chore: update dependencies #43

Merged: rubenhensen merged 2 commits into main from chore/update-dependencies-issue-42 on May 20, 2026

@dobby-coder dobby-coder Bot commented May 19, 2026

Closes #42

pg-sveltekit

Security advisories cleared by npm audit fix:

Minor/patch bumps:

  • @e4a/pg-js 1.6.2 → 1.8.0
  • @sveltejs/kit 2.59.1 → 2.60.1
  • @types/node 25.7.0 → 25.9.1
  • eslint 10.3.0 → 10.4.0
  • typescript-eslint 8.59.3 → 8.59.4

Major bump — vite 7.3.2 → 8.0.13 and @sveltejs/vite-plugin-svelte 6.2.4 → 7.1.2. Removed vite-plugin-top-level-await: it does require('rollup') at module load, and vite 8 replaces rollup with rolldown so the plugin no longer resolves. With build.target: 'esnext', vite 8 / rolldown passes top-level await through unchanged for modern browsers (Chrome 89+, Firefox 89+, Safari 15+), which is what vite-plugin-wasm's WASM init relies on. Side effect: concurrent TLA imports become sequential after bundling (rolldown semantics) — init may be marginally slower but still correct.

overrides.cookie: ^0.7.2 stays — @sveltejs/kit@2.60.1 still pins cookie ^0.6.0.

pg-manual

Patch bumps:

  • @e4a/pg-wasm 0.6.0 → 0.6.1
  • web-streams-polyfill 4.2.0 → 4.3.0

Major bump — @privacybydesign/yivi-{client,core,css,popup} 0.2.1 → 1.x. v1 ships proper ESM with named exports, so examples/utils.js switches from import * as YiviCore to import { YiviCore } (same for YiviClient / YiviPopup). The yivi.use(...) plugin contract is unchanged; yivi-css stays a side-effect import.

Verification

  • pg-sveltekit: npm install && npm run build && npm run check → clean (0 errors / 0 warnings on vite 8.0.13). Browser encrypt/decrypt round-trip not yet smoke-tested under the new TLA path — recommended before merge.
  • pg-manual: npm install && npm run build → clean, no export … not found warnings.

Closes #42

pg-sveltekit:
- npm audit fix clears devalue GHSA-77vg-94rm-hx3p (high) and the four
  svelte SSR/DOM/ReDoS advisories (moderate) by lifting devalue and
  svelte past the patched versions.
- Minor/patch: @e4a/pg-js 1.6.2 -> 1.8.0, @sveltejs/kit 2.59.1 -> 2.60.1,
  @types/node 25.7.0 -> 25.9.1, eslint 10.3.0 -> 10.4.0, svelte declared
  range -> ^5.55.8, typescript-eslint 8.59.3 -> 8.59.4.
- cookie override stays: @sveltejs/kit 2.60.1 still pins cookie ^0.6.0.

pg-manual:
- Patch: @e4a/pg-wasm 0.6.0 -> 0.6.1, web-streams-polyfill 4.2.0 -> 4.3.0.
- Major: @privacybydesign/yivi-{client,core,css,popup} 0.2 -> 1.x.
  v1 ships proper ESM with named exports, so examples/utils.js switches
  to `import { YiviCore } from ...` (etc). yivi.use(...) contract is
  unchanged; yivi-css stays a side-effect import.

vite 7 -> 8 / vite-plugin-svelte 6 -> 7 held back: vite-plugin-top-level-await
still `require('rollup')` at load and vite 8 dropped bundled rollup.
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 19, 2026 22:16

dobby-coder Bot commented May 19, 2026

no CI workflow in this repo; please review manually

Drops vite-plugin-top-level-await: it required `rollup` at module load
and vite 8 swaps rollup for rolldown, so the plugin is unloadable there.
With `build.target: 'esnext'`, vite 8 / rolldown passes top-level await
through unchanged for modern browsers (Chrome 89+, Firefox 89+, Safari 15+),
which the wasm plugin's init relies on. Concurrent TLA imports become
sequential after bundling (rolldown semantics), so init may be marginally
slower but still correct.

- vite 7.3.2 -> 8.0.13
- @sveltejs/vite-plugin-svelte 6.2.4 -> 7.1.2
- remove vite-plugin-top-level-await
@rubenhensen

/dobby review this pr

dobby-coder Bot commented May 20, 2026

Dobby has heard the request and Dobby is on it! Dobby will read this pull request carefully and post a review with a clear verdict.

@dobby-coder dobby-coder Bot left a comment

Verdict: ready to merge (Dobby cannot self-approve as the PR author — flagging here so a human can land it).

Local verification on the PR branch:

pg-sveltekit

  • npm install — 0 vulnerabilities, no peer-dep ERESOLVE.
  • npm run build — clean, 621 ms (rolldown via vite 8).
  • npm run check — 294 files, 0 errors, 0 warnings (the previously-expected svelte runes warning is gone).
  • npm audit — 0 vulnerabilities. The devalue/svelte advisories listed in the PR body are cleared.
  • Vite 8 + vite-plugin-svelte 7 chain is fine after dropping vite-plugin-top-level-await. build.target: 'esnext' is correctly retained — needed now to keep rolldown from down-transforming TLA, which vite-plugin-wasm's WASM init relies on.
  • overrides.cookie: ^0.7.2 correctly kept; @sveltejs/kit@2.60.1 still pins cookie ^0.6.0.

pg-manual

  • npm install — 0 vulnerabilities.
  • npm run build — webpack 5.106.2 compiled successfully in 269 ms, no export … was not found warnings.
  • yivi 0.2 → 1.x migration in examples/utils.js is correct: named imports give a callable constructor under the v1 ESM shape; yivi.use(YiviClient) / yivi.use(YiviPopup) plugin contract is unchanged.
  • file.js already uses the WritableStream as PolyfilledWritableStream form, so the web-streams-polyfill 4.2 → 4.3 patch bump is benign.

Caveat from the PR body still stands: a browser encrypt/decrypt round-trip hasn't been smoke-tested under the new TLA path. Static analysis and build output look right; a quick npm run dev round-trip before merging would close the loop. Not blocking.
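
The `overrides.cookie` check mentioned in the review above, as an added example (not code from this PR or its repository): it scans an npm lockfile in `lockfileVersion` 3 shape for any installed copy of `cookie` that resolved below 0.7.2. The lockfile objects and the function names are constructed for illustration; only the package names and version ranges come from the thread.

```javascript
// Constructed sample in package-lock.json (lockfileVersion 3) shape.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "pg-sveltekit" },
    "node_modules/@sveltejs/kit": { version: "2.60.1", dependencies: { cookie: "^0.6.0" } },
    "node_modules/cookie": { version: "0.7.2" },
  },
};

// Parse "major.minor.patch"; prerelease/build tags are ignored (simplifying assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly below version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every installed copy of `name` (hoisted or nested) below `floor`.
function findBelowFloor(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && lessThan(meta.version, floor))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed variant: a nested copy below the floor sits under @sveltejs/kit.
const withNestedOldCopy = JSON.parse(JSON.stringify(sampleLock));
withNestedOldCopy.packages["node_modules/@sveltejs/kit/node_modules/cookie"] = { version: "0.6.0" };

console.log(findBelowFloor(sampleLock, "cookie", "0.7.2"));
console.log(findBelowFloor(withNestedOldCopy, "cookie", "0.7.2"));
```

To run it against a real tree, replace the constructed object with the parsed contents of the project's `package-lock.json`.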

@rubenhensen rubenhensen merged commit 075eeb1 into main May 20, 2026
2 checks passed
@rubenhensen rubenhensen deleted the chore/update-dependencies-issue-42 branch May 20, 2026 08:53

dobby-coder Bot commented May 20, 2026

This agent sees the approval from @rubenhensen — and the PR is already merged! Dobby is so happy: the dependency sweep is landed, issue #42 auto-closed, and no tracking issue needed updating. Dobby thanks the kind master for the review!
