• 50bdfbc Add \<wa-time-picker>, \<wa-known-date>, and supporting translations, event...
• 63e6f13 update zoomable frame to import wa-icon (#2466)
• Additional commits viewable in compare view

Updates @lit/context from 1.1.3 to 1.1.6

Release notes

Sourced from @​lit/context's releases.

@​lit/context@​1.1.6

Patch Changes

• #4997 aea85e24 - Update README

@​lit/context@​1.1.5

Patch Changes

• #4917 aced5a93 Thanks @​djrenren! - Fixed a bug where initial values were not handled by the @​provide() decorator when using standard decorators (#4675)
• Updated dependencies [c9160405, 3e2f87f6, 4824c4ce]:
  • @​lit/reactive-element@​2.1.0

Changelog

Sourced from @​lit/context's changelog.

1.1.6

Patch Changes

• #4997 aea85e24 - Update README

1.1.5

Patch Changes

• #4917 aced5a93 Thanks @​djrenren! - Fixed a bug where initial values were not handled by the @​provide() decorator when using standard decorators (#4675)
• Updated dependencies [c9160405, 3e2f87f6, 4824c4ce]:
  • @​lit/reactive-element@​2.1.0

1.1.4

Patch Changes

• #4734 0f535d48 Thanks @​sorin-davidoi! - Avoid calling Event.composedPath() when it is not needed

Commits

• 43c6168 Version Packages (#5019)
• 503add0 Fix CONTRIBUTING.md reference (#5005)
• aea85e2 [all] A bunch of README updates (#4997)
• eb71041 Version Packages (#4969)
• aced5a9 [context] Make @​provide work with standard decorators (#4917)
• a66737f update package.json repository fields (#4928)
• 7db8ead Version Packages (#4926)
• 0f535d4 perf(context): skip expensive computation of Event.composedPath() (#4734)
• See full diff in compare view

Updates @lit/localize from 0.12.1 to 0.12.2

Release notes

Sourced from @​lit/localize's releases.

@​lit/localize@​0.12.2

Patch Changes

• #4679 eb84bebc Thanks @​codingjoe! - Move localize setup to resolve import loop

• Updated dependencies [feccc1ba]:

  • lit@3.2.0

Changelog

Sourced from @​lit/localize's changelog.

0.12.2

Patch Changes

• #4679 eb84bebc Thanks @​codingjoe! - Move localize setup to resolve import loop

• Updated dependencies [feccc1ba]:

  • lit@3.2.0

Commits

• d0ecfd7 Version Packages (#4718)
• 290a608 [all] Update TypeScript to 5.5.0
• 5463b10 Update rollup packages for localize example and starter kits
• eb84beb [localize] Move setup code to resolve import loop (#4679)
• e52271b test: upgrade chai to 5.x (#4628)
• 89c5bdf Bump typescript (#4520)
• See full diff in compare view

Updates @lit/task from 1.0.0 to 1.0.3

Release notes

Sourced from @​lit/task's releases.

@​lit/task@​1.0.3

Patch Changes

• #4997 aea85e24 - Update README

@​lit/task@​1.0.2

Patch Changes

• #4836 05691ba4 Thanks @​maxpatiiuk! - Improve type inference of tuples returned by the args function being used as task function parameter.

@​lit/task@​1.0.1

Patch Changes

• #4552 4050cac6 Thanks @​jrencz! - Make status of Task a readonly property

  So far status was writable which allowed for setting status of task form outside. Doing so did cause rendering of expected template but the task was becoming internally incoherent.

  Now attempt to assign status will end up in throwing a TypeError.

Changelog

Sourced from @​lit/task's changelog.

1.0.3

Patch Changes

• #4997 aea85e24 - Update README

1.0.2

Patch Changes

• #4836 05691ba4 Thanks @​maxpatiiuk! - Improve type inference of tuples returned by the args function being used as task function parameter.

1.0.1

Patch Changes

• #4552 4050cac6 Thanks @​jrencz! - Make status of Task a readonly property

  So far status was writable which allowed for setting status of task form outside. Doing so did cause rendering of expected template but the task was becoming internally incoherent.

  Now attempt to assign status will end up in throwing a TypeError.

Commits

• 43c6168 Version Packages (#5019)
• 503add0 Fix CONTRIBUTING.md reference (#5005)
• aea85e2 [all] A bunch of README updates (#4997)
• a66737f update package.json repository fields (#4928)
• 935697d Version Packages (#4887)
• 05691ba feat(task): improve type checking for tuples (#4836)
• 9217527 Version Packages (#4663)
• 4050cac [task] Make status of Task a readonly field (#4552)
• e52271b test: upgrade chai to 5.x (#4628)
• 5287233 fix(docs): correct typos (#4629)
• Additional commits viewable in compare view

Updates @novnc/novnc from 1.4.0 to 1.7.0

Release notes

Sourced from @​novnc/novnc's releases.

noVNC 1.7.0

A new version of noVNC is now available. Lots of changes have been made since the last release, but the highlights are:

Application:

• Added Croatian translation.
• Added Hungarian translation.
• Fixed a styling bug where some buttons in the GUI would almost disappear.
• The browser will now warn before the session's tab is closed when view only is not enabled.

Library:

• The NPM bundle has been converted to ES-module format.
• The novnc_proxy script now uses the bash-builtin type instead of which when checking if websockify is installed.
• Received image data is now dropped once rendered, resulting in more efficient memory usage.
• Detection of H.264 has been improved.
• The deprecated showDotCursor setting has now been removed.

Regards, The noVNC Developers

noVNC 1.7.0 beta

A new beta version of noVNC is now available. Many changes have been made since the last release, but the highlights are:

Application:

• Added Croatian translation.
• Added Hungarian translation.
• Fixed a styling bug where some buttons in the GUI would almost disappear.
• The browser will now warn before the session's tab is closed when view only is not enabled.

Library:

• The NPM bundle has been converted to ES-module format.
• The novnc_proxy script now uses the bash-builtin type instead of which when checking if websockify is installed.
• Received image data is now dropped once rendered, resulting in more efficient memory usage.
• Detection of H.264 has been improved.
• The deprecated showDotCursor setting has now been removed.

Regards, The noVNC Developers

noVNC 1.6.0

A new version of noVNC is now available. Lots of changes have been made since the last release, but the highlights are:

Application:

• Updated GUI with a more modern styling.
• Settings can now be configured via defaults.json and mandatory.json.
• Support for relative WebSocket URLs.

... (truncated)

Commits

• 63107bd noVNC 1.7.0
• 18cabdf Update generated json files
• 85ae81a noVNC 1.7.0 beta
• 7a96227 Remove show_dot from docs/EMBEDDING.md
• 43266f4 Remove showDotCursor from docs/API.md
• 4ccc3b4 Use Node version 24 when publishing to npmjs
• 8f3555b Publish with latest npm version
• 7808f57 Stop using access tokens when publishing to npmjs
• 603d63f Allow publishing to npmjs.com with OIDC
• 5ac7bd2 Update Swedish translation
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​novnc/novnc since your current version.

Updates @shoelace-style/localize from 3.2.1 to 3.2.2

Changelog

Sourced from @​shoelace-style/localize's changelog.

3.2.2

• Fixed a bug where malformed <html lang> values caused Intl.Locale to throw a RangeError. The controller now falls through to the fallback translation instead.
• Fixed a type error in update() where connected elements were incorrectly annotated as LitElement

Commits

• See full diff in compare view

Updates @shoelace-style/shoelace from 2.18.0 to 2.20.1

Release notes

Sourced from @​shoelace-style/shoelace's releases.

v2.20.1

Commits

• 19537b1: Fix a11y issues for closing components with focused children (Christian Schilling) #2383
• 61c73cd: Add ticket number to changelog (Christian Schilling) #2383
• Nested tab groups broken in v2.19.1 (#2367) #2367 (Christian Schilling)
• d83d620: Remove log statement (Christian Schilling) #2383
• 0a48bc5: Merge remote-tracking branch 'upstream/next' into fix/a11y-errors-for-blur (Christian Schilling) #2383
• 91235cb: Fixes dropdown closing on tab key (#2371) (Gabriel Belgamo) #2371
• 1b9104d: update changelog (Cory LaViska)
• 5ef3c91: fix contextElement guard (#2399) (Diego Ferreiro Val) #2399
• ee42086: update changelog (Cory LaViska)
• e09277e: Fixes closable sl-alert can be closed on whole vertical area without visual indication (#2375) (Susanne Kirchner) #2375
• eef4c17: update changelog (Cory LaViska)
• d2ce983: Merge branch 'fix/a11y-errors-for-blur' of https://github.com/schilchSICKAG/shoelace into schilchSICKAG-fix/a11y-errors-for-blur (Cory LaViska) #2383
• 5be9540: Merge branch 'schilchSICKAG-fix/a11y-errors-for-blur' into next (Cory LaViska)
• 0cf1984: update docs to fix types (Cory LaViska)
• bcf08a8: Carousel accessibility (#2364) (Matt McLean) #2364
• d1f94ab: update changelog (Cory LaViska)
• 3142d14: update version (Cory LaViska)
• fb59fda: 2.20.1 (Cory LaViska)

v2.20.0

Commits

• 7fd18d1: Modify ja.ts (#2329) (jz5) #2329
• c16c533: update changelog (Cory LaViska)
• 7f88bb3: Svelte documentation: adding Two-way Binding example in (#2327) (Emanuel Saramago) #2327
• b5e82d6: update docs (Cory LaViska)
• 81e94f2: Only trigger defaultslotchange of select after initialization (#2318) (Susanne Kirchner) #2318
• f0c93d0: update changelog (Cory LaViska)
• 6761fdc: Merge branch 'next' of https://github.com/shoelace-style/shoelace into next (Cory LaViska)
• b0399ca: fix tabbable for radios (#2357) (Konnor Rogers) #2357
• 372ba1f: fix ssr for sl-alert and scrollend-polyfill (#2359) (Christian Schilling) #2359
• 69cf94b: Explain why dividers don't show if you use TailwindCSS and add a workaround. (#2356) (Marcus) #2356
• b5f308c: move to section (Cory LaViska)
• cb6460c: update action (Cory LaViska)
• d93ee89: add changelog check (Cory LaViska)
• 0bc6d8c: fix error (Cory LaViska)
• c3b1fb9: try again (Cory LaViska)
• fce7f7c: fix comment (Cory LaViska)
• afc2b06: sigh (Cory LaViska)
• 03f8464: ahem (Cory LaViska)
• 471e6cc: somebody save me (Cory LaViska)
• c858a3a: yaml was a mistake (Cory LaViska)
• 5e11687: save me tarides (Cory LaViska)
• 4530ba3: welp (Cory LaViska)
• d674577: not today i guess (Cory LaViska)
• ca8a12b: maybe, just maybe (Cory LaViska)
• 74dafea: somebody save me (Cory LaViska)
• 39e4557: ok konnor (Cory LaViska)
• d45e6df: revert (Cory LaViska)

... (truncated)

Commits

• fb59fda 2.20.1
• 3142d14 update version
• d1f94ab update changelog
• bcf08a8 Carousel accessibility (#2364)
• 0cf1984 update docs to fix types
• 5be9540 Merge branch 'schilchSICKAG-fix/a11y-errors-for-blur' into next
• d2ce983 Merge branch 'fix/a11y-errors-for-blur' of https://github.com/schilchSICKAG/s...
• eef4c17 update changelog
• e09277e Fixes closable sl-alert can be closed on whole vertical area without visual i...
• ee42086 update changelog
• Additional commits viewable in compare view

Updates @tanstack/lit-virtual from 3.13.12 to 3.13.30

Release notes

Sourced from @​tanstack/lit-virtual's releases.

@​tanstack/lit-virtual@​3.13.30

Patch Changes

• Updated dependencies [ef69ea3]:
  • @​tanstack/virtual-core@​3.17.1

@​tanstack/lit-virtual@​3.13.29

Patch Changes

• Updated dependencies [c0b84c8, fbf3bdb]:
  • @​tanstack/virtual-core@​3.17.0

@​tanstack/lit-virtual@​3.13.28

Patch Changes

• Updated dependencies [c746841]:
  • @​tanstack/virtual-core@​3.16.1

@​tanstack/lit-virtual@​3.13.27

Patch Changes

• Updated dependencies [fc992ab]:
  • @​tanstack/virtual-core@​3.16.0

@​tanstack/lit-virtual@​3.13.26

Patch Changes

• Updated dependencies [99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad]:
  • @​tanstack/virtual-core@​3.15.0

@​tanstack/lit-virtual@​3.13.25

Patch Changes

• Updated dependencies [97a204d]:
  • @​tanstack/virtual-core@​3.14.0

@​tanstack/lit-virtual@​3.13.24

Patch Changes

• Updated dependencies [7ece2d5]:
  • @​tanstack/virtual-core@​3.13.23

@​tanstack/lit-virtual@​3.13.23

Patch Changes

• Updated dependencies [54d771a, d3416c3]:
  • @​tanstack/virtual-core@​3.13.22

@​tanstack/lit-virtual@​3.13.22

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/lit-virtual's changelog.

3.13.30

Patch Changes

• Updated dependencies [ef69ea3]:
  • @​tanstack/virtual-core@​3.17.1

3.13.29

Patch Changes

• Updated dependencies [c0b84c8, fbf3bdb]:
  • @​tanstack/virtual-core@​3.17.0

3.13.28

Patch Changes

• Updated dependencies [c746841]:
  • @​tanstack/virtual-core@​3.16.1

3.13.27

Patch Changes

• Updated dependencies [fc992ab]:
  • @​tanstack/virtual-core@​3.16.0

3.13.26

Patch Changes

• Updated dependencies [99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad, 99355ad]:
  • @​tanstack/virtual-core@​3.15.0

3.13.25

Patch Changes

• Updated dependencies [97a204d]:
  • @​tanstack/virtual-core@​3.14.0

3.13.24

Patch Changes

• Updated dependencies [7ece2d5]:
  • @​tanstack/virtual-core@​3.13.23

3.13.23

... (truncated)

Commits

• 75ae896 ci: Version Packages (#1202)
• b983b21 ci: Version Packages (#1184)
• c33902f ci: Version Packages (#1182)
• 693d915 ci: Version Packages (#1174)
• 949180b ci: Version Packages (#1169)
• c3d4cd4 ci: Version Packages (#1157)
• 9394e13 ci: Version Packages (#1149)
• c2f1c39 ci: Version Packages (#1139)
• c4da5cb ci: Version Packages (#1137)
• d2a9995 ci: Version Packages (#1136)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/lit-virtual since your current version.

Updates @tanstack/virtual-core from 3.13.12 to 3.17.1

Release notes

Sourced from @​tanstack/virtual-core's releases.

@​tanstack/virtual-core@​3.17.1

Patch Changes

• #1199 ef69ea3 - Fix "items jump while scrolling up": the default scroll-adjustment predicate now compensates scrollTop on the first measurement of an above-viewport item even while scrolling backward (the estimate→actual delta must be absorbed), and only skips compensation for re-measurements during backward scroll to avoid the cascading jank

@​tanstack/virtual-core@​3.17.0

Minor Changes

• #1186 fbf3bdb - Add useCachedMeasurements option to skip DOM measurement when the list is hidden (e.g. display: none). When enabled, the default measureElement returns the cached size or estimateSize fallback instead of reading the DOM, preventing ResizeObserver from resetting measurements to zero.

Patch Changes

• #1183 c0b84c8 - Skip synchronous DOM read (offsetWidth/offsetHeight) in default measureElement when a cached size already exists, reducing layout reflow on re-renders

@​tanstack/virtual-core@​3.16.1

Patch Changes

• Eagerly adjust scrollOffset on prepend to prevent one-frame jump with anchorTo: 'end' (#1176)

  When items are prepended with anchorTo: 'end' and dynamic sizes, the virtualizer would compute the wrong visible range for one frame (using stale estimate-based positions) and then correct in the next frame via _willUpdate, producing a visible jump. This fix eagerly adjusts scrollOffset in setOptions during the render pass so calculateRange/getVirtualItems return the correct items immediately.

@​tanstack/virtual-core@​3.16.0

Minor Changes

• Add end-anchored virtualization support for chat, logs, and reverse feeds. (#1173)

  New anchorTo: 'end' mode keeps the current visible item stable when older items are prepended, while preserving the existing start-anchored behavior by default. It also keeps an end-pinned viewport pinned when the last item grows during streaming output.

  Add followOnAppend so new items scroll into view only when the viewport was already at the end, plus scrollEndThreshold, scrollToEnd(), getDistanceFromEnd(), and isAtEnd() helpers for chat-style integrations.

@​tanstack/virtual-core@​3.15.0

Minor Changes

• iOS Safari momentum-scroll handling. Writing scrollTop while a finger (#1168) is on the screen, during momentum decay, or while the page is in the elastic-overscroll bounce zone all cancel the in-flight scroll in iOS WebKit. The virtualizer previously had no iOS-specific handling, which manifested as the recurring "scroll abruptly stops when content above resizes" complaints on Safari mobile.

  Adds three layers of protection, default-on, all transparent to consumers:

  • Touch event distinction. A touchstart→touchend window plus a 150 ms grace timer for the early-momentum phase. Scroll-position adjustments triggered during any of these states accumulate into a _iosDeferredAdjustment field instead of writing scrollTop.
  • Subpixel reconciliation. When the browser reports back a rounded scrollTop within 1.5 px of a value we just wrote, the virtualizer prefers the intended value rather than treating the round-trip as a

... (truncated)

Changelog

Sourced from @​tanstack/virtual-core's changelog.

3.17.1

Patch Changes

• #1199 ef69ea3 - Fix "items jump while scrolling up": the default scroll-adjustment predicate now compensates scrollTop on the first measurement of an above-viewport item even while scrolling backward (the estimate→actual delta must be absorbed), and only skips compensation for re-measurements during backward scroll to avoid the cascading jank

3.17.0

Minor Changes

• #1186 fbf3bdb - Add useCachedMeasurements option to skip DOM measurement when the list is hidden (e.g. display: none). When enabled, the default measureElement returns the cached size or estimateSize fallback instead of reading the DOM, preventing ResizeObserver from resetting measurements to zero.

Patch Changes

• #1183 c0b84c8 - Skip synchronous DOM read (offsetWidth/offsetHeight) in default measureElement when a cached size already exists, reducing layout reflow on re-renders

3.16.1

Patch Changes

• Eagerly adjust scrollOffset on prepend to prevent one-frame jump with anchorTo: 'end' (#1176)

  When items are prepended with anchorTo: 'end' and dynamic sizes, the virtualizer would compute the wrong visible range for one frame (using stale estimate-based positions) and then correct in the next frame via _willUpdate, producing a visible jump. This fix eagerly adjusts scrollOffset in setOptions during the render pass so calculateRange/getVirtualItems return the correct items immediately.

3.16.0

Minor Changes

• Add end-anchored virtualization support for chat, logs, and reverse feeds. (#1173)

  New anchorTo: 'end' mode keeps the current visible item stable when older items are prepended, while preserving the existing start-anchored behavior by default. It also keeps an end-pinned viewport pinned when the last item grows during streaming output.

  Add followOnAppend so new items scroll into view only when the viewport was already at the end, plus scrollEndThreshold, scrollToEnd(), getDistanceFromEnd(), and isAtEnd() helpers for chat-style integrations.

3.15.0

Minor Changes

• iOS Safari momentum-scroll handling. Writing scrollTop while a finger (#1168) is on the screen, during momentum decay, or while the page is in the elastic-overscroll bounce zone all cancel the in-flight scroll in iOS WebKit. The virtualizer previously had no iOS-specific handling, which manifested as the recurring "scroll abruptly stops when content above resizes" complaints on Safari mobile.

  Adds three layers of protection, default-on, all transparent to consumers:

  • Touch event distinction. A touchstart→touchend window plus a 150 ms grace timer for the early-momentum phase. Scroll-position adjustments triggered during any of these states accumulate into a
  ...

  Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​novnc/​novnc@​1.4.0 ⏵ 1.7.0	-6
	npm/​replaywebpage@​2.4.3 ⏵ 2.4.6			+1	-1
	npm/​@​tanstack/​virtual-core@​3.13.12 ⏵ 3.17.1	+1		+1	-1
	npm/​tlds@​1.259.0 ⏵ 1.261.0
	npm/​ink-mde@​0.33.0 ⏵ 0.34.0	+1		+1
	npm/​@​awesome.me/​webawesome@​3.1.0 ⏵ 3.8.0	-4		+1	+8
	npm/​clsx@​2.1.0 ⏵ 2.1.1
	npm/​@​types/​lodash@​4.14.191 ⏵ 4.17.24			-1
	npm/​nanoid@​3.3.11 ⏵ 5.1.11			-1
	npm/​lodash@​4.17.21 ⏵ 4.18.1	+1	+19	+1
	npm/​patch-package@​8.0.0 ⏵ 8.0.1	+1		+1
	npm/​postcss-lit@​1.1.1 ⏵ 1.4.1	+1		+1	+5
	npm/​@​shoelace-style/​shoelace@​2.18.0 ⏵ 2.20.1	-10		+1
	npm/​postcss@​8.5.3 ⏵ 8.5.15	+1	+2	+1
	npm/​@​shoelace-style/​localize@​3.1.2 ⏵ 3.2.2	+1			-1
	npm/​@​lit/​localize@​0.12.1 ⏵ 0.12.2	+1		+1
	npm/​highlight.js@​11.8.0 ⏵ 11.11.1	+1
	npm/​slugify@​1.6.6 ⏵ 1.6.9			+1
	npm/​@​web/​test-runner@​0.13.31 ⏵ 0.20.2	+1		+1
	npm/​@​lit/​task@​1.0.0 ⏵ 1.0.3	+1		+3
	npm/​@​lit/​context@​1.1.3 ⏵ 1.1.6	+1			-1
	npm/​@​tanstack/​lit-virtual@​3.13.12 ⏵ 3.13.30	+12		+1	+3
	npm/​tsconfig-paths-webpack-plugin@​4.1.0 ⏵ 4.2.0
	npm/​lit@​3.3.3
	npm/​tabbable@​6.2.0 ⏵ 6.4.0
	npm/​cronstrue@​3.2.0 ⏵ 3.14.0	+1			+9
	npm/​@​playwright/​test@​1.60.0 ⏵ 1.61.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @awesome.me/webawesome is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: frontend/package.json → npm/@awesome.me/webawesome@3.8.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@awesome.me/webawesome@3.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @novnc/novnc is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: frontend/package.json → npm/@novnc/novnc@1.7.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@novnc/novnc@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @shoelace-style/shoelace is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: frontend/package.json → npm/@shoelace-style/shoelace@2.20.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@shoelace-style/shoelace@2.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm fast-xml-parser is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/replaywebpage@2.4.6 → npm/fast-xml-parser@4.5.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm puppeteer-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@web/test-runner@0.20.2 → npm/puppeteer-core@24.43.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/puppeteer-core@24.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report